chore(release): 3.11.1

Co-authored-by: sergargar <sergargar@users.noreply.github.com>

.github/workflows/pull-request.yml

@@ -7,26 +7,38 @@ on:
   pull_request:
     branches:
       - "master"
-
 jobs:
   build:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.9"]
+        python-version: ["3.9", "3.10", "3.11"]
 
     steps:
       - uses: actions/checkout@v3
+      - name: Test if changes are in not ignored paths
+        id: are-non-ignored-files-changed
+        uses: tj-actions/changed-files@v39
+        with:
+          files: ./**
+          files_ignore: |
+            .github/**
+            README.md
+            docs/**
+            permissions/**
       - name: Install poetry
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
         run: |
-         python -m pip install --upgrade pip
-         pipx install poetry
+          python -m pip install --upgrade pip
+          pipx install poetry
       - name: Set up Python ${{ matrix.python-version }}
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
         uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python-version }}
-          cache: 'poetry'
+          cache: "poetry"
       - name: Install dependencies
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
         run: |
           poetry install
           poetry run pip list
@@ -36,29 +48,43 @@ jobs:
             ) && curl -L -o /tmp/hadolint "https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64" \
             && chmod +x /tmp/hadolint
       - name: Poetry check
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
         run: |
           poetry lock --check
       - name: Lint with flake8
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
         run: |
           poetry run flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib
       - name: Checking format with black
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
         run: |
           poetry run black --check .
       - name: Lint with pylint
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
         run: |
           poetry run pylint --disable=W,C,R,E -j 0 -rn -sn prowler/
       - name: Bandit
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
         run: |
           poetry run bandit -q -lll -x '*_test.py,./contrib/' -r .
       - name: Safety
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
         run: |
           poetry run safety check
       - name: Vulture
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
         run: |
           poetry run vulture --exclude "contrib" --min-confidence 100 .
       - name: Hadolint
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
         run: |
           /tmp/hadolint Dockerfile --ignore=DL3013
       - name: Test with pytest
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
         run: |
-          poetry run pytest tests -n auto
+          poetry run pytest -n auto --cov=./prowler --cov-report=xml tests
+      - name: Upload coverage reports to Codecov
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@v3
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/pypi-release.yml

@@ -69,11 +69,3 @@ jobs:
         run: |
           poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}
           poetry publish
-      # Create pull request to github.com/Homebrew/homebrew-core to update prowler formula
-      - name: Bump Homebrew formula
-        uses: mislav/bump-homebrew-formula-action@v2
-        with:
-          formula-name: prowler
-          base-branch: release-${{ env.RELEASE_TAG }}
-        env:
-          COMMITTER_TOKEN: ${{ secrets.PROWLER_ACCESS_TOKEN }}

.gitignore

@@ -46,3 +46,8 @@ junit-reports/
 
 # .env
 .env*
+
+# Coverage
+.coverage*
+.coverage
+coverage*

.pre-commit-config.yaml

@@ -15,7 +15,7 @@ repos:
 
   ## TOML
   - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
-    rev: v2.7.0
+    rev: v2.10.0
     hooks:
       - id: pretty-format-toml
         args: [--autofix]
@@ -28,7 +28,7 @@ repos:
       - id: shellcheck
   ## PYTHON
   - repo: https://github.com/myint/autoflake
-    rev: v2.0.1
+    rev: v2.2.0
     hooks:
       - id: autoflake
         args:
@@ -45,19 +45,19 @@ repos:
         args: ["--profile", "black"]
 
   - repo: https://github.com/psf/black
-    rev: 23.1.0
+    rev: 22.12.0
     hooks:
       - id: black
 
   - repo: https://github.com/pycqa/flake8
-    rev: 6.0.0
+    rev: 6.1.0
     hooks:
       - id: flake8
         exclude: contrib
         args: ["--ignore=E266,W503,E203,E501,W605"]
 
   - repo: https://github.com/python-poetry/poetry
-    rev: 1.5.1 # add version here
+    rev: 1.6.0 # add version here
     hooks:
       - id: poetry-check
       - id: poetry-lock
@@ -75,6 +75,7 @@ repos:
         name: pylint
         entry: bash -c 'pylint --disable=W,C,R,E -j 0 -rn -sn prowler/'
         language: system
+        files: '.*\.py'
 
       - id: trufflehog
         name: TruffleHog
@@ -89,12 +90,14 @@ repos:
         name: pytest-check
         entry: bash -c 'pytest tests -n auto'
         language: system
+        files: '.*\.py'
 
       - id: bandit
         name: bandit
         description: "Bandit is a tool for finding common security issues in Python code"
         entry: bash -c 'bandit -q -lll -x '*_test.py,./contrib/' -r .'
         language: system
+        files: '.*\.py'
 
       - id: safety
         name: safety
@@ -107,3 +110,4 @@ repos:
         description: "Vulture finds unused code in Python programs."
         entry: bash -c 'vulture --exclude "contrib" --min-confidence 100 .'
         language: system
+        files: '.*\.py'

Dockerfile

@@ -1,9 +1,10 @@
-FROM python:3.9-alpine
+FROM python:3.11-alpine
 
 LABEL maintainer="https://github.com/prowler-cloud/prowler"
 
 # Update system dependencies
-RUN apk --no-cache upgrade
+#hadolint ignore=DL3018
+RUN apk --no-cache upgrade && apk --no-cache add curl
 
 # Create nonroot user
 RUN mkdir -p /home/prowler && \

Makefile

@@ -2,12 +2,19 @@
 
 ##@ Testing
 test:   ## Test with pytest
-	pytest -n auto -vvv -s -x
+	rm -rf .coverage && \
+	pytest -n auto -vvv -s --cov=./prowler --cov-report=xml tests
 
 coverage: ## Show Test Coverage
 	coverage run --skip-covered -m pytest -v && \
 	coverage report -m && \
-	rm -rf .coverage
+	rm -rf .coverage && \
+	coverage report -m
+
+coverage-html: ## Show Test Coverage
+	rm -rf ./htmlcov && \
+	coverage html && \
+	open htmlcov/index.html
 
 ##@ Linting
 format: ## Format Code

README.md

@@ -39,7 +39,7 @@ It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, Fe
 
 | Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.cloud/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.cloud/en/latest/tutorials/misc/#categories) |
 |---|---|---|---|---|
-| AWS | 287 | 56 -> `prowler aws --list-services` | 25 -> `prowler aws --list-compliance` | 5 -> `prowler aws --list-categories` |
+| AWS | 301 | 61 -> `prowler aws --list-services` | 25 -> `prowler aws --list-compliance` | 5 -> `prowler aws --list-categories` |
 | GCP | 73 | 11 -> `prowler gcp --list-services` | 1 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`|
 | Azure | 23 | 4 -> `prowler azure --list-services` | CIS soon | 1 -> `prowler azure --list-categories` |
 | Kubernetes | Planned | - | - | - |
@@ -115,8 +115,8 @@ Make sure you have properly configured your AWS-CLI with a valid Access Key and
 
 Those credentials must be associated to a user or role with proper permissions to do all checks. To make sure, add the following AWS managed policies to the user or role being used:
 
-  - arn:aws:iam::aws:policy/SecurityAudit
-  - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
+  - `arn:aws:iam::aws:policy/SecurityAudit`
+  - `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess`
 
   > Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json) to the role you are using.
 
@@ -178,11 +178,7 @@ Prowler will follow the same credentials search as [Google authentication librar
 2. [User credentials set up by using the Google Cloud CLI](https://cloud.google.com/docs/authentication/application-default-credentials#personal)
 3. [The attached service account, returned by the metadata server](https://cloud.google.com/docs/authentication/application-default-credentials#attached-sa)
 
-Those credentials must be associated to a user or service account with proper permissions to do all checks. To make sure, add the following roles to the member associated with the credentials:
-
-  - Viewer
-  - Security Reviewer
-  - Stackdriver Account Viewer
+Those credentials must be associated to a user or service account with proper permissions to do all checks. To make sure, add the `Viewer` role to the member associated with the credentials.
 
 > By default, `prowler` will scan all accessible GCP Projects, use flag `--project-ids` to specify the projects to be scanned.
 

docs/developer-guide/audit-info.md

@@ -0,0 +1,9 @@
+# Audit Info
+
+In each Prowler provider we have a Python object called `audit_info` which is in charge of keeping the credentials, the configuration and the state of each audit, and it's passed to each service during the `__init__`.
+
+- AWS: https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/lib/audit_info/models.py#L34-L54
+- GCP: https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/lib/audit_info/models.py#L7-L30
+- Azure: https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/azure/lib/audit_info/models.py#L17-L31
+
+This `audit_info` object is shared during the Prowler execution and for that reason is important to mock it in each test to isolate them. See the [testing guide](./unit-testing.md) for more information.

docs/developer-guide/checks.md

@@ -0,0 +1,316 @@
+# Create a new Check for a Provider
+
+Here you can find how to create new checks for Prowler.
+
+**To create a check is required to have a Prowler provider service already created, so if the service is not present or the attribute you want to audit is not retrieved by the service, please refer to the [Service](./services.md) documentation.**
+
+## Introduction
+To create a new check for a supported Prowler provider, you will need to create a folder with the check name inside the specific service for the selected provider.
+
+We are going to use the `ec2_ami_public` check form the `AWS` provider as an example. So the folder name will `prowler/providers/aws/services/ec2/ec2_ami_public` (following the format `prowler/providers/<provider>/services/<service>/<check_name>`), with the name of check following the pattern: `service_subservice/resource_action`.
+
+Inside that folder, we need to create three files:
+
+- An empty `__init__.py`: to make Python treat this check folder as a package.
+- A `check_name.py` with the above format containing the check's logic. Refer to the [check](./checks.md#check)
+- A `check_name.metadata.json` containing the check's metadata. Refer to the [check metadata](./checks.md#check-metadata)
+
+## Check
+
+The Prowler's check structure is very simple and following it there is nothing more to do to include a check in a provider's service because the load is done dynamically based on the paths.
+
+The following is the code for the `ec2_ami_public` check:
+```python title="Check Class"
+# At the top of the file we need to import the following:
+# - Check class which is in charge of the following:
+#   - Retrieve the check metadata and expose the `metadata()`
+#       to return a JSON representation of the metadata,
+#       read more at Check Metadata Model down below.
+#   - Enforce that each check requires to have the `execute()` function
+from prowler.lib.check.models import Check, Check_Report_AWS
+
+# Then you have to import the provider service client
+# read more at the Service documentation.
+from prowler.providers.aws.services.ec2.ec2_client import ec2_client
+
+# For each check we need to create a python class called the same as the
+# file which inherits from the Check class.
+class ec2_ami_public(Check):
+    """ec2_ami_public verifies if an EC2 AMI is publicly shared"""
+
+    # Then, within the check's class we need to create the "execute(self)"
+    # function, which is enforce by the "Check" class to implement
+    # the Check's interface and let Prowler to run this check.
+    def execute(self):
+
+        # Inside the execute(self) function we need to create
+        # the list of findings initialised to an empty list []
+        findings = []
+
+        # Then, using the service client we need to iterate by the resource we
+        # want to check, in this case EC2 AMIs stored in the
+        # "ec2_client.images" object.
+        for image in ec2_client.images:
+
+            # Once iterating for the images, we have to intialise
+            # the Check_Report_AWS class passing the check's metadata
+            # using the "metadata" function explained above.
+            report = Check_Report_AWS(self.metadata())
+
+            # For each Prowler check we MUST fill the following
+            # Check_Report_AWS fields:
+            # - region
+            # - resource_id
+            # - resource_arn
+            # - resource_tags
+            # - status
+            # - status_extended
+            report.region = image.region
+            report.resource_id = image.id
+            report.resource_arn = image.arn
+            # The resource_tags should be filled if the resource has the ability
+            # of having tags, please check the service first.
+            report.resource_tags = image.tags
+
+            # Then we need to create the business logic for the check
+            # which always should be simple because the Prowler service
+            # must do the heavy lifting and the check should be in charge
+            # of parsing the data provided
+            report.status = "PASS"
+            report.status_extended = f"EC2 AMI {image.id} is not public."
+
+            # In this example each "image" object has a boolean attribute
+            # called "public" to set if the AMI is publicly shared
+            if image.public:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"EC2 AMI {image.id} is currently public."
+                )
+
+            # Then at the same level as the "report"
+            # object we need to append it to the findings list.
+            findings.append(report)
+
+        # Last thing to do is to return the findings list to Prowler
+        return findings
+```
+
+### Check Status
+
+All the checks MUST fill the `report.status` and `report.status_extended` with the following criteria:
+
+- Status -- `report.status`
+    - `PASS` --> If the check is passing against the configured value.
+    - `FAIL` --> If the check is passing against the configured value.
+    - `INFO` --> This value cannot be used unless a manual operation is required in order to determine if the `report.status` is whether `PASS` or `FAIL`.
+- Status Extended -- `report.status_extended`
+    - MUST end in a dot `.`
+    - MUST include the service audited with the resource and a brief explanation of the result generated, e.g.: `EC2 AMI ami-0123456789 is not public.`
+
+### Check Region
+
+All the checks MUST fill the `report.region` with the following criteria:
+
+- If the audited resource is regional use the `region` attribute within the resource object.
+- If the audited resource is global use the `service_client.region` within the service client object.
+
+### Resource ID, Name and ARN
+All the checks MUST fill the `report.resource_id` and `report.resource_arn` with the following criteria:
+
+- AWS
+    - Resource ID -- `report.resource_id`
+        - AWS Account --> Account Number `123456789012`
+        - AWS Resource --> Resource ID / Name
+        - Root resource --> `<root_account>`
+    - Resource ARN -- `report.resource_arn`
+        - AWS Account --> Root ARN `arn:aws:iam::123456789012:root`
+        - AWS Resource --> Resource ARN
+        - Root resource --> Root ARN `arn:aws:iam::123456789012:root`
+- GCP
+    - Resource ID -- `report.resource_id`
+        - GCP Resource --> Resource ID
+    - Resource Name -- `report.resource_name`
+        - GCP Resource --> Resource Name
+- Azure
+    - Resource ID -- `report.resource_id`
+        - Azure Resource --> Resource ID
+    - Resource Name -- `report.resource_name`
+        - Azure Resource --> Resource Name
+
+### Python Model
+The following is the Python model for the check's class.
+
+As per August 5th 2023 the `Check_Metadata_Model` can be found [here](https://github.com/prowler-cloud/prowler/blob/master/prowler/lib/check/models.py#L59-L80).
+
+```python
+class Check(ABC, Check_Metadata_Model):
+    """Prowler Check"""
+
+    def __init__(self, **data):
+        """Check's init function. Calls the CheckMetadataModel init."""
+        # Parse the Check's metadata file
+        metadata_file = (
+            os.path.abspath(sys.modules[self.__module__].__file__)[:-3]
+            + ".metadata.json"
+        )
+        # Store it to validate them with Pydantic
+        data = Check_Metadata_Model.parse_file(metadata_file).dict()
+        # Calls parents init function
+        super().__init__(**data)
+
+    def metadata(self) -> dict:
+        """Return the JSON representation of the check's metadata"""
+        return self.json()
+
+    @abstractmethod
+    def execute(self):
+        """Execute the check's logic"""
+```
+
+### Using the audit config
+
+Prowler has a [configuration file](../tutorials/configuration_file.md) which is used to pass certain configuration values to the checks, like the following:
+
+```python title="ec2_securitygroup_with_many_ingress_egress_rules.py"
+class ec2_securitygroup_with_many_ingress_egress_rules(Check):
+    def execute(self):
+        findings = []
+
+        # max_security_group_rules, default: 50
+        max_security_group_rules = ec2_client.audit_config.get(
+            "max_security_group_rules", 50
+        )
+        for security_group in ec2_client.security_groups:
+```
+
+```yaml title="config.yaml"
+# AWS Configuration
+aws:
+  # AWS EC2 Configuration
+
+  # aws.ec2_securitygroup_with_many_ingress_egress_rules
+  # The default value is 50 rules
+  max_security_group_rules: 50
+```
+
+As you can see in the above code, within the service client, in this case the `ec2_client`, there is an object called `audit_config` which is a Python dictionary containing the values read from the configuration file.
+
+In order to use it, you have to check first if the value is present in the configuration file. If the value is not present, you can create it in the `config.yaml` file and then, read it from the check.
+> It is mandatory to always use the `dictionary.get(value, default)` syntax to set a default value in the case the configuration value is not present.
+
+
+## Check Metadata
+
+Each Prowler check has metadata associated which is stored at the same level of the check's folder in a file called A `check_name.metadata.json` containing the check's metadata.
+
+> We are going to include comments in this example metadata JSON but they cannot be included because the JSON format does not allow comments.
+
+```json
+{
+  # Provider holds the Prowler provider which the checks belongs to
+  "Provider": "aws",
+  # CheckID holds check name
+  "CheckID": "ec2_ami_public",
+  # CheckTitle holds the title of the check
+  "CheckTitle": "Ensure there are no EC2 AMIs set as Public.",
+  # CheckType holds Software and Configuration Checks, check more here
+  # https://docs.aws.amazon.com/securityhub/latest/userguide/asff-required-attributes.html#Types
+  "CheckType": [
+    "Infrastructure Security"
+  ],
+  # ServiceName holds the provider service name
+  "ServiceName": "ec2",
+  # SubServiceName holds the service's subservice or resource used by the check
+  "SubServiceName": "ami",
+  # ResourceIdTemplate holds the unique ID for the resource used by the check
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  # Severity holds the check's severity, always in lowercase (critical, high, medium, low or informational)
+  "Severity": "critical",
+  # ResourceType only for AWS, holds the type from here
+  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html
+  "ResourceType": "Other",
+  # Description holds the title of the check, for now is the same as CheckTitle
+  "Description": "Ensure there are no EC2 AMIs set as Public.",
+  # Risk holds the check risk if the result is FAIL
+  "Risk": "When your AMIs are publicly accessible, they are available in the Community AMIs where everyone with an AWS account can use them to launch EC2 instances. Your AMIs could contain snapshots of your applications (including their data), therefore exposing your snapshots in this manner is not advised.",
+  # RelatedUrl holds an URL with more information about the check purpose
+  "RelatedUrl": "",
+  # Remediation holds the information to help the practitioner to fix the issue in the case of the check raise a FAIL
+  "Remediation": {
+    # Code holds different methods to remediate the FAIL finding
+    "Code": {
+      # CLI holds the command in the provider native CLI to remediate it
+      "CLI": "https://docs.bridgecrew.io/docs/public_8#cli-command",
+      # NativeIaC holds the native IaC code to remediate it, use "https://docs.bridgecrew.io/docs"
+      "NativeIaC": "",
+      # Other holds the other commands, scripts or code to remediate it, use "https://www.trendmicro.com/cloudoneconformity"
+      "Other": "https://docs.bridgecrew.io/docs/public_8#aws-console",
+      # Terraform holds the Terraform code to remediate it, use "https://docs.bridgecrew.io/docs"
+      "Terraform": ""
+    },
+    # Recommendation holds the recommendation for this check with a description and a related URL
+    "Recommendation": {
+      "Text": "We recommend your EC2 AMIs are not publicly accessible, or generally available in the Community AMIs.",
+      "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cancel-sharing-an-AMI.html"
+    }
+  },
+  # Categories holds the category or categories where the check can be included, if applied
+  "Categories": [
+    "internet-exposed"
+  ],
+  # DependsOn is not actively used for the moment but it will hold other
+  # checks wich this check is dependant to
+  "DependsOn": [],
+  # RelatedTo is not actively used for the moment but it will hold other
+  # checks wich this check is related to
+  "RelatedTo": [],
+  # Notes holds additional information not covered in this file
+  "Notes": ""
+}
+```
+
+### Remediation Code
+
+For the Remediation Code we use the following knowledge base to fill it:
+
+- Official documentation for the provider
+- https://docs.bridgecrew.io
+- https://www.trendmicro.com/cloudoneconformity
+- https://github.com/cloudmatos/matos/tree/master/remediations
+
+### RelatedURL and Recommendation
+
+The RelatedURL field must be filled with an URL from the provider's official documentation like https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html
+
+Also, if not present you can use the Risk and Recommendation texts from the TrendMicro [CloudConformity](https://www.trendmicro.com/cloudoneconformity) guide.
+
+
+### Python Model
+The following is the Python model for the check's metadata model. We use the Pydantic's [BaseModel](https://docs.pydantic.dev/latest/api/base_model/#pydantic.BaseModel) as the parent class.
+
+As per August 5th 2023 the `Check_Metadata_Model` can be found [here](https://github.com/prowler-cloud/prowler/blob/master/prowler/lib/check/models.py#L34-L56).
+```python
+class Check_Metadata_Model(BaseModel):
+    """Check Metadata Model"""
+
+    Provider: str
+    CheckID: str
+    CheckTitle: str
+    CheckType: list[str]
+    ServiceName: str
+    SubServiceName: str
+    ResourceIdTemplate: str
+    Severity: str
+    ResourceType: str
+    Description: str
+    Risk: str
+    RelatedUrl: str
+    Remediation: Remediation
+    Categories: list[str]
+    DependsOn: list[str]
+    RelatedTo: list[str]
+    Notes: str
+    # We set the compliance to None to
+    # store the compliance later if supplied
+    Compliance: list = None
+```

docs/developer-guide/documentation.md

@@ -0,0 +1,8 @@
+## Contribute with documentation
+
+We use `mkdocs` to build this Prowler documentation site so you can easily contribute back with new docs or improving them.
+
+1. Install `mkdocs` with your favorite package manager.
+2. Inside the `prowler` repository folder run `mkdocs serve` and point your browser to `http://localhost:8000` and you will see live changes to your local copy of this documentation site.
+3. Make all needed changes to docs or add new documents. To do so just edit existing md files inside `prowler/docs` and if you are adding a new section or file please make sure you add it to `mkdocs.yaml` file in the root folder of the Prowler repo.
+4. Once you are done with changes, please send a pull request to us for review and merge. Thank you in advance!

docs/developer-guide/integration-testing.md

@@ -0,0 +1,3 @@
+# Integration Tests
+
+Coming soon ...

docs/developer-guide/integrations.md

@@ -0,0 +1,3 @@
+# Create a new integration
+
+Coming soon ...

docs/developer-guide/introduction.md

@@ -0,0 +1,59 @@
+# Developer Guide
+
+You can extend Prowler in many different ways, in most cases you will want to create your own checks and compliance security frameworks, here is where you can learn about how to get started with it. We also include how to create custom outputs, integrations and more.
+
+## Get the code and install all dependencies
+
+First of all, you need a version of Python 3.9 or higher and also pip installed to be able to install all dependencies required. Once that is satisfied go a head and clone the repo:
+
+```
+git clone https://github.com/prowler-cloud/prowler
+cd prowler
+```
+For isolation and avoid conflicts with other environments, we recommend usage of `poetry`:
+```
+pip install poetry
+```
+Then install all dependencies including the ones for developers:
+```
+poetry install
+poetry shell
+```
+
+## Contributing with your code or fixes to Prowler
+
+This repo has git pre-commit hooks managed via the [pre-commit](https://pre-commit.com/) tool. [Install](https://pre-commit.com/#install) it how ever you like, then in the root of this repo run:
+```shell
+pre-commit install
+```
+You should get an output like the following:
+```shell
+pre-commit installed at .git/hooks/pre-commit
+```
+
+Before we merge any of your pull requests we pass checks to the code, we use the following tools and automation to make sure the code is secure and dependencies up-to-dated (these should have been already installed if you ran `pipenv install -d`):
+
+- [`bandit`](https://pypi.org/project/bandit/) for code security review.
+- [`safety`](https://pypi.org/project/safety/) and [`dependabot`](https://github.com/features/security) for dependencies.
+- [`hadolint`](https://github.com/hadolint/hadolint) and [`dockle`](https://github.com/goodwithtech/dockle) for our containers security.
+- [`Snyk`](https://docs.snyk.io/integrations/snyk-container-integrations/container-security-with-docker-hub-integration) in Docker Hub.
+- [`clair`](https://github.com/quay/clair) in Amazon ECR.
+- [`vulture`](https://pypi.org/project/vulture/), [`flake8`](https://pypi.org/project/flake8/), [`black`](https://pypi.org/project/black/) and [`pylint`](https://pypi.org/project/pylint/) for formatting and best practices.
+
+You can see all dependencies in file `pyproject.toml`.
+
+## Pull Request Checklist
+
+If you create or review a PR in https://github.com/prowler-cloud/prowler please follow this checklist:
+
+- [ ] Make sure you've read the Prowler Developer Guide at https://docs.prowler.cloud/en/latest/developer-guide/introduction/
+- [ ] Are we following the style guide, hence installed all the linters and formatters? Please check https://docs.prowler.cloud/en/latest/developer-guide/introduction/#contributing-with-your-code-or-fixes-to-prowler
+- [ ] Are we increasing/decreasing the test coverage? Please, review if we need to include/modify tests for the new code.
+- [ ] Are we modifying outputs? Please review it carefully.
+- [ ] Do we need to modify the Prowler documentation to reflect the changes introduced?
+- [ ] Are we introducing possible breaking changes? Are we modifying a core feature?
+
+
+## Want some swag as appreciation for your contribution?
+
+If you are like us and you love swag, we are happy to thank you for your contribution with some laptop stickers or whatever other swag we may have at that time. Please, tell us more details and your pull request link in our [Slack workspace here](https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog). You can also reach out to Toni de la Fuente on Twitter [here](https://twitter.com/ToniBlyx), his DMs are open.

docs/developer-guide/outputs.md

@@ -0,0 +1,3 @@
+# Create a custom output format
+
+Coming soon ...

docs/developer-guide/security-compliance-framework.md

@@ -0,0 +1,41 @@
+# Create a new security compliance framework
+
+
+## Introduction
+If you want to create or contribute with your own security frameworks or add public ones to Prowler you need to make sure the checks are available if not you have to create your own. Then create a compliance file per provider like in `prowler/compliance/<provider>/` and name it as `<framework>_<version>_<provider>.json` then follow the following format to create yours.
+
+## Compliance Framework
+Each file version of a framework will have the following structure at high level with the case that each framework needs to be generally identified, one requirement can be also called one control but one requirement can be linked to multiple prowler checks.:
+
+- `Framework`: string. Distinguish name of the framework, like CIS
+- `Provider`: string. Provider where the framework applies, such as AWS, Azure, OCI,...
+- `Version`: string. Version of the framework itself, like 1.4 for CIS.
+- `Requirements`: array of objects. Include all requirements or controls with the mapping to Prowler.
+- `Requirements_Id`: string. Unique identifier per each requirement in the specific framework
+- `Requirements_Description`: string. Description as in the framework.
+- `Requirements_Attributes`: array of objects. Includes all needed attributes per each requirement, like levels, sections, etc. Whatever helps to create a dedicated report with the result of the findings. Attributes would be taken as closely as possible from the framework's own terminology directly.
+- `Requirements_Checks`: array. Prowler checks that are needed to prove this requirement. It can be one or multiple checks. In case of no automation possible this can be empty.
+
+```
+{
+  "Framework": "<framework>-<provider>",
+  "Version": "<version>",
+  "Requirements": [
+    {
+      "Id": "<unique-id>",
+      "Description": "Requiemente full description",
+      "Checks": [
+        "Here is the prowler check or checks that is going to be executed"
+      ],
+      "Attributes": [
+        {
+         <Add here your custom attributes.>
+        }
+      ]
+    },
+    ...
+  ]
+}
+```
+
+Finally, to have a proper output file for your reports, your framework data model has to be created in `prowler/lib/outputs/models.py` and also the CLI table output in `prowler/lib/outputs/compliance.py`.

docs/developer-guide/services.md

@@ -0,0 +1,235 @@
+# Create a new Provider Service
+
+Here you can find how to create a new service, or to complement an existing one, for a Prowler Provider.
+
+## Introduction
+
+To create a new service, you will need to create a folder inside the specific provider, i.e. `prowler/providers/<provider>/services/<service>/`.
+
+Inside that folder, you MUST create the following files:
+
+- An empty `__init__.py`: to make Python treat this service folder as a package.
+- A `<service>_service.py`, containing all the service's logic and API calls.
+- A `<service>_client_.py`, containing the initialization of the service's class we have just created so the checks's checks can use it.
+
+## Service
+
+The Prowler's service structure is the following and the way to initialise it is just by importing the service client in a check.
+
+## Service Base Class
+
+All the Prowler provider's services inherits from a base class depending on the provider used.
+
+- [AWS Service Base Class](https://github.com/prowler-cloud/prowler/blob/22f8855ad7dad2e976dabff78611b643e234beaf/prowler/providers/aws/lib/service/service.py)
+- [GCP Service Base Class](https://github.com/prowler-cloud/prowler/blob/22f8855ad7dad2e976dabff78611b643e234beaf/prowler/providers/gcp/lib/service/service.py)
+- [Azure Service Base Class](https://github.com/prowler-cloud/prowler/blob/22f8855ad7dad2e976dabff78611b643e234beaf/prowler/providers/azure/lib/service/service.py)
+
+Each class is used to initialize the credentials and the API's clients to be used in the service. If some threading is used it must be coded there.
+
+## Service Class
+
+Due to the complexity and differencies of each provider API we are going to use an example service to guide you in how can it be created.
+
+The following is the `<service>_service.py` file:
+
+```python title="Service Class"
+from datetime import datetime
+from typing import Optional
+
+# The following is just for the AWS provider
+from botocore.client import ClientError
+
+# To use the Pydantic's BaseModel
+from pydantic import BaseModel
+
+# Prowler logging library
+from prowler.lib.logger import logger
+
+# Prowler resource filter, only for the AWS provider
+from prowler.lib.scan_filters.scan_filters import is_resource_filtered
+
+# Provider parent class
+from prowler.providers.<provider>.lib.service.service import ServiceParentClass
+
+
+# Create a class for the Service
+################## <Service>
+class <Service>(ServiceParentClass):
+    def __init__(self, audit_info):
+        # Call Service Parent Class __init__
+        # We use the __class__.__name__ to get it automatically
+        # from the Service Class name but you can pass a custom
+        # string if the provider's API service name is different
+        super().__init__(__class__.__name__, audit_info)
+
+        # Create an empty dictionary of items to be gathered,
+        # using the unique ID as the dictionary key
+        # e.g., instances
+        self.<items> = {}
+
+        # If you can parallelize by regions or locations
+        # you can use the __threading_call__ function
+        # available in the Service Parent Class
+        self.__threading_call__(self.__describe_<items>__)
+
+        # Optionally you can create another function to retrieve
+        # more data about each item without parallel
+        self.__describe_<item>__()
+
+    def __describe_<items>__(self, regional_client):
+        """Get ALL <Service> <Items>"""
+        logger.info("<Service> - Describing <Items>...")
+
+        # We MUST include a try/except block in each function
+        try:
+
+            # Call to the provider API to retrieve the data we want
+            describe_<items>_paginator = regional_client.get_paginator("describe_<items>")
+
+            # Paginator to get every item
+            for page in describe_<items>_paginator.paginate():
+
+                # Another try/except within the loop for to continue looping
+                # if something unexpected happens
+                try:
+
+                    for <item> in page["<Items>"]:
+
+                        # For the AWS provider we MUST include the following lines to retrieve
+                        # or not data for the resource passed as argument using the --resource-arn
+                        if not self.audit_resources or (
+                            is_resource_filtered(<item>["<item_arn>"], self.audit_resources)
+                        ):
+                            # Then we have to include the retrieved resource in the object
+                            # previously created
+                            self.<items>[<item_unique_id>] =
+                                <Item>(
+                                    arn=stack["<item_arn>"],
+                                    name=stack["<item_name>"],
+                                    tags=stack.get("Tags", []),
+                                    region=regional_client.region,
+                                )
+
+                except Exception as error:
+                    logger.error(
+                        f"{<provider_specific_field>} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                    )
+
+        # In the except part we have to use the following code to log the errors
+        except Exception as error:
+            # Depending on each provider we can use the following fields in the logger:
+            # - AWS: regional_client.region or self.region
+            # - GCP: project_id and location
+            # - Azure: subscription
+
+            logger.error(
+                f"{<provider_specific_field>} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
+    def __describe_<item>__(self):
+        """Get Details for a <Service> <Item>"""
+        logger.info("<Service> - Describing <Item> to get specific details...")
+
+        # We MUST include a try/except block in each function
+        try:
+
+            # Loop over the items retrieved in the previous function
+            for <item> in self.<items>:
+
+                # When we perform calls to the Provider API within a for loop we have
+                # to include another try/except block because in the cloud there are
+                # ephemeral resources that can be deleted at the time we are checking them
+                try:
+                    <item>_details = self.regional_clients[<item>.region].describe_<item>(
+                        <Attribute>=<item>.name
+                    )
+
+                    # For example, check if item is Public. Here is important if we are
+                    # getting values from a dictionary we have to use the "dict.get()"
+                    # function with a default value in the case this value is not present
+                    <item>.public = <item>_details.get("Public", False)
+
+
+                # In this except block, for example for the AWS Provider we can use
+                # the botocore.ClientError exception and check for a specific error code
+                # to raise a WARNING instead of an ERROR if some resource is not present.
+                except ClientError as error:
+                    if error.response["Error"]["Code"] == "InvalidInstanceID.NotFound":
+                        logger.warning(
+                            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                        )
+                    else:
+                        logger.error(
+                            f"{<provider_specific_field>} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                        )
+                    continue
+
+         # In the except part we have to use the following code to log the errors
+        except Exception as error:
+            # Depending on each provider we can use the following fields in the logger:
+            # - AWS: regional_client.region or self.region
+            # - GCP: project_id and location
+            # - Azure: subscription
+
+            logger.error(
+                f"{<item>.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+```
+
+### Service Models
+
+For each class object we need to model we use the Pydantic's [BaseModel](https://docs.pydantic.dev/latest/api/base_model/#pydantic.BaseModel) to take advantage of the data validation.
+
+```python title="Service Model"
+# In each service class we have to create some classes using
+# the Pydantic's Basemodel for the resources we want to audit.
+class <Item>(BaseModel):
+    """<Item> holds a <Service> <Item>"""
+
+    arn: str
+    """<Items>[].arn"""
+
+    name: str
+    """<Items>[].name"""
+
+    region: str
+    """<Items>[].region"""
+
+    public: bool
+    """<Items>[].public"""
+
+    # We can create Optional attributes set to None by default
+    tags: Optional[list]
+     """<Items>[].tags"""
+```
+### Service Objects
+In the service each group of resources should be created as a Python [dictionary](https://docs.python.org/3/tutorial/datastructures.html#dictionaries). This is because we are performing lookups all the time and the Python dictionary lookup has [O(1) complexity](https://en.wikipedia.org/wiki/Big_O_notation#Orders_of_common_functions).
+
+We MUST set as the dictionary key a unique ID, like the resource Unique ID or ARN.
+
+Example:
+```python
+self.vpcs = {}
+self.vpcs["vpc-01234567890abcdef"] = VPC_Object_Class()
+```
+
+## Service Client
+
+Each Prowler service requires a service client to use the service in the checks.
+
+The following is the `<service>_client.py` containing the initialization of the service's class we have just created so the service's checks can use them:
+
+```python
+from prowler.providers.<provider>.lib.audit_info.audit_info import audit_info
+from prowler.providers.<provider>.services.<service>.<service>_service import <Service>
+
+<service>_client = <Service>(audit_info)
+```
+
+## Permissions
+
+It is really important to check if the current Prowler's permissions for each provider are enough to implement a new service. If we need to include more please refer to the following documentaion and update it:
+
+- AWS: https://docs.prowler.cloud/en/latest/getting-started/requirements/#aws-authentication
+- Azure: https://docs.prowler.cloud/en/latest/getting-started/requirements/#permissions
+- GCP: https://docs.prowler.cloud/en/latest/getting-started/requirements/#gcp-authentication

docs/developer-guide/unit-testing.md

@@ -0,0 +1,592 @@
+# Unit Tests
+
+The unit tests for the Prowler checks varies between each provider supported.
+
+Here we left some good reads about unit testing and things we've learnt through all the process.
+
+**Python Testing**
+
+- https://docs.python-guide.org/writing/tests/
+
+**Where to patch**
+
+- https://docs.python.org/3/library/unittest.mock.html#where-to-patch
+- https://stackoverflow.com/questions/893333/multiple-variables-in-a-with-statement
+- ​https://docs.python.org/3/reference/compound_stmts.html#the-with-statement
+
+**Utils to trace mocking and test execution**
+
+- https://news.ycombinator.com/item?id=36054868
+- https://docs.python.org/3/library/sys.html#sys.settrace
+- https://github.com/kunalb/panopticon
+
+## General Recommendations
+
+When creating tests for some provider's checks we follow these guidelines trying to cover as much test scenarios as possible:
+
+1. Create a test without resource to generate 0 findings, because Prowler will generate 0 findings if a service does not contain the resources the check is looking for audit.
+2. Create test to generate both a `PASS` and a `FAIL` result.
+3. Create tests with more than 1 resource to evaluate how the check behaves and if the number of findings is right.
+
+## How to run Prowler tests
+
+To run the Prowler test suite you need to install the testing dependencies already included in the `pyproject.toml` file. If you didn't install it yet please read the developer guide introduction [here](./introduction.md#get-the-code-and-install-all-dependencies).
+
+Then in the project's root path execute `pytest -n auto -vvv -s -x` or use the `Makefile` with `make test`.
+
+Other commands to run tests:
+
+- Run tests for a provider: `pytest -n auto -vvv -s -x tests/providers/<provider>/services`
+- Run tests for a provider service: `pytest -n auto -vvv -s -x tests/providers/<provider>/services/<service>`
+- Run tests for a provider check: `pytest -n auto -vvv -s -x tests/providers/<provider>/services/<service>/<check>`
+
+> Refer to the [pytest documentation](https://docs.pytest.org/en/7.1.x/getting-started.html) documentation for more information.
+
+## AWS
+
+For the AWS provider we have ways to test a Prowler check based on the following criteria:
+
+> Note: We use and contribute to the [Moto](https://github.com/getmoto/moto) library which allows us to easily mock out tests based on AWS infrastructure. **It's awesome!**
+
+- AWS API calls covered by [Moto](https://github.com/getmoto/moto):
+    - Service tests with `@mock_<service>`
+    - Checks tests with `@mock_<service>`
+- AWS API calls not covered by Moto:
+    - Service test with `mock_make_api_call`
+    - Checks tests with [MagicMock](https://docs.python.org/3/library/unittest.mock.html#unittest.mock.MagicMock)
+- AWS API calls partially covered by Moto:
+    - Service test with `@mock_<service>` and `mock_make_api_call`
+    - Checks tests with `@mock_<service>` and `mock_make_api_call`
+
+In the following section we are going to explain all of the above scenarios with examples. The main difference between those scenarios comes from if the [Moto](https://github.com/getmoto/moto) library covers the AWS API calls made by the service. You can check the covered API calls [here](https://github.com/getmoto/moto/blob/master/IMPLEMENTATION_COVERAGE.md).
+
+An important point for the AWS testing is that in each check we MUST have a unique `audit_info` which is the key object during the AWS execution to isolate the test execution.
+
+Check the [Audit Info](./audit-info.md) section to get more details.
+
+```python
+# We need to import the AWS_Audit_Info and the Audit_Metadata
+# to set the audit_info to call AWS APIs
+from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
+
+AWS_ACCOUNT_NUMBER = "123456789012"
+
+def set_mocked_audit_info(self):
+  audit_info = AWS_Audit_Info(
+      session_config=None,
+      original_session=None,
+      audit_session=session.Session(
+          profile_name=None,
+          botocore_session=None,
+      ),
+      audit_config=None,
+      audited_account=AWS_ACCOUNT_NUMBER,
+      audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
+      audited_user_id=None,
+      audited_partition="aws",
+      audited_identity_arn=None,
+      profile=None,
+      profile_region=None,
+      credentials=None,
+      assumed_role_info=None,
+      audited_regions=["us-east-1", "eu-west-1"],
+      organizations_metadata=None,
+      audit_resources=None,
+      mfa_enabled=False,
+      audit_metadata=Audit_Metadata(
+          services_scanned=0,
+          expected_checks=[],
+          completed_checks=0,
+          audit_progress=0,
+      ),
+  )
+
+  return audit_info
+```
+### Checks
+
+For the AWS tests examples we are going to use the tests for the `iam_password_policy_uppercase` check.
+
+This section is going to be divided based on the API coverage of the [Moto](https://github.com/getmoto/moto) library.
+
+#### API calls covered
+
+If the [Moto](https://github.com/getmoto/moto) library covers the API calls we want to test, we can use the `@mock_<service>` decorator. This will mocked out all the API calls made to AWS keeping the state within the code decorated, in this case the test function.
+
+```python
+# We need to import the unittest.mock to allow us to patch some objects
+# not to use shared ones between test, hence to isolate the test
+from unittest import mock
+
+# Boto3 client and session to call the AWS APIs
+from boto3 import client, session
+
+# Moto decorator for the IAM service we want to mock
+from moto import mock_iam
+
+# Constants used
+AWS_ACCOUNT_NUMBER = "123456789012"
+AWS_REGION = "us-east-1"
+
+
+# We always name the test classes like Test_<check_name>
+class Test_iam_password_policy_uppercase:
+
+  # We include the Moto decorator for the service we want to use
+  # You can include more than one if two or more services are
+  # involved in test
+  @mock_iam
+  # We name the tests with test_<service>_<check_name>_<test_action>
+  def test_iam_password_policy_no_uppercase_flag(self):
+    # First, we have to create an IAM client
+    iam_client = client("iam", region_name=AWS_REGION)
+
+    # Then, since all the AWS accounts have a password
+    # policy we want to set to False the RequireUppercaseCharacters
+    iam_client.update_account_password_policy(RequireUppercaseCharacters=False)
+
+    # We set a mocked audit_info for AWS not to share the same audit state
+    # between checks
+    current_audit_info = self.set_mocked_audit_info()
+
+    # The Prowler service import MUST be made within the decorated
+    # code not to make real API calls to the AWS service.
+    from prowler.providers.aws.services.iam.iam_service import IAM
+
+    # Prowler for AWS uses a shared object called `current_audit_info` where it stores
+    # the audit's state, credentials and configuration.
+    with mock.patch(
+        "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+        new=current_audit_info,
+    ),
+    # We have to mock also the iam_client from the check to enforce that the iam_client used is the one
+    # created within this check because patch != import, and if you execute tests in parallel some objects
+    # can be already initialised hence the check won't be isolated
+      mock.patch(
+        "prowler.providers.aws.services.iam.iam_password_policy_uppercase.iam_password_policy_uppercase.iam_client",
+        new=IAM(current_audit_info),
+    ):
+        # We import the check within the two mocks not to initialise the iam_client with some shared information from
+        # the current_audit_info or the IAM service.
+        from prowler.providers.aws.services.iam.iam_password_policy_uppercase.iam_password_policy_uppercase import (
+            iam_password_policy_uppercase,
+        )
+
+        # Once imported, we only need to instantiate the check's class
+        check = iam_password_policy_uppercase()
+
+        # And then, call the execute() function to run the check
+        # against the IAM client we've set up.
+        result = check.execute()
+
+        # Last but not least, we need to assert all the fields
+        # from the check's results
+        assert len(results) == 1
+        assert result[0].status == "FAIL"
+        assert result[0].status_extended == "IAM password policy does not require at least one uppercase letter."
+        assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+        assert result[0].resource_id == AWS_ACCOUNT_NUMBER
+        assert result[0].resource_tags == []
+        assert result[0].region == AWS_REGION
+```
+
+#### API calls not covered
+
+If the IAM service for the check's we want to test is not covered by Moto, we have to inject the objects in the service client using [MagicMock](https://docs.python.org/3/library/unittest.mock.html#unittest.mock.MagicMock). As we have pointed above, we cannot instantiate the service since it will make real calls to the AWS APIs.
+
+> The following example uses the IAM GetAccountPasswordPolicy which is covered by Moto but this is only for demonstration purposes.
+
+The following code shows how to use MagicMock to create the service objects.
+
+```python
+# We need to import the unittest.mock to allow us to patch some objects
+# not to use shared ones between test, hence to isolate the test
+from unittest import mock
+
+# Constants used
+AWS_ACCOUNT_NUMBER = "123456789012"
+AWS_REGION = "us-east-1"
+
+
+# We always name the test classes like Test_<check_name>
+class Test_iam_password_policy_uppercase:
+
+  # We name the tests with test_<service>_<check_name>_<test_action>
+  def test_iam_password_policy_no_uppercase_flag(self):
+    # Mocked client with MagicMock
+    mocked_iam_client = mock.MagicMock
+
+    # Since the IAM Password Policy has their own model we have to import it
+    from prowler.providers.aws.services.iam.iam_service import PasswordPolicy
+
+    # Create the mock PasswordPolicy object
+    mocked_iam_client.password_policy = PasswordPolicy(
+        length=5,
+        symbols=True,
+        numbers=True,
+        # We set the value to False to test the check
+        uppercase=False,
+        lowercase=True,
+        allow_change=False,
+        expiration=True,
+    )
+
+    # We set a mocked audit_info for AWS not to share the same audit state
+    # between checks
+    current_audit_info = self.set_mocked_audit_info()
+
+    # In this scenario we have to mock also the IAM service and the iam_client from the check to enforce    # that the iam_client used is the one created within this check because patch != import, and if you     # execute tests in parallel some objects can be already initialised hence the check won't be isolated.
+    # In this case we don't use the Moto decorator, we use the mocked IAM client for both objects
+    with mock.patch(
+        "prowler.providers.aws.services.iam.iam_service.IAM",
+        new=mocked_iam_client,
+    ), mock.patch(
+        "prowler.providers.aws.services.iam.iam_client.iam_client",
+        new=mocked_iam_client,
+    ):
+        # We import the check within the two mocks not to initialise the iam_client with some shared information from
+        # the current_audit_info or the IAM service.
+        from prowler.providers.aws.services.iam.iam_password_policy_uppercase.iam_password_policy_uppercase import (
+            iam_password_policy_uppercase,
+        )
+
+        # Once imported, we only need to instantiate the check's class
+        check = iam_password_policy_uppercase()
+
+        # And then, call the execute() function to run the check
+        # against the IAM client we've set up.
+        result = check.execute()
+
+        # Last but not least, we need to assert all the fields
+        # from the check's results
+        assert len(results) == 1
+        assert result[0].status == "FAIL"
+        assert result[0].status_extended == "IAM password policy does not require at least one uppercase letter."
+        assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+        assert result[0].resource_id == AWS_ACCOUNT_NUMBER
+        assert result[0].resource_tags == []
+        assert result[0].region == AWS_REGION
+```
+
+As it can be seen in the above scenarios, the check execution should always be into the context of mocked/patched objects. This way we ensure it reviews only the objects created under the scope the test.
+
+#### API calls partially covered
+
+If the API calls we want to use in the service are partially covered by the Moto decorator we have to create our own mocked API calls to use it in combination.
+
+To do so, you need to mock the `botocore.client.BaseClient._make_api_call` function, which is the Boto3 function in charge of making the real API call to the AWS APIs, using `mock.patch <https://docs.python.org/3/library/unittest.mock.html#patch>`:
+
+
+```python
+
+import boto3
+import botocore
+from unittest.mock import patch
+from moto import mock_iam
+
+# Original botocore _make_api_call function
+orig = botocore.client.BaseClient._make_api_call
+
+# Mocked botocore _make_api_call function
+def mock_make_api_call(self, operation_name, kwarg):
+    # As you can see the operation_name has the get_account_password_policy snake_case form but
+    # we are using the GetAccountPasswordPolicy form.
+    # Rationale -> https://github.com/boto/botocore/blob/develop/botocore/client.py#L810:L816
+    if operation_name == 'GetAccountPasswordPolicy':
+        return {
+            'PasswordPolicy': {
+                'MinimumPasswordLength': 123,
+                'RequireSymbols': True|False,
+                'RequireNumbers': True|False,
+                'RequireUppercaseCharacters': True|False,
+                'RequireLowercaseCharacters': True|False,
+                'AllowUsersToChangePassword': True|False,
+                'ExpirePasswords': True|False,
+                'MaxPasswordAge': 123,
+                'PasswordReusePrevention': 123,
+                'HardExpiry': True|False
+            }
+        }
+    # If we don't want to patch the API call
+    return orig(self, operation_name, kwarg)
+
+# We always name the test classes like Test_<check_name>
+class Test_iam_password_policy_uppercase:
+
+  # We include the custom API call mock decorator for the service we want to use
+  @patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
+  # We include also the IAM Moto decorator for the API calls supported
+  @mock_iam
+  # We name the tests with test_<service>_<check_name>_<test_action>
+  def test_iam_password_policy_no_uppercase_flag(self):
+    # Check the previous section to see the check test since is the same
+```
+
+Note that this does not use Moto, to keep it simple, but if you use any `moto`-decorators in addition to the patch, the call to `orig(self, operation_name, kwarg)` will be intercepted by Moto.
+
+> The above code comes from here https://docs.getmoto.org/en/latest/docs/services/patching_other_services.html
+
+#### Mocking more than one service
+
+If the test your are creating belongs to a check that uses more than one provider service, you should mock each of the services used. For example, the check `cloudtrail_logs_s3_bucket_access_logging_enabled` requires the CloudTrail and the S3 client, hence the service's mock part of the test will be as follows:
+
+
+```python
+with mock.patch(
+    "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+    new=mock_audit_info,
+), mock.patch(
+    "prowler.providers.aws.services.cloudtrail.cloudtrail_logs_s3_bucket_access_logging_enabled.cloudtrail_logs_s3_bucket_access_logging_enabled.cloudtrail_client",
+    new=Cloudtrail(mock_audit_info),
+), mock.patch(
+    "prowler.providers.aws.services.cloudtrail.cloudtrail_logs_s3_bucket_access_logging_enabled.cloudtrail_logs_s3_bucket_access_logging_enabled.s3_client",
+    new=S3(mock_audit_info),
+):
+```
+
+
+As you can see in the above code, it is required to mock the AWS audit info and both services used.
+
+
+#### Patching vs. Importing
+
+This is an important topic within the Prowler check's unit testing. Due to the dynamic nature of the check's load, the process of importing the service client from a check is the following:
+
+1. `<check>.py`:
+```python
+from prowler.providers.<provider>.services.<service>.<service>_client import <service>_client
+```
+2. `<service>_client.py`:
+```python
+from prowler.providers.<provider>.lib.audit_info.audit_info import audit_info
+from prowler.providers.<provider>.services.<service>.<service>_service import <SERVICE>
+
+<service>_client = <SERVICE>(audit_info)
+```
+
+Due to the above import path it's not the same to patch the following objects because if you run a bunch of tests, either in parallel or not, some clients can be already instantiated by another check, hence your test execution will be using another test's service instance:
+
+- `<service>_client` imported at `<check>.py`
+- `<service>_client` initialised at `<service>_client.py`
+- `<SERVICE>` imported at `<service>_client.py`
+
+A useful read about this topic can be found in the following article: https://stackoverflow.com/questions/8658043/how-to-mock-an-import
+
+
+#### Different ways to mock the service client
+
+##### Mocking the service client at the service client level
+
+Mocking a service client using the following code ...
+
+```python title="Mocking the service_client"
+with mock.patch(
+    "prowler.providers.<provider>.lib.audit_info.audit_info.audit_info",
+    new=audit_info,
+), mock.patch(
+    "prowler.providers.aws.services.<service>.<check>.<check>.<service>_client",
+    new=<SERVICE>(audit_info),
+):
+```
+will cause that the service will be initialised twice:
+
+1. When the `<SERVICE>(audit_info)` is mocked out using `mock.patch` to have the object ready for the patching.
+2. At the `<service>_client.py` when we are patching it since the `mock.patch` needs to go to that object an initialise it, hence the `<SERVICE>(audit_info)` will be called again.
+
+Then, when we import the `<service>_client.py` at `<check>.py`, since we are mocking where the object is used, Python will use the mocked one.
+
+In the [next section](./unit-testing.md#mocking-the-service-and-the-service-client-at-the-service-client-level) you will see an improved version to mock objects.
+
+
+##### Mocking the service and the service client at the service client level
+Mocking a service client using the following code ...
+
+```python title="Mocking the service and the service_client"
+with mock.patch(
+    "prowler.providers.<provider>.lib.audit_info.audit_info.audit_info",
+    new=audit_info,
+), mock.patch(
+    "prowler.providers.aws.services.<service>.<SERVICE>",
+    new=<SERVICE>(audit_info),
+) as service_client, mock.patch(
+    "prowler.providers.aws.services.<service>.<service>_client.<service>_client",
+    new=service_client,
+):
+```
+will cause that the service will be initialised once, just when the `<SERVICE>(audit_info)` is mocked out using `mock.patch`.
+
+Then, at the check_level when Python tries to import the client with `from prowler.providers.<provider>.services.<service>.<service>_client`, since it is already mocked out, the execution will continue using the `service_client` without getting into the `<service>_client.py`.
+
+
+### Services
+
+For testing the AWS services we have to follow the same logic as with the AWS checks, we have to check if the AWS API calls made by the service are covered by Moto and we have to test the service `__init__` to verifiy that the information is being correctly retrieved.
+
+The service tests could act as *Integration Tests* since we test how the service retrieves the information from the provider, but since Moto or the custom mock objects mocks that calls this test will fall into *Unit Tests*.
+
+Please refer to the [AWS checks tests](./unit-testing.md#checks) for more information on how to create tests and check the existing services tests [here](https://github.com/prowler-cloud/prowler/tree/master/tests/providers/aws/services).
+
+## GCP
+
+### Checks
+
+For the GCP Provider we don't have any library to mock out the API calls we use. So in this scenario we inject the objects in the service client using [MagicMock](https://docs.python.org/3/library/unittest.mock.html#unittest.mock.MagicMock).
+
+The following code shows how to use MagicMock to create the service objects for a GCP check test.
+
+```python
+# We need to import the unittest.mock to allow us to patch some objects
+# not to use shared ones between test, hence to isolate the test
+from unittest import mock
+
+# GCP Constants
+GCP_PROJECT_ID = "123456789012"
+
+# We are going to create a test for the compute_firewall_rdp_access_from_the_internet_allowed check
+class Test_compute_firewall_rdp_access_from_the_internet_allowed:
+
+    # We name the tests with test_<service>_<check_name>_<test_action>
+    def test_compute_compute_firewall_rdp_access_from_the_internet_allowed_one_compliant_rule_with_valid_port(self):
+        # Mocked client with MagicMock
+        compute_client = mock.MagicMock
+
+        # Assign GCP client configuration
+        compute_client.project_ids = [GCP_PROJECT_ID]
+        compute_client.region = "global"
+
+        # Import the service resource model to create the mocked object
+        from prowler.providers.gcp.services.compute.compute_service import Firewall
+
+        # Create the custom Firewall object to be tested
+        firewall = Firewall(
+            name="test",
+            id="1234567890",
+            source_ranges=["0.0.0.0/0"],
+            direction="INGRESS",
+            allowed_rules=[{"IPProtocol": "tcp", "ports": ["443"]}],
+            project_id=GCP_PROJECT_ID,
+        )
+        compute_client.firewalls = [firewall]
+
+        # In this scenario we have to mock also the Compute service and the compute_client from the check to enforce that the compute_client used is the one created within this check because patch != import, and if you execute tests in parallel some objects can be already initialised hence the check won't be isolated.
+        # In this case we don't use the Moto decorator, we use the mocked Compute client for both objects
+        with mock.patch(
+            "prowler.providers.gcp.services.compute.compute_service.Compute",
+            new=defender_client,
+        ), mock.patch(
+            "prowler.providers.gcp.services.compute.compute_client.compute_client",
+            new=defender_client,
+        ):
+
+            # We import the check within the two mocks not to initialise the iam_client with some shared information from
+            # the current_audit_info or the Compute service.
+            from prowler.providers.gcp.services.compute.compute_firewall_rdp_access_from_the_internet_allowed.compute_firewall_rdp_access_from_the_internet_allowed import (
+                compute_firewall_rdp_access_from_the_internet_allowed,
+            )
+
+            # Once imported, we only need to instantiate the check's class
+            check = compute_firewall_rdp_access_from_the_internet_allowed()
+
+            # And then, call the execute() function to run the check
+            # against the IAM client we've set up.
+            result = check.execute()
+
+            # Last but not least, we need to assert all the fields
+            # from the check's results
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert result[0].status_extended == f"Firewall {firewall.name} does not expose port 3389 (RDP) to the internet."
+            assert result[0].resource_name = firewall.name
+            assert result[0].resource_id == firewall.id
+            assert result[0].project_id = GCP_PROJECT_ID
+            assert result[0].location = compute_client.region
+```
+
+### Services
+
+Coming soon ...
+
+## Azure
+
+### Checks
+
+For the Azure Provider we don't have any library to mock out the API calls we use. So in this scenario we inject the objects in the service client using [MagicMock](https://docs.python.org/3/library/unittest.mock.html#unittest.mock.MagicMock).
+
+The following code shows how to use MagicMock to create the service objects for a Azure check test.
+
+```python
+# We need to import the unittest.mock to allow us to patch some objects
+# not to use shared ones between test, hence to isolate the test
+from unittest import mock
+
+from uuid import uuid4
+
+# Azure Constants
+AZURE_SUSCRIPTION = str(uuid4())
+
+
+
+# We are going to create a test for the Test_defender_ensure_defender_for_arm_is_on check
+class Test_defender_ensure_defender_for_arm_is_on:
+
+    # We name the tests with test_<service>_<check_name>_<test_action>
+    def test_defender_defender_ensure_defender_for_arm_is_on_arm_pricing_tier_not_standard(self):
+        resource_id = str(uuid4())
+
+        # Mocked client with MagicMock
+        defender_client = mock.MagicMock
+
+        # Import the service resource model to create the mocked object
+        from prowler.providers.azure.services.defender.defender_service import Defender_Pricing
+
+        # Create the custom Defender object to be tested
+        defender_client.pricings = {
+            AZURE_SUSCRIPTION: {
+                "Arm": Defender_Pricing(
+                    resource_id=resource_id,
+                    pricing_tier="Not Standard",
+                    free_trial_remaining_time=0,
+                )
+            }
+        }
+
+        # In this scenario we have to mock also the Defender service and the defender_client from the check to enforce that the defender_client used is the one created within this check because patch != import, and if you execute tests in parallel some objects can be already initialised hence the check won't be isolated.
+        # In this case we don't use the Moto decorator, we use the mocked Defender client for both objects
+        with mock.patch(
+            "prowler.providers.azure.services.defender.defender_service.Defender",
+            new=defender_client,
+        ), mock.patch(
+            "prowler.providers.azure.services.defender.defender_client.defender_client",
+            new=defender_client,
+        ):
+
+            # We import the check within the two mocks not to initialise the iam_client with some shared information from
+            # the current_audit_info or the Defender service.
+            from prowler.providers.azure.services.defender.defender_ensure_defender_for_arm_is_on.defender_ensure_defender_for_arm_is_on import (
+                defender_ensure_defender_for_arm_is_on,
+            )
+
+            # Once imported, we only need to instantiate the check's class
+            check = defender_ensure_defender_for_arm_is_on()
+
+            # And then, call the execute() function to run the check
+            # against the IAM client we've set up.
+            result = check.execute()
+
+            # Last but not least, we need to assert all the fields
+            # from the check's results
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Defender plan Defender for ARM from subscription {AZURE_SUSCRIPTION} is set to OFF (pricing tier not standard)"
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == "Defender plan ARM"
+            assert result[0].resource_id == resource_id
+```
+
+### Services
+
+Coming soon ...

docs/getting-started/requirements.md

@@ -23,8 +23,8 @@ export AWS_SESSION_TOKEN="XXXXXXXXX"
 
 Those credentials must be associated to a user or role with proper permissions to do all checks. To make sure, add the following AWS managed policies to the user or role being used:
 
-  - arn:aws:iam::aws:policy/SecurityAudit
-  - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
+  - `arn:aws:iam::aws:policy/SecurityAudit`
+  - `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess`
 
   > Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json) to the role you are using.
 
@@ -97,10 +97,6 @@ Prowler will follow the same credentials search as [Google authentication librar
 2. [User credentials set up by using the Google Cloud CLI](https://cloud.google.com/docs/authentication/application-default-credentials#personal)
 3. [The attached service account, returned by the metadata server](https://cloud.google.com/docs/authentication/application-default-credentials#attached-sa)
 
-Those credentials must be associated to a user or service account with proper permissions to do all checks. To make sure, add the following roles to the member associated with the credentials:
-
-  - Viewer
-  - Security Reviewer
-  - Stackdriver Account Viewer
+Those credentials must be associated to a user or service account with proper permissions to do all checks. To make sure, add the `Viewer` role to the member associated with the credentials.
 
 > By default, `prowler` will scan all accessible GCP Projects, use flag `--project-ids` to specify the projects to be scanned.

docs/index.md

@@ -10,9 +10,9 @@
 For **Prowler v2 Documentation**, please go [here](https://github.com/prowler-cloud/prowler/tree/2.12.0) to the branch and its README.md.
 
 - You are currently in the **Getting Started** section where you can find general information and requirements to help you start with the tool.
-- In the [Tutorials](tutorials/overview) section you will see how to take advantage of all the features in Prowler.
-- In the [Contact Us](contact) section you can find how to reach us out in case of technical issues.
-- In the [About](about) section you will find more information about the Prowler team and license.
+- In the [Tutorials](./tutorials/misc.md) section you will see how to take advantage of all the features in Prowler.
+- In the [Contact Us](./contact.md) section you can find how to reach us out in case of technical issues.
+- In the [About](./about.md) section you will find more information about the Prowler team and license.
 
 ## About Prowler
 
@@ -201,7 +201,7 @@ To run Prowler, you will need to specify the provider (e.g aws, gcp or azure):
 prowler <provider>
 ```
 ![Prowler Execution](img/short-display.png)
-> Running the `prowler` command without options will use your environment variable credentials, see [Requirements](getting-started/requirements/) section to review the credentials settings.
+> Running the `prowler` command without options will use your environment variable credentials, see [Requirements](./getting-started/requirements.md) section to review the credentials settings.
 
 If you miss the former output you can use `--verbose` but Prowler v3 is smoking fast, so you won't see much ;)
 

docs/troubleshooting.md

@@ -11,4 +11,4 @@
     This error is also related with a lack of system requirements. To improve performance, Prowler stores information in memory so it may need to be run in a system with more than 1GB of memory.
 
 
-See section [Logging](/tutorials/logging/) for further information or [contact us](/contact/).
+See section [Logging](./tutorials/logging.md) for further information or [contact us](./contact.md).

docs/tutorials/allowlist.md

@@ -47,16 +47,6 @@ You can use `-w`/`--allowlist-file` with the path of your allowlist yaml file, b
                 - "ci-logs"           # Will ignore bucket "ci-logs" AND ALSO bucket "ci-logs-replica" in specified check and regions
                 - "logs"              # Will ignore EVERY BUCKET containing the string "logs" in specified check and regions
                 - ".+-logs"           # Will ignore all buckets containing the terms ci-logs, qa-logs, etc. in specified check and regions
-            "*":
-              Regions:
-                - "*"
-              Resources:
-                - "*"
-              Tags:
-                - "environment=dev"    # Will ignore every resource containing the tag 'environment=dev' in every account and region
-
-        "*":
-          Checks:
             "ecs_task_definitions_no_environment_secrets":
               Regions:
                 - "*"
@@ -68,6 +58,13 @@ You can use `-w`/`--allowlist-file` with the path of your allowlist yaml file, b
                 Regions:
                   - "eu-west-1"
                   - "eu-south-2"        # Will ignore every resource in check ecs_task_definitions_no_environment_secrets except the ones in account 0123456789012 located in eu-south-2 or eu-west-1
+            "*":
+              Regions:
+                - "*"
+              Resources:
+                - "*"
+              Tags:
+                - "environment=dev"    # Will ignore every resource containing the tag 'environment=dev' in every account and region
 
         "123456789012":
           Checks:
@@ -82,7 +79,26 @@ You can use `-w`/`--allowlist-file` with the path of your allowlist yaml file, b
                 Tags:
                   - "environment=prod"   # Will ignore every resource except in account 123456789012 except the ones containing the string "test" and tag environment=prod
 
+## Allowlist specific regions
+If you want to allowlist/mute failed findings only in specific regions, create a file with the following syntax and run it with `prowler aws -w allowlist.yaml`:
 
+    Allowlist:
+      Accounts:
+      "*":
+        Checks:
+          "*":
+            Regions:
+              - "ap-southeast-1"
+              - "ap-southeast-2"
+            Resources:
+              - "*"
+
+## Default AWS Allowlist
+Prowler provides you a Default AWS Allowlist with the AWS Resources that should be allowlisted such as all resources created by AWS Control Tower when setting up a landing zone.
+You can execute Prowler with this allowlist using the following command:
+```sh
+prowler aws --allowlist prowler/config/aws_allowlist.yaml
+```
 ## Supported Allowlist Locations
 
 The allowlisting flag supports the following locations:

docs/tutorials/aws/authentication.md

@@ -16,13 +16,21 @@ export AWS_SESSION_TOKEN="XXXXXXXXX"
 
 Those credentials must be associated to a user or role with proper permissions to do all checks. To make sure, add the following AWS managed policies to the user or role being used:
 
-  - arn:aws:iam::aws:policy/SecurityAudit
-  - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
+  - `arn:aws:iam::aws:policy/SecurityAudit`
+  - `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess`
 
   > Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json) to the role you are using.
 
   > If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).
 
+
+## Profiles
+
+Prowler can use your custom AWS Profile with:
+```console
+prowler <provider> -p/--profile <profile_name>
+```
+
 ## Multi-Factor Authentication
 
 If your IAM entity enforces MFA you can use `--mfa` and Prowler will ask you to input the following values to get a new session:

docs/tutorials/aws/regions-and-partitions.md

@@ -11,7 +11,14 @@ By default Prowler is able to scan the following AWS partitions:
 It is important to take into consideration that to scan the China (`aws-cn`) or GovCloud (`aws-us-gov`) partitions it is either required to have a valid region for that partition in your AWS credentials or to specify the regions you want to audit for that partition using the `-f/--region` flag.
 > Please, refer to https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials for more information about the AWS credentials configuration.
 
+Prowler can scan specific region(s) with:
+```console
+prowler aws -f/--region eu-west-1 us-east-1
+```
+
 You can get more information about the available partitions and regions in the following [Botocore](https://github.com/boto/botocore) [file](https://github.com/boto/botocore/blob/22a19ea7c4c2c4dd7df4ab8c32733cba0c7597a4/botocore/data/partitions.json).
+
+
 ## AWS China
 
 To scan your AWS account in the China partition (`aws-cn`):

docs/tutorials/aws/role-assumption.md

@@ -27,6 +27,10 @@ prowler aws -T/--session-duration <seconds> -I/--external-id <external_id> -R ar
 
 If you are using Prowler in AWS regions that are not enabled by default you need to use the argument `--sts-endpoint-region` to point the AWS STS API calls `assume-role` and `get-caller-identity` to the non-default region, e.g.: `prowler aws --sts-endpoint-region eu-south-2`.
 
+> Since v3.11.0, Prowler uses a regional token in STS sessions so it can scan all AWS regions without needing the `--sts-endpoint-region` argument.
+
+> Make sure that you have enabled the AWS Region you want to scan in BOTH AWS Accounts (assumed role account and account from which you assume the role).
+
 ## Role MFA
 
 If your IAM Role has MFA configured you can use `--mfa` along with  `-R`/`--role <role_arn>` and Prowler will ask you to input the following values to get a new temporary session for the IAM Role provided:

docs/tutorials/aws/s3.md

@@ -0,0 +1,26 @@
+# Send report to AWS S3 Bucket
+
+To save your report in an S3 bucket, use `-B`/`--output-bucket`.
+
+```sh
+prowler <provider> -B my-bucket
+```
+
+If you can use a custom folder and/or filename, use `-o`/`--output-directory` and/or `-F`/`--output-filename`.
+
+```sh
+prowler <provider> \
+        -B my-bucket \
+        --output-directory test-folder \
+        --output-filename output-filename
+```
+
+By default Prowler sends HTML, JSON and CSV output formats, if you want to send a custom output format or a single one of the defaults you can specify it with the `-M`/`--output-modes` flag.
+
+```sh
+prowler <provider> -M csv -B my-bucket
+```
+
+> In the case you do not want to use the assumed role credentials but the initial credentials to put the reports into the S3 bucket, use `-D`/`--output-bucket-no-assume` instead of `-B`/`--output-bucket`.
+
+> Make sure that the used credentials have `s3:PutObject` permissions in the S3 path where the reports are going to be uploaded.

docs/tutorials/aws/v2_to_v3_checks_mapping.md

@@ -2,7 +2,7 @@
 
 Prowler v3 comes with different identifiers but we maintained the same checks that were implemented in v2. The reason for this change is because in previous versions of Prowler, check names were mostly based on CIS Benchmark for AWS. In v3 all checks are independent from any security framework and they have its own name and ID.
 
-If you need more information about how new compliance implementation works in Prowler v3 see [Compliance](../../compliance/) section.
+If you need more information about how new compliance implementation works in Prowler v3 see [Compliance](../compliance.md) section.
 
 ```
 checks_v3_to_v2_mapping = {
@@ -12,13 +12,13 @@ checks_v3_to_v2_mapping = {
     "account_security_questions_are_registered_in_the_aws_account": "check115",
     "acm_certificates_expiration_check": "extra730",
     "acm_certificates_transparency_logs_enabled": "extra724",
-    "apigateway_authorizers_enabled": "extra746",
-    "apigateway_client_certificate_enabled": "extra743",
-    "apigateway_endpoint_public": "extra745",
-    "apigateway_logging_enabled": "extra722",
-    "apigateway_waf_acl_attached": "extra744",
-    "apigatewayv2_access_logging_enabled": "extra7156",
-    "apigatewayv2_authorizers_enabled": "extra7157",
+    "apigateway_restapi_authorizers_enabled": "extra746",
+    "apigateway_restapi_client_certificate_enabled": "extra743",
+    "apigateway_restapi_public": "extra745",
+    "apigateway_restapi_logging_enabled": "extra722",
+    "apigateway_restapi_waf_acl_attached": "extra744",
+    "apigatewayv2_api_access_logging_enabled": "extra7156",
+    "apigatewayv2_api_authorizers_enabled": "extra7157",
     "appstream_fleet_default_internet_access_disabled": "extra7193",
     "appstream_fleet_maximum_session_duration": "extra7190",
     "appstream_fleet_session_disconnect_timeout": "extra7191",
@@ -84,7 +84,7 @@ checks_v3_to_v2_mapping = {
     "ec2_ebs_snapshots_encrypted": "extra740",
     "ec2_ebs_volume_encryption": "extra729",
     "ec2_elastic_ip_shodan": "extra7102",
-    "ec2_elastic_ip_unassgined": "extra7146",
+    "ec2_elastic_ip_unassigned": "extra7146",
     "ec2_instance_imdsv2_enabled": "extra786",
     "ec2_instance_internet_facing_with_instance_profile": "extra770",
     "ec2_instance_managed_by_ssm": "extra7124",
@@ -157,9 +157,8 @@ checks_v3_to_v2_mapping = {
     "iam_administrator_access_with_mfa": "extra71",
     "iam_avoid_root_usage": "check11",
     "iam_check_saml_providers_sts": "extra733",
-    "iam_disable_30_days_credentials": "extra774",
-    "iam_disable_45_days_credentials": "extra7198",
-    "iam_disable_90_days_credentials": "check13",
+    "iam_customer_attached_policy_no_administrative_privileges": "subset of check122",
+    "iam_customer_unattached_policy_no_administrative_privileges": "subset of check122",
     "iam_no_custom_policy_permissive_role_assumption": "extra7100",
     "iam_no_expired_server_certificates_stored": "extra7199",
     "iam_no_root_access_key": "check112",
@@ -172,11 +171,12 @@ checks_v3_to_v2_mapping = {
     "iam_password_policy_uppercase": "check15",
     "iam_policy_allows_privilege_escalation": "extra7185",
     "iam_policy_attached_only_to_group_or_roles": "check116",
-    "iam_policy_no_administrative_privileges": "check122",
     "iam_root_hardware_mfa_enabled": "check114",
     "iam_root_mfa_enabled": "check113",
     "iam_rotate_access_key_90_days": "check14",
     "iam_support_role_created": "check120",
+    "iam_user_accesskey_unused": "subset of check13,extra774,extra7198",
+    "iam_user_console_access_unused": "subset of check13,extra774,extra7198",
     "iam_user_hardware_mfa_enabled": "extra7125",
     "iam_user_mfa_enabled_console_access": "check12",
     "iam_user_no_setup_initial_access_key": "check121",

docs/tutorials/azure/authentication.md

@@ -24,4 +24,4 @@ prowler azure --browser-auth --tenant-id "XXXXXXXX"
 prowler azure --managed-identity-auth
 ```
 
-To use Prowler you need to set up also the permissions required to access your resources in your Azure account, to more details refer to [Requirements](/getting-started/requirements)
+To use Prowler you need to set up also the permissions required to access your resources in your Azure account, to more details refer to [Requirements](../../getting-started/requirements.md)

docs/tutorials/check-aliases.md

@@ -0,0 +1,20 @@
+# Check Aliases
+
+Prowler allows you to use aliases for the checks. You only have to add the `CheckAliases` key to the check's metadata with a list of the aliases:
+
+    "Provider": "<provider>",
+    "CheckID": "<check_id>",
+    "CheckTitle": "<check_title>",
+    "CheckAliases": [
+      "<check_alias_1>"
+      "<check_alias_2>",
+      ...
+    ],
+    ...
+
+Then, you can execute the check either with its check ID or with one of the previous aliases:
+```console
+prowler <provider> -c/--checks <check_alias_1>
+
+Using alias <check_alias_1> for check <check_id>...
+```

docs/tutorials/configuration_file.md

@@ -9,38 +9,56 @@ Also you can input a custom configuration file using the `--config-file` argumen
 ## AWS
 
 ### Configurable Checks
-The following list includes all the checks with configurable variables that can be changed in the mentioned configuration yaml file:
+The following list includes all the AWS checks with configurable variables that can be changed in the configuration yaml file:
 
-1. aws.ec2_elastic_ip_shodan
-    - shodan_api_key (String)
-- aws.ec2_securitygroup_with_many_ingress_egress_rules
-    - max_security_group_rules (Integer)
-- aws.ec2_instance_older_than_specific_days
-    - max_ec2_instance_age_in_days (Integer)
-- aws.vpc_endpoint_connections_trust_boundaries
-    - trusted_account_ids (List of Strings)
-- aws.vpc_endpoint_services_allowed_principals_trust_boundaries
-    - trusted_account_ids (List of Strings)
-- aws.cloudwatch_log_group_retention_policy_specific_days_enabled
-    - log_group_retention_days (Integer)
-- aws.appstream_fleet_session_idle_disconnect_timeout
-    - max_idle_disconnect_timeout_in_seconds (Integer)
-- aws.appstream_fleet_session_disconnect_timeout
-    - max_disconnect_timeout_in_seconds (Integer)
-- aws.appstream_fleet_maximum_session_duration
-    - max_session_duration_seconds (Integer)
-- aws.awslambda_function_using_supported_runtimes
-    - obsolete_lambda_runtimes (List of Strings)
+| Check Name                                                    | Value                                            | Type            |
+|---------------------------------------------------------------|--------------------------------------------------|-----------------|
+| `iam_user_accesskey_unused`                                   | `max_unused_access_keys_days`                    | Integer         |
+| `iam_user_console_access_unused`                              | `max_console_access_days`                        | Integer         |
+| `ec2_elastic_ip_shodan`                                       | `shodan_api_key`                                 | String          |
+| `ec2_securitygroup_with_many_ingress_egress_rules`            | `max_security_group_rules`                       | Integer         |
+| `ec2_instance_older_than_specific_days`                       | `max_ec2_instance_age_in_days`                   | Integer         |
+| `vpc_endpoint_connections_trust_boundaries`                   | `trusted_account_ids`                            | List of Strings |
+| `vpc_endpoint_services_allowed_principals_trust_boundaries`   | `trusted_account_ids`                            | List of Strings |
+| `cloudwatch_log_group_retention_policy_specific_days_enabled` | `log_group_retention_days`                       | Integer         |
+| `appstream_fleet_session_idle_disconnect_timeout`             | `max_idle_disconnect_timeout_in_seconds`         | Integer         |
+| `appstream_fleet_session_disconnect_timeout`                  | `max_disconnect_timeout_in_seconds`              | Integer         |
+| `appstream_fleet_maximum_session_duration`                    | `max_session_duration_seconds`                   | Integer         |
+| `awslambda_function_using_supported_runtimes`                 | `obsolete_lambda_runtimes`                       | Integer         |
+| `organizations_scp_check_deny_regions`                        | `organizations_enabled_regions`                  | List of Strings |
+| `organizations_delegated_administrators`                      | `organizations_trusted_delegated_administrators` | List of Strings |
+| `ecr_repositories_scan_vulnerabilities_in_latest_image`       | `ecr_repository_vulnerability_minimum_severity`  | String          |
+| `trustedadvisor_premium_support_plan_subscribed`              | `verify_premium_support_plans`                   | Boolean         |
+| `config_recorder_all_regions_enabled`                         | `allowlist_non_default_regions`                  | Boolean         |
+| `drs_job_exist`                                               | `allowlist_non_default_regions`                  | Boolean         |
+| `guardduty_is_enabled`                                        | `allowlist_non_default_regions`                  | Boolean         |
+| `securityhub_enabled`                                         | `allowlist_non_default_regions`                  | Boolean         |
 
 ## Azure
 
+### Configurable Checks
+
 ## GCP
 
+### Configurable Checks
+
 ## Config YAML File Structure
 > This is the new Prowler configuration file format. The old one without provider keys is still compatible just for the AWS provider.
-```yaml
+
+```yaml title="config.yaml"
 # AWS Configuration
 aws:
+
+  # AWS Global Configuration
+  # aws.allowlist_non_default_regions --> Allowlist Failed Findings in non-default regions for GuardDuty, SecurityHub, DRS and Config
+  allowlist_non_default_regions: False
+
+  # AWS IAM Configuration
+  # aws.iam_user_accesskey_unused --> CIS recommends 45 days
+  max_unused_access_keys_days: 45
+  # aws.iam_user_console_access_unused --> CIS recommends 45 days
+  max_console_access_days: 45
+
   # AWS EC2 Configuration
   # aws.ec2_elastic_ip_shodan
   shodan_api_key: null
@@ -95,6 +113,17 @@ aws:
   organizations_enabled_regions: []
   organizations_trusted_delegated_administrators: []
 
+  # AWS ECR
+  # ecr_repositories_scan_vulnerabilities_in_latest_image
+  # CRITICAL
+  # HIGH
+  # MEDIUM
+  ecr_repository_vulnerability_minimum_severity: "MEDIUM"
+
+  # AWS Trusted Advisor
+  # trustedadvisor_premium_support_plan_subscribed
+  verify_premium_support_plans: True
+
 # Azure Configuration
 azure:
 

docs/tutorials/developer-guide.md

@@ -1,281 +0,0 @@
-# Developer Guide
-
-You can extend Prowler in many different ways, in most cases you will want to create your own checks and compliance security frameworks, here is where you can learn about how to get started with it. We also include how to create custom outputs, integrations and more.
-
-## Get the code and install all dependencies
-
-First of all, you need a version of Python 3.9 or higher and also pip installed to be able to install all dependencies required. Once that is satisfied go a head and clone the repo:
-
-```
-git clone https://github.com/prowler-cloud/prowler
-cd prowler
-```
-For isolation and avoid conflicts with other environments, we recommend usage of `poetry`:
-```
-pip install poetry
-```
-Then install all dependencies including the ones for developers:
-```
-poetry install
-poetry shell
-```
-
-## Contributing with your code or fixes to Prowler
-
-This repo has git pre-commit hooks managed via the pre-commit tool. Install it how ever you like, then in the root of this repo run:
-```
-pre-commit install
-```
-You should get an output like the following:
-```
-pre-commit installed at .git/hooks/pre-commit
-```
-
-Before we merge any of your pull requests we pass checks to the code, we use the following tools and automation to make sure the code is secure and dependencies up-to-dated (these should have been already installed if you ran `pipenv install -d`):
-
-- `bandit` for code security review.
-- `safety` and `dependabot` for dependencies.
-- `hadolint` and `dockle` for our containers security.
-- `snyk` in Docker Hub.
-- `clair` in Amazon ECR.
-- `vulture`, `flake8`, `black` and `pylint` for formatting and best practices.
-
-You can see all dependencies in file `Pipfile`.
-
-## Create a new check for a Provider
-
-### If the check you want to create belongs to an existing service
-
-To create a new check, you will need to create a folder inside the specific service, i.e. `prowler/providers/<provider>/services/<service>/<check_name>/`, with the name of check following the pattern: `service_subservice_action`.
-Inside that folder, create the following files:
-
-- An empty `__init__.py`: to make Python treat this check folder as a package.
-- A `check_name.py` containing the check's logic, for example:
-```
-# Import the Check_Report of the specific provider
-from prowler.lib.check.models import Check, Check_Report_AWS
-# Import the client of the specific service
-from prowler.providers.aws.services.ec2.ec2_client import ec2_client
-
-# Create the class for the check
-class ec2_ebs_volume_encryption(Check):
-    def execute(self):
-        findings = []
-        # Iterate the service's asset that want to be analyzed
-        for volume in ec2_client.volumes:
-            # Initialize a Check Report for each item and assign the region, resource_id, resource_arn and resource_tags
-            report = Check_Report_AWS(self.metadata())
-            report.region = volume.region
-            report.resource_id = volume.id
-            report.resource_arn = volume.arn
-            report.resource_tags = volume.tags
-            # Make the logic with conditions and create a PASS and a FAIL with a status and a status_extended
-            if volume.encrypted:
-                report.status = "PASS"
-                report.status_extended = f"EBS Snapshot {volume.id} is encrypted."
-            else:
-                report.status = "FAIL"
-                report.status_extended = f"EBS Snapshot {volume.id} is unencrypted."
-            findings.append(report) # Append a report for each item
-
-        return findings
-```
-- A `check_name.metadata.json` containing the check's metadata, for example:
-```
-{
-  "Provider": "aws",
-  "CheckID": "ec2_ebs_volume_encryption",
-  "CheckTitle": "Ensure there are no EBS Volumes unencrypted.",
-  "CheckType": [
-    "Data Protection"
-  ],
-  "ServiceName": "ec2",
-  "SubServiceName": "volume",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
-  "Severity": "medium",
-  "ResourceType": "AwsEc2Volume",
-  "Description": "Ensure there are no EBS Volumes unencrypted.",
-  "Risk": "Data encryption at rest prevents data visibility in the event of its unauthorized access or theft.",
-  "RelatedUrl": "",
-  "Remediation": {
-    "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
-    },
-    "Recommendation": {
-      "Text": "Encrypt all EBS volumes and Enable Encryption by default You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example; Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot.",
-      "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html"
-    }
-  },
-  "Categories": [
-    "encryption"
-  ],
-  "DependsOn": [],
-  "RelatedTo": [],
-  "Notes": ""
-}
-```
-
-### If the check you want to create belongs to a service not supported already by Prowler you will need to create a new service first
-
-To create a new service, you will need to create a folder inside the specific provider, i.e. `prowler/providers/<provider>/services/<service>/`.
-Inside that folder, create the following files:
-
-- An empty `__init__.py`: to make Python treat this service folder as a package.
-- A `<service>_service.py`, containing all the service's logic and API Calls:
-```
-# You must import the following libraries
-import threading
-from typing import Optional
-
-from pydantic import BaseModel
-
-from prowler.lib.logger import logger
-from prowler.lib.scan_filters.scan_filters import is_resource_filtered
-from prowler.providers.aws.aws_provider import generate_regional_clients
-
-
-# Create a class for the Service
-################## <Service>
-class <Service>:
-    def __init__(self, audit_info):
-        self.service = "<service>" # The name of the service boto3 client
-        self.session = audit_info.audit_session
-        self.audited_account = audit_info.audited_account
-        self.audit_resources = audit_info.audit_resources
-        self.regional_clients = generate_regional_clients(self.service, audit_info)
-        self.<items> = [] # Create an empty list of the items to be gathered, e.g., instances
-        self.__threading_call__(self.__describe_<items>__)
-        self.__describe_<item>__() # Optionally you can create another function to retrieve more data about each item
-
-    def __get_session__(self):
-        return self.session
-
-    def __threading_call__(self, call):
-        threads = []
-        for regional_client in self.regional_clients.values():
-            threads.append(threading.Thread(target=call, args=(regional_client,)))
-        for t in threads:
-            t.start()
-        for t in threads:
-            t.join()
-
-    def __describe_<items>__(self, regional_client):
-        """Get ALL <Service> <Items>"""
-        logger.info("<Service> - Describing <Items>...")
-        try:
-            describe_<items>_paginator = regional_client.get_paginator("describe_<items>") # Paginator to get every item
-            for page in describe_<items>_paginator.paginate():
-                for <item> in page["<Items>"]:
-                    if not self.audit_resources or (
-                        is_resource_filtered(<item>["<item_arn>"], self.audit_resources)
-                    ):
-                        self.<items>.append(
-                            <Item>(
-                                arn=stack["<item_arn>"],
-                                name=stack["<item_name>"],
-                                tags=stack.get("Tags", []),
-                                region=regional_client.region,
-                            )
-                        )
-        except Exception as error:
-            logger.error(
-                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
-            )
-
-    def __describe_<item>__(self):
-        """Get Details for a <Service> <Item>"""
-        logger.info("<Service> - Describing <Item> to get specific details...")
-        try:
-            for <item> in self.<items>:
-                <item>_details = self.regional_clients[<item>.region].describe_<item>(
-                    <Attribute>=<item>.name
-                )
-                # For example, check if item is Public
-                <item>.public = <item>_details.get("Public", False)
-
-        except Exception as error:
-            logger.error(
-                f"{<item>.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
-            )
-
-
-class <Item>(BaseModel):
-    """<Item> holds a <Service> <Item>"""
-
-    arn: str
-    """<Items>[].Arn"""
-    name: str
-    """<Items>[].Name"""
-    public: bool
-    """<Items>[].Public"""
-    tags: Optional[list] = []
-    region: str
-
-```
-- A `<service>_client_.py`, containing the initialization of the service's class we have just created so the service's checks can use them:
-```
-from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
-from prowler.providers.aws.services.<service>.<service>_service import <Service>
-
-<service>_client = <Service>(current_audit_info)
-```
-
-## Create a new security compliance framework
-
-If you want to create or contribute with your own security frameworks or add public ones to Prowler you need to make sure the checks are available if not you have to create your own. Then create a compliance file per provider like in `prowler/compliance/aws/` and name it as `<framework>_<version>_<provider>.json` then follow the following format to create yours.
-
-Each file version of a framework will have the following structure at high level with the case that each framework needs to be generally identified, one requirement can be also called one control but one requirement can be linked to multiple prowler checks.:
-
-- `Framework`: string. Distinguish name of the framework, like CIS
-- `Provider`: string. Provider where the framework applies, such as AWS, Azure, OCI,...
-- `Version`: string. Version of the framework itself, like 1.4 for CIS.
-- `Requirements`: array of objects. Include all requirements or controls with the mapping to Prowler.
-- `Requirements_Id`: string. Unique identifier per each requirement in the specific framework
-- `Requirements_Description`: string. Description as in the framework.
-- `Requirements_Attributes`: array of objects. Includes all needed attributes per each requirement, like levels, sections, etc. Whatever helps to create a dedicated report with the result of the findings. Attributes would be taken as closely as possible from the framework's own terminology directly.
-- `Requirements_Checks`: array. Prowler checks that are needed to prove this requirement. It can be one or multiple checks. In case of no automation possible this can be empty.
-
-```
-{
-  "Framework": "<framework>-<provider>",
-  "Version": "<version>",
-  "Requirements": [
-    {
-      "Id": "<unique-id>",
-      "Description": "Requiemente full description",
-      "Checks": [
-        "Here is the prowler check or checks that is going to be executed"
-      ],
-      "Attributes": [
-        {
-         <Add here your custom attributes.>
-        }
-      ]
-    },
-    ...
-  ]
-}
-```
-
-Finally, to have a proper output file for your reports, your framework data model has to be created in `prowler/lib/outputs/models.py` and also the CLI table output in `prowler/lib/outputs/compliance.py`.
-
-
-## Create a custom output format
-
-## Create a new integration
-
-## Contribute with documentation
-
-We use `mkdocs` to build this Prowler documentation site so you can easily contribute back with new docs or improving them.
-
-1. Install `mkdocs` with your favorite package manager.
-2. Inside the `prowler` repository folder run `mkdocs serve` and point your browser to `http://localhost:8000` and you will see live changes to your local copy of this documentation site.
-3. Make all needed changes to docs or add new documents. To do so just edit existing md files inside `prowler/docs` and if you are adding a new section or file please make sure you add it to `mkdocs.yaml` file in the root folder of the Prowler repo.
-4. Once you are done with changes, please send a pull request to us for review and merge. Thank you in advance!
-
-## Want some swag as appreciation for your contribution?
-
-If you are like us and you love swag, we are happy to thank you for your contribution with some laptop stickers or whatever other swag we may have at that time. Please, tell us more details and your pull request link in our [Slack workspace here](https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog). You can also reach out to Toni de la Fuente on Twitter [here](https://twitter.com/ToniBlyx), his DMs are open.

docs/tutorials/gcp/authentication.md

@@ -22,8 +22,4 @@ Prowler will follow the same credentials search as [Google authentication librar
 2. [User credentials set up by using the Google Cloud CLI](https://cloud.google.com/docs/authentication/application-default-credentials#personal)
 3. [The attached service account, returned by the metadata server](https://cloud.google.com/docs/authentication/application-default-credentials#attached-sa)
 
-Those credentials must be associated to a user or service account with proper permissions to do all checks. To make sure, add the following roles to the member associated with the credentials:
-
-  - Viewer
-  - Security Reviewer
-  - Stackdriver Account Viewer
+Those credentials must be associated to a user or service account with proper permissions to do all checks. To make sure, add the `Viewer` role to the member associated with the credentials.

docs/tutorials/ignore-unused-services.md

@@ -0,0 +1,70 @@
+# Ignore Unused Services
+
+> Currently only available on the AWS provider.
+
+Prowler allows you to ignore unused services findings, so you can reduce the number of findings in Prowler's reports.
+
+```console
+prowler <provider> --ignore-unused-services
+```
+
+## Services that can be ignored
+### AWS
+#### Athena
+When you create an AWS Account, Athena will create a default primary workgroup for you.
+Prowler will check if that workgroup is enabled and if it is being used by checking if there were queries in the last 45 days.
+If not, the findings of the following checks will not appear:
+
+  - `athena_workgroup_encryption`
+  - `athena_workgroup_enforce_configuration`
+
+#### CloudTrail
+AWS CloudTrail should have at least one trail with a data event to record all S3 object-level API operations, Prowler will check first if there are S3 buckets in your account before alerting this issue.
+
+  - `cloudtrail_s3_dataevents_read_enabled`
+  - `cloudtrail_s3_dataevents_write_enabled`
+
+#### EC2
+If EBS default encyption is not enabled, sensitive information at rest is not protected in EC2. But Prowler will only create a finding if there are EBS Volumes where this default configuration could be enforced by default.
+
+  - `ec2_ebs_default_encryption`
+
+If your Security groups are not properly configured the attack surface is increased, nonetheless, Prowler will detect those security groups that are being used (they are attached) to only notify those that are being used. This logic applies to the 15 checks related to open ports in security groups.
+
+  - `ec2_securitygroup_allow_ingress_from_internet_to_port_X` (15 checks)
+
+Prowler will also check for used Network ACLs to only alerts those with open ports that are being used.
+
+  - `ec2_networkacl_allow_ingress_X_port` (3 checks)
+
+
+#### Glue
+It is a best practice to encrypt both metadata and connection passwords in AWS Glue Data Catalogs, however, Prowler will detect if the service is in use by checking if there are any Data Catalog tables.
+
+  - `glue_data_catalogs_connection_passwords_encryption_enabled`
+  - `glue_data_catalogs_metadata_encryption_enabled`
+
+#### Inspector
+Amazon Inspector is a vulnerability discovery service that automates continuous scanning for security vulnerabilities within your Amazon EC2, Amazon ECR, and AWS Lambda environments. Prowler recommends to enable it and resolve all the Inspector's findings. Ignoring the unused services, Prowler will only notify you if there are any Lambda functions, EC2 instances or ECR repositories in the region where Amazon inspector should be enabled.
+
+  - `inspector2_findings_exist`
+
+#### Macie
+Amazon Macie is a security service that uses machine learning to automatically discover, classify and protect sensitive data in S3 buckets. Prowler will only create a finding when Macie is not enabled if there are S3 buckets in your account.
+
+  - `macie_is_enabled`
+
+#### Network Firewall
+Without a network firewall, it can be difficult to monitor and control traffic within the VPC. However, Prowler will only alert you for those VPCs that are in use, in other words, only the VPCs where you have ENIs (network interfaces).
+
+  - `networkfirewall_in_all_vpc`
+
+#### S3
+You should enable Public Access Block at the account level to prevent the exposure of your data stored in S3. Prowler though will only check this block configuration if you have S3 buckets in your AWS account.
+
+  - `s3_account_level_public_access_blocks`
+
+#### VPC
+VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows. Nevertheless, Prowler will only check if the Flow Logs are enabled for those VPCs that are in use, in other words, only the VPCs where you have ENIs (network interfaces).
+
+  - `vpc_flow_logs_enabled`

docs/tutorials/misc.md

@@ -14,6 +14,11 @@ Prowler can only display the failed findings:
 ```console
 prowler <provider> -q/--quiet
 ```
+## Disable Exit Code 3
+Prowler does not trigger exit code 3 with failed checks:
+```console
+prowler <provider> -z/--ignore-exit-code-3
+```
 ## Hide Prowler Banner
 Prowler can run without showing its banner:
 ```console
@@ -65,7 +70,7 @@ The custom checks folder must contain one subfolder per check, each subfolder mu
 - A `check_name.metadata.json` containing the check's metadata.
 >The check name must start with the service name followed by an underscore (e.g., ec2_instance_public_ip).
 
-To see more information about how to write checks see the [Developer Guide](../developer-guide/#create-a-new-check-for-a-provider).
+To see more information about how to write checks see the [Developer Guide](../developer-guide/checks.md#create-a-new-check-for-a-provider).
 
 > If you want to run ONLY your custom check(s), import it with -x (--checks-folder) and then run it with -c (--checks), e.g.:
 ```console
@@ -112,16 +117,3 @@ prowler <provider> --list-categories
 ```console
 prowler  <provider> --categories
 ```
-
-## AWS
-
-### Scan specific AWS Region
-Prowler can scan specific region(s) with:
-```console
-prowler <provider> -f/--filter-region eu-west-1 us-east-1
-```
-### Use AWS Profile
-Prowler can use your custom AWS Profile with:
-```console
-prowler <provider> -p/--profile <profile_name>
-```

docs/tutorials/pentesting.md

@@ -25,7 +25,7 @@ prowler <provider> --categories secrets
 
 Several checks analyse resources that are exposed to the Internet, these are:
 
-1. apigateway_endpoint_public
+1. apigateway_restapi_public
 - appstream_fleet_default_internet_access_disabled
 - awslambda_function_not_publicly_accessible
 - ec2_ami_public

docs/tutorials/reporting.md

@@ -21,25 +21,11 @@ prowler <provider> -M csv json json-asff html -o <custom_report_directory>
 ```
 > Both flags can be used simultaneously to provide a custom directory and filename.
 ```console
-prowler <provider> -M csv json json-asff html -F <custom_report_name> -o <custom_report_directory>
+prowler <provider> -M csv json json-asff html \
+        -F <custom_report_name> -o <custom_report_directory>
 ```
-## Send report to AWS S3 Bucket
-
-To save your report in an S3 bucket, use `-B`/`--output-bucket`.
-
-```sh
-prowler <provider> -B my-bucket/folder/
-```
-
-By default Prowler sends HTML, JSON and CSV output formats, if you want to send a custom output format or a single one of the defaults you can specify it with the `-M` flag.
-
-```sh
-prowler <provider> -M csv -B my-bucket/folder/
-```
-
-> In the case you do not want to use the assumed role credentials but the initial credentials to put the reports into the S3 bucket, use `-D`/`--output-bucket-no-assume` instead of `-B`/`--output-bucket`.
-
-> Make sure that the used credentials have s3:PutObject permissions in the S3 path where the reports are going to be uploaded.
+## Output timestamp format
+By default, the timestamp format of the output files is ISO 8601. This can be changed with the flag `--unix-timestamp` generating the timestamp fields in pure unix timestamp format.
 
 ## Output Formats
 
@@ -56,12 +42,54 @@ Hereunder is the structure for each of the supported report formats by Prowler:
 ### HTML
 ![HTML Output](../img/output-html.png)
 ### CSV
-| ASSESSMENT_START_TIME | FINDING_UNIQUE_ID | PROVIDER | PROFILE | ACCOUNT_ID | ACCOUNT_NAME | ACCOUNT_EMAIL | ACCOUNT_ARN | ACCOUNT_ORG | ACCOUNT_TAGS | REGION | CHECK_ID | CHECK_TITLE | CHECK_TYPE | STATUS | STATUS_EXTENDED | SERVICE_NAME | SUBSERVICE_NAME | SEVERITY | RESOURCE_ID | RESOURCE_ARN | RESOURCE_TYPE | RESOURCE_DETAILS | RESOURCE_TAGS | DESCRIPTION | COMPLIANCE | RISK | RELATED_URL | REMEDIATION_RECOMMENDATION_TEXT | REMEDIATION_RECOMMENDATION_URL | REMEDIATION_RECOMMENDATION_CODE_NATIVEIAC | REMEDIATION_RECOMMENDATION_CODE_TERRAFORM | REMEDIATION_RECOMMENDATION_CODE_CLI | REMEDIATION_RECOMMENDATION_CODE_OTHER | CATEGORIES | DEPENDS_ON | RELATED_TO | NOTES |
-| ------- | ----------- | ------ | -------- | ------------ | ----------- | ---------- | ---------- | --------------------- | -------------------------- | -------------- | ----------------- | ------------------------ | --------------- | ---------- | ----------------- | --------- | -------------- | ----------------- | ------------------ | --------------------- | -------------------- | ------------------- | ------------------- | -------------------- | -------------------- | -------------------- | -------------------- | -------------------- | -------------------- | -------------------- | -------------------- | -------------------- | -------------------- | -------------------- | -------------------- | -------------------- | -------------------- |
 
+The following are the columns present in the CSV format:
+
+- ASSESSMENT_START_TIME
+- FINDING_UNIQUE_ID
+- PROVIDER
+- PROFILE
+- ACCOUNT_ID
+-  ACCOUNT_NAME
+-  ACCOUNT_EMAIL
+-  ACCOUNT_ARN
+-  ACCOUNT_ORG
+-  ACCOUNT_TAGS
+-  REGION
+-  CHECK_ID
+-  CHECK_TITLE
+-  CHECK_TYPE
+-  STATUS
+-  STATUS_EXTENDED
+-  SERVICE_NAME
+-  SUBSERVICE_NAME
+-  SEVERITY
+-  RESOURCE_ID
+-  RESOURCE_ARN
+-  RESOURCE_TYPE
+-  RESOURCE_DETAILS
+-  RESOURCE_TAGS
+-  DESCRIPTION
+-  COMPLIANCE
+-  RISK
+-  RELATED_URL
+-  REMEDIATION_RECOMMENDATION_TEXT
+-  REMEDIATION_RECOMMENDATION_URL
+-  REMEDIATION_RECOMMENDATION_CODE_NATIVEIAC
+-  REMEDIATION_RECOMMENDATION_CODE_TERRAFORM
+-  REMEDIATION_RECOMMENDATION_CODE_CLI
+-  REMEDIATION_RECOMMENDATION_CODE_OTHER
+-  CATEGORIES
+-  DEPENDS_ON
+-  RELATED_TO
+-  NOTES
+
+> Since Prowler v3 the CSV column delimiter is the semicolon (`;`)
 ### JSON
 
-```
+The following code is an example output of the JSON format:
+
+```json
 [{
     "AssessmentStartTime": "2022-12-01T14:16:57.354413",
     "FindingUniqueId": "",
@@ -111,7 +139,8 @@ Hereunder is the structure for each of the supported report formats by Prowler:
             "1.20"
         ]
     }
-},{
+},
+{
     "AssessmentStartTime": "2022-12-01T14:16:57.354413",
     "FindingUniqueId": "",
     "Provider": "aws",
@@ -148,17 +177,18 @@ Hereunder is the structure for each of the supported report formats by Prowler:
     },
     "Categories": [],
     "Notes": "",
-    "Compliance: {}
+    "Compliance": {}
 }]
 ```
 
-> NOTE: Each finding is a `json` object.
+> NOTE: Each finding is a `json` object within a list. This has changed in v3 since in v2 the format used was [ndjson](http://ndjson.org/).
+
 
 ### JSON-OCSF
 
 Based on [Open Cybersecurity Schema Framework Security Finding v1.0.0-rc.3](https://schema.ocsf.io/1.0.0-rc.3/classes/security_finding?extensions=)
 
-```
+```json
 [{
     "finding": {
         "title": "Check if ACM Certificates are about to expire in specific days or less",
@@ -415,7 +445,9 @@ Based on [Open Cybersecurity Schema Framework Security Finding v1.0.0-rc.3](http
 > NOTE: Each finding is a `json` object.
 ### JSON-ASFF
 
-```
+The following code is an example output of the [JSON-ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-syntax.html) format:
+
+```json
 [{
     "SchemaVersion": "2018-10-08",
     "Id": "prowler-rds_instance_minor_version_upgrade_enabled-ACCOUNT_ID-eu-west-1-b1ade474a",
@@ -543,4 +575,4 @@ Based on [Open Cybersecurity Schema Framework Security Finding v1.0.0-rc.3](http
 }]
 ```
 
-> NOTE: Each finding is a `json` object.
+> NOTE: Each finding is a `json` object within a list.

mkdocs.yml

@@ -37,8 +37,10 @@ nav:
       - Configuration File: tutorials/configuration_file.md
       - Logging: tutorials/logging.md
       - Allowlist: tutorials/allowlist.md
+      - Check Aliases: tutorials/check-aliases.md
+      - Ignore Unused Services: tutorials/ignore-unused-services.md
       - Pentesting: tutorials/pentesting.md
-      - Developer Guide: tutorials/developer-guide.md
+      - Developer Guide: developer-guide/introduction.md
       - AWS:
           - Authentication: tutorials/aws/authentication.md
           - Assume Role: tutorials/aws/role-assumption.md
@@ -46,6 +48,7 @@ nav:
           - AWS Organizations: tutorials/aws/organizations.md
           - AWS Regions and Partitions: tutorials/aws/regions-and-partitions.md
           - Scan Multiple AWS Accounts: tutorials/aws/multiaccount.md
+          - Send reports to AWS S3: tutorials/aws/s3.md
           - AWS CloudShell: tutorials/aws/cloudshell.md
           - Checks v2 to v3 Mapping: tutorials/aws/v2_to_v3_checks_mapping.md
           - Tag-based Scan: tutorials/aws/tag-based-scan.md
@@ -56,7 +59,18 @@ nav:
           - Subscriptions: tutorials/azure/subscriptions.md
       - Google Cloud:
           - Authentication: tutorials/gcp/authentication.md
-  - Developer Guide: tutorials/developer-guide.md
+  - Developer Guide:
+      - Introduction: developer-guide/introduction.md
+      - Audit Info: developer-guide/audit-info.md
+      - Services: developer-guide/services.md
+      - Checks: developer-guide/checks.md
+      - Documentation: developer-guide/documentation.md
+      - Compliance: developer-guide/security-compliance-framework.md
+      - Outputs: developer-guide/outputs.md
+      - Integrations: developer-guide/integrations.md
+      - Testing:
+          - Unit Tests: developer-guide/unit-testing.md
+          - Integration Tests: developer-guide/integration-testing.md
   - Security: security.md
   - Contact Us: contact.md
   - Troubleshooting: troubleshooting.md

permissions/create_role_to_assume_cfn.yaml

@@ -60,6 +60,7 @@ Resources:
                 - 'appstream:List*'
                 - 'codeartifact:List*'
                 - 'codebuild:BatchGet*'
+                - 'dlm:Get*'
                 - 'ds:Get*'
                 - 'ds:Describe*'
                 - 'ds:List*'

permissions/prowler-additions-policy.json

@@ -10,6 +10,7 @@
         "cloudtrail:GetInsightSelectors",
         "codeartifact:List*",
         "codebuild:BatchGet*",
+        "dlm:Get*",
         "drs:Describe*",
         "ds:Get*",
         "ds:Describe*",

prowler/__main__.py

@@ -4,6 +4,8 @@
 import os
 import sys
 
+from colorama import Fore, Style
+
 from prowler.lib.banner import print_banner
 from prowler.lib.check.check import (
     bulk_load_checks_metadata,
@@ -12,6 +14,7 @@ from prowler.lib.check.check import (
     exclude_services_to_run,
     execute_checks,
     list_categories,
+    list_checks_json,
     list_services,
     parse_checks_from_folder,
     print_categories,
@@ -28,17 +31,23 @@ from prowler.lib.logger import logger, set_logging_config
 from prowler.lib.outputs.compliance import display_compliance_table
 from prowler.lib.outputs.html import add_html_footer, fill_html_overview_statistics
 from prowler.lib.outputs.json import close_json
-from prowler.lib.outputs.outputs import extract_findings_statistics, send_to_s3_bucket
+from prowler.lib.outputs.outputs import extract_findings_statistics
 from prowler.lib.outputs.slack import send_slack_message
 from prowler.lib.outputs.summary_table import display_summary_table
+from prowler.providers.aws.aws_provider import get_available_aws_service_regions
+from prowler.providers.aws.lib.s3.s3 import send_to_s3_bucket
 from prowler.providers.aws.lib.security_hub.security_hub import (
+    batch_send_to_security_hub,
+    prepare_security_hub_findings,
     resolve_security_hub_previous_findings,
+    verify_security_hub_integration_enabled_per_region,
 )
 from prowler.providers.common.allowlist import set_provider_allowlist
 from prowler.providers.common.audit_info import (
     set_provider_audit_info,
     set_provider_execution_parameters,
 )
+from prowler.providers.common.clean import clean_provider_local_output_directories
 from prowler.providers.common.outputs import set_provider_output_options
 from prowler.providers.common.quick_inventory import run_provider_quick_inventory
 
@@ -113,6 +122,11 @@ def prowler():
         provider,
     )
 
+    # if --list-checks-json, dump a json file and exit
+    if args.list_checks_json:
+        print(list_checks_json(provider, sorted(checks_to_execute)))
+        sys.exit()
+
     # If -l/--list-checks passed as argument, print checks to execute and quit
     if args.list_checks:
         print_checks(provider, sorted(checks_to_execute), bulk_checks_metadata)
@@ -138,7 +152,8 @@ def prowler():
     # Once the audit_info is set and we have the eventual checks based on the resource identifier,
     # it is time to check what Prowler's checks are going to be executed
     if audit_info.audit_resources:
-        checks_to_execute = set_provider_execution_parameters(provider, audit_info)
+        checks_from_resources = set_provider_execution_parameters(provider, audit_info)
+        checks_to_execute = checks_to_execute.intersection(checks_from_resources)
 
     # Sort final check list
     checks_to_execute = sorted(checks_to_execute)
@@ -217,11 +232,51 @@ def prowler():
                     bucket_session,
                 )
 
-    # Resolve previous fails of Security Hub
-    if provider == "aws" and args.security_hub and not args.skip_sh_update:
-        resolve_security_hub_previous_findings(
-            args.output_directory, args.output_filename, audit_info
+    # AWS Security Hub Integration
+    if provider == "aws" and args.security_hub:
+        print(
+            f"{Style.BRIGHT}\nSending findings to AWS Security Hub, please wait...{Style.RESET_ALL}"
         )
+        # Verify where AWS Security Hub is enabled
+        aws_security_enabled_regions = []
+        security_hub_regions = (
+            get_available_aws_service_regions("securityhub", audit_info)
+            if not audit_info.audited_regions
+            else audit_info.audited_regions
+        )
+        for region in security_hub_regions:
+            # Save the regions where AWS Security Hub is enabled
+            if verify_security_hub_integration_enabled_per_region(
+                region, audit_info.audit_session
+            ):
+                aws_security_enabled_regions.append(region)
+
+        # Prepare the findings to be sent to Security Hub
+        security_hub_findings_per_region = prepare_security_hub_findings(
+            findings, audit_info, audit_output_options, aws_security_enabled_regions
+        )
+
+        # Send the findings to Security Hub
+        findings_sent_to_security_hub = batch_send_to_security_hub(
+            security_hub_findings_per_region, audit_info.audit_session
+        )
+
+        print(
+            f"{Style.BRIGHT}{Fore.GREEN}\n{findings_sent_to_security_hub} findings sent to AWS Security Hub!{Style.RESET_ALL}"
+        )
+
+        # Resolve previous fails of Security Hub
+        if not args.skip_sh_update:
+            print(
+                f"{Style.BRIGHT}\nArchiving previous findings in AWS Security Hub, please wait...{Style.RESET_ALL}"
+            )
+            findings_archived_in_security_hub = resolve_security_hub_previous_findings(
+                security_hub_findings_per_region,
+                audit_info,
+            )
+            print(
+                f"{Style.BRIGHT}{Fore.GREEN}\n{findings_archived_in_security_hub} findings archived in AWS Security Hub!{Style.RESET_ALL}"
+            )
 
     # Display summary table
     if not args.only_logs:
@@ -247,6 +302,9 @@ def prowler():
     if checks_folder:
         remove_custom_checks_module(checks_folder, provider)
 
+    # clean local directories
+    clean_provider_local_output_directories(args)
+
     # If there are failed findings exit code 3, except if -z is input
     if not args.ignore_exit_code_3 and stats["total_fail"] > 0:
         sys.exit(3)

prowler/compliance/aws/aws_foundational_security_best_practices_aws.json

@@ -46,11 +46,11 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
-        "apigateway_client_certificate_enabled",
-        "apigateway_waf_acl_attached",
-        "apigatewayv2_authorizers_enabled",
-        "apigatewayv2_access_logging_enabled"
+        "apigateway_restapi_logging_enabled",
+        "apigateway_restapi_client_certificate_enabled",
+        "apigateway_restapi_waf_acl_attached",
+        "apigatewayv2_api_authorizers_enabled",
+        "apigatewayv2_api_access_logging_enabled"
       ]
     },
     {
@@ -367,9 +367,11 @@
         "iam_user_mfa_enabled_console_access",
         "iam_root_hardware_mfa_enabled",
         "iam_password_policy_minimum_length_14",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "iam_aws_attached_policy_no_administrative_privileges",
-        "iam_customer_attached_policy_no_administrative_privileges"
+        "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges"
       ]
     },
     {

prowler/compliance/aws/aws_well_architected_framework_reliability_pillar_aws.json

@@ -44,8 +44,8 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
-        "apigatewayv2_access_logging_enabled",
+        "apigateway_restapi_logging_enabled",
+        "apigatewayv2_api_access_logging_enabled",
         "awslambda_function_invoke_api_operations_cloudtrail_logging_enabled",
         "cloudtrail_cloudwatch_logging_enabled",
         "elb_logging_enabled",

prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json

@@ -346,6 +346,7 @@
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
         "iam_customer_unattached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "opensearch_service_domains_internal_user_database_enabled"
       ]
     },
@@ -434,7 +435,7 @@
         "appstream_fleet_session_idle_disconnect_timeout",
         "cloudwatch_log_group_retention_policy_specific_days_enabled",
         "codebuild_project_older_90_days",
-        "ec2_elastic_ip_unassgined",
+        "ec2_elastic_ip_unassigned",
         "ecr_repositories_lifecycle_policy_enabled",
         "elbv2_listeners_underneath",
         "iam_password_policy_expires_passwords_within_90_days_or_less"
@@ -476,7 +477,7 @@
         "s3_bucket_policy_public_write_access",
         "sagemaker_notebook_instance_without_direct_internet_access_configured",
         "appstream_fleet_default_internet_access_disabled",
-        "apigateway_endpoint_public",
+        "apigateway_restapi_public",
         "awslambda_function_url_cors_policy",
         "awslambda_function_url_public",
         "cloudtrail_logs_s3_bucket_is_not_publicly_accessible",
@@ -535,13 +536,13 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "opensearch_service_domains_audit_logging_enabled",
         "cloudtrail_cloudwatch_logging_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
         "acm_certificates_transparency_logs_enabled",
-        "apigatewayv2_access_logging_enabled",
+        "apigatewayv2_api_access_logging_enabled",
         "awslambda_function_invoke_api_operations_cloudtrail_logging_enabled",
         "cloudfront_distributions_logging_enabled",
         "cloudtrail_cloudwatch_logging_enabled",
@@ -660,7 +661,7 @@
       "Checks": [
         "opensearch_service_domains_not_publicly_accessible",
         "awslambda_function_not_publicly_accessible",
-        "apigateway_waf_acl_attached",
+        "apigateway_restapi_waf_acl_attached",
         "cloudfront_distributions_using_waf",
         "eks_control_plane_endpoint_access_restricted",
         "sagemaker_models_network_isolation_enabled",
@@ -692,8 +693,8 @@
         "ec2_ebs_public_snapshot",
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "sagemaker_notebook_instance_without_direct_internet_access_configured",
-        "apigateway_authorizers_enabled",
-        "apigatewayv2_authorizers_enabled",
+        "apigateway_restapi_authorizers_enabled",
+        "apigatewayv2_api_authorizers_enabled",
         "s3_bucket_acl_prohibited",
         "s3_bucket_no_mfa_delete"
       ]
@@ -769,7 +770,7 @@
       "Checks": [
         "guardduty_is_enabled",
         "vpc_flow_logs_enabled",
-        "apigateway_authorizers_enabled"
+        "apigateway_restapi_authorizers_enabled"
       ]
     },
     {
@@ -1136,7 +1137,7 @@
       "Checks": [
         "opensearch_service_domains_node_to_node_encryption_enabled",
         "opensearch_service_domains_https_communications_enforced",
-        "apigateway_client_certificate_enabled",
+        "apigateway_restapi_client_certificate_enabled",
         "cloudfront_distributions_field_level_encryption_enabled",
         "cloudfront_distributions_https_enabled",
         "cloudfront_distributions_using_deprecated_ssl_protocols",

prowler/compliance/aws/cis_1.4_aws.json

@@ -15,11 +15,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Manual",
-          "Description": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.\n\nAn AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.",
+          "Description": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.  An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.",
           "RationaleStatement": "If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question, so it is in both the customers' and AWS' best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.",
           "ImpactStatement": "",
-          "RemediationProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing ).\n\n1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/.\n2. On the navigation bar, choose your account name, and then choose `My Account`.\n3. On the `Account Settings` page, next to `Account Settings`, choose `Edit`.\n4. Next to the field that you need to update, choose `Edit`.\n5. After you have entered your changes, choose `Save changes`.\n6. After you have made your changes, choose `Done`.\n7. To edit your contact information, under `Contact Information`, choose `Edit`.\n8. For the fields that you want to change, type your updated information, and then choose `Update`.",
-          "AuditProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing )\n\n1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/.\n2. On the navigation bar, choose your account name, and then choose `My Account`.\n3. On the `Account Settings` page, review and verify the current details.\n4. Under `Contact Information`, review and verify the current details.",
+          "RemediationProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing ).  1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, next to `Account Settings`, choose `Edit`. 4. Next to the field that you need to update, choose `Edit`. 5. After you have entered your changes, choose `Save changes`. 6. After you have made your changes, choose `Done`. 7. To edit your contact information, under `Contact Information`, choose `Edit`. 8. For the fields that you want to change, type your updated information, and then choose `Update`.",
+          "AuditProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing )  1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, review and verify the current details. 4. Under `Contact Information`, review and verify the current details.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#contact-info"
         }
@@ -39,9 +39,9 @@
           "Description": "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.",
           "RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.",
           "ImpactStatement": "AWS will soon end support for SMS multi-factor authentication (MFA). New customers are not allowed to use this feature. We recommend that existing customers switch to one of the following alternative methods of MFA.",
-          "RemediationProcedure": "Perform the following to enable MFA:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/'\n2. In the left pane, select `Users`.\n3. In the `User Name` list, choose the name of the intended MFA user.\n4. Choose the `Security Credentials` tab, and then choose `Manage MFA Device`.\n5. In the `Manage MFA Device wizard`, choose `Virtual MFA` device, and then choose `Continue`.\n\n IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.\n\n6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).\n7. Determine whether the MFA app supports QR codes, and then do one of the following:\n\n - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.\n - In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.\n\n When you are finished, the virtual MFA device starts generating one-time passwords.\n\n8. In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second `one-time password` into the `MFA Code 2 box`.\n\n9. Click `Assign MFA`.",
-          "AuditProcedure": "Perform the following to determine if a MFA device is enabled for all IAM users having a console password:\n\n**From Console:**\n\n1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. In the left pane, select `Users` \n3. If the `MFA` or `Password age` columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click `Close`.\n4. Ensure that for each user where the `Password age` column shows a password age, the `MFA` column shows `Virtual`, `U2F Security Key`, or `Hardware`.\n\n**From Command Line:**\n\n1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status:\n```\n aws iam generate-credential-report\n```\n```\n aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8 \n```\n2. The output of this command will produce a table similar to the following:\n```\n user,password_enabled,mfa_active\n elise,false,false\n brandon,true,true\n rakesh,false,false\n helene,false,false\n paras,true,true\n anitha,false,false \n```\n3. For any column having `password_enabled` set to `true` , ensure `mfa_active` is also set to `true.`",
-          "AdditionalInformation": "**Forced IAM User Self-Service Remediation**\n\nAmazon has published a pattern that forces users to self-service setup MFA before they have access to their complete permissions set. Until they complete this step, they cannot access their full permissions. This pattern can be used on new AWS accounts. It can also be used on existing accounts - it is recommended users are given instructions and a grace period to accomplish MFA enrollment before active enforcement on existing AWS accounts.",
+          "RemediationProcedure": "Perform the following to enable MFA:  **From Console:**  1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/' 2. In the left pane, select `Users`. 3. In the `User Name` list, choose the name of the intended MFA user. 4. Choose the `Security Credentials` tab, and then choose `Manage MFA Device`. 5. In the `Manage MFA Device wizard`, choose `Virtual MFA` device, and then choose `Continue`.   IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.  6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following:   - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.  - In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.   When you are finished, the virtual MFA device starts generating one-time passwords.  8. In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second `one-time password` into the `MFA Code 2 box`.  9. Click `Assign MFA`.",
+          "AuditProcedure": "Perform the following to determine if a MFA device is enabled for all IAM users having a console password:  **From Console:**  1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left pane, select `Users`  3. If the `MFA` or `Password age` columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click `Close`. 4. Ensure that for each user where the `Password age` column shows a password age, the `MFA` column shows `Virtual`, `U2F Security Key`, or `Hardware`.  **From Command Line:**  1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status: ```  aws iam generate-credential-report ``` ```  aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8  ``` 2. The output of this command will produce a table similar to the following: ```  user,password_enabled,mfa_active  elise,false,false  brandon,true,true  rakesh,false,false  helene,false,false  paras,true,true  anitha,false,false  ``` 3. For any column having `password_enabled` set to `true` , ensure `mfa_active` is also set to `true.`",
+          "AdditionalInformation": "**Forced IAM User Self-Service Remediation**  Amazon has published a pattern that forces users to self-service setup MFA before they have access to their complete permissions set. Until they complete this step, they cannot access their full permissions. This pattern can be used on new AWS accounts. It can also be used on existing accounts - it is recommended users are given instructions and a grace period to accomplish MFA enrollment before active enforcement on existing AWS accounts.",
           "References": "https://tools.ietf.org/html/rfc6238:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users"
         }
       ]
@@ -57,11 +57,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require. \n\nProgrammatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user. \n\nAWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.",
-          "RationaleStatement": "Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.\n\n**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.",
+          "Description": "AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require.   Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user.   AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.",
+          "RationaleStatement": "Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.  **Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to delete access keys that do not pass the audit:\n\n**From Console:**\n\n1. Login to the AWS Management Console:\n2. Click `Services` \n3. Click `IAM` \n4. Click on `Users` \n5. Click on `Security Credentials` \n6. As an Administrator \n - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.\n7. As an IAM User\n - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.\n\n**From Command Line:**\n```\naws iam delete-access-key --access-key-id <access-key-id-listed> --user-name <users-name>\n```",
-          "AuditProcedure": "Perform the following to determine if access keys were created upon user creation and are being used and rotated as prescribed:\n\n**From Console:**\n\n1. Login to the AWS Management Console\n2. Click `Services` \n3. Click `IAM` \n4. Click on a User where column `Password age` and `Access key age` is not set to `None`\n5. Click on `Security credentials` Tab\n6. Compare the user 'Creation time` to the Access Key `Created` date.\n6. For any that match, the key was created during initial user setup.\n\n- Keys that were created at the same time as the user profile and do not have a last used date should be deleted. Refer to the remediation below.\n\n**From Command Line:**\n\n1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys utilization:\n```\n aws iam generate-credential-report\n```\n```\n aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16\n```\n2. The output of this command will produce a table similar to the following:\n```\nuser,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date\n elise,false,true,2015-04-16T15:14:00+00:00,false,N/A\n brandon,true,true,N/A,false,N/A\n rakesh,false,false,N/A,false,N/A\n helene,false,true,2015-11-18T17:47:00+00:00,false,N/A\n paras,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00\n anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A \n```\n3. For any user having `password_enabled` set to `true` AND `access_key_last_used_date` set to `N/A` refer to the remediation below.",
+          "RemediationProcedure": "Perform the following to delete access keys that do not pass the audit:  **From Console:**  1. Login to the AWS Management Console: 2. Click `Services`  3. Click `IAM`  4. Click on `Users`  5. Click on `Security Credentials`  6. As an Administrator   - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used. 7. As an IAM User  - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.  **From Command Line:** ``` aws iam delete-access-key --access-key-id <access-key-id-listed> --user-name <users-name> ```",
+          "AuditProcedure": "Perform the following to determine if access keys were created upon user creation and are being used and rotated as prescribed:  **From Console:**  1. Login to the AWS Management Console 2. Click `Services`  3. Click `IAM`  4. Click on a User where column `Password age` and `Access key age` is not set to `None` 5. Click on `Security credentials` Tab 6. Compare the user 'Creation time` to the Access Key `Created` date. 6. For any that match, the key was created during initial user setup.  - Keys that were created at the same time as the user profile and do not have a last used date should be deleted. Refer to the remediation below.  **From Command Line:**  1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys utilization: ```  aws iam generate-credential-report ``` ```  aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16 ``` 2. The output of this command will produce a table similar to the following: ``` user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date  elise,false,true,2015-04-16T15:14:00+00:00,false,N/A  brandon,true,true,N/A,false,N/A  rakesh,false,false,N/A,false,N/A  helene,false,true,2015-11-18T17:47:00+00:00,false,N/A  paras,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00  anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A  ``` 3. For any user having `password_enabled` set to `true` AND `access_key_last_used_date` set to `N/A` refer to the remediation below.",
           "AdditionalInformation": "Credential report does not appear to contain \"Key Creation Date\"",
           "References": "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html"
         }
@@ -71,7 +71,8 @@
       "Id": "1.12",
       "Description": "Ensure credentials unused for 45 days or greater are disabled",
       "Checks": [
-        "iam_disable_45_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ],
       "Attributes": [
         {
@@ -81,8 +82,8 @@
           "Description": "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.",
           "RationaleStatement": "Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\nPerform the following to manage Unused Password (IAM user console access)\n\n1. Login to the AWS Management Console:\n2. Click `Services` \n3. Click `IAM` \n4. Click on `Users` \n5. Click on `Security Credentials` \n6. Select user whose `Console last sign-in` is greater than 45 days\n7. Click `Security credentials`\n8. In section `Sign-in credentials`, `Console password` click `Manage` \n9. Under Console Access select `Disable`\n10.Click `Apply`\n\nPerform the following to deactivate Access Keys:\n\n1. Login to the AWS Management Console:\n2. Click `Services` \n3. Click `IAM` \n4. Click on `Users` \n5. Click on `Security Credentials` \n6. Select any access keys that are over 45 days old and that have been used and \n - Click on `Make Inactive`\n7. Select any access keys that are over 45 days old and that have not been used and \n - Click the X to `Delete`",
-          "AuditProcedure": "Perform the following to determine if unused credentials exist:\n\n**From Console:**\n\n1. Login to the AWS Management Console\n2. Click `Services` \n3. Click `IAM`\n4. Click on `Users`\n5. Click the `Settings` (gear) icon.\n6. Select `Console last sign-in`, `Access key last used`, and `Access Key Id`\n7. Click on `Close` \n8. Check and ensure that `Console last sign-in` is less than 45 days ago.\n\n**Note** - `Never` means the user has never logged in.\n\n9. Check and ensure that `Access key age` is less than 45 days and that `Access key last used` does not say `None`\n\nIf the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old refer to the remediation.\n\n**From Command Line:**\n\n**Download Credential Report:**\n\n1. Run the following commands:\n```\n aws iam generate-credential-report\n\n aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | grep -v '^<root_account>'\n```\n\n**Ensure unused credentials do not exist:**\n\n2. For each user having `password_enabled` set to `TRUE` , ensure `password_last_used_date` is less than `45` days ago.\n\n- When `password_enabled` is set to `TRUE` and `password_last_used` is set to `No_Information` , ensure `password_last_changed` is less than 45 days ago.\n\n3. For each user having an `access_key_1_active` or `access_key_2_active` to `TRUE` , ensure the corresponding `access_key_n_last_used_date` is less than `45` days ago.\n\n- When a user having an `access_key_x_active` (where x is 1 or 2) to `TRUE` and corresponding access_key_x_last_used_date is set to `N/A', ensure `access_key_x_last_rotated` is less than 45 days ago.",
+          "RemediationProcedure": "**From Console:**  Perform the following to manage Unused Password (IAM user console access)  1. Login to the AWS Management Console: 2. Click `Services`  3. Click `IAM`  4. Click on `Users`  5. Click on `Security Credentials`  6. Select user whose `Console last sign-in` is greater than 45 days 7. Click `Security credentials` 8. In section `Sign-in credentials`, `Console password` click `Manage`  9. Under Console Access select `Disable` 10.Click `Apply`  Perform the following to deactivate Access Keys:  1. Login to the AWS Management Console: 2. Click `Services`  3. Click `IAM`  4. Click on `Users`  5. Click on `Security Credentials`  6. Select any access keys that are over 45 days old and that have been used and   - Click on `Make Inactive` 7. Select any access keys that are over 45 days old and that have not been used and   - Click the X to `Delete`",
+          "AuditProcedure": "Perform the following to determine if unused credentials exist:  **From Console:**  1. Login to the AWS Management Console 2. Click `Services`  3. Click `IAM` 4. Click on `Users` 5. Click the `Settings` (gear) icon. 6. Select `Console last sign-in`, `Access key last used`, and `Access Key Id` 7. Click on `Close`  8. Check and ensure that `Console last sign-in` is less than 45 days ago.  **Note** - `Never` means the user has never logged in.  9. Check and ensure that `Access key age` is less than 45 days and that `Access key last used` does not say `None`  If the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old refer to the remediation.  **From Command Line:**  **Download Credential Report:**  1. Run the following commands: ```  aws iam generate-credential-report   aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | grep -v '^<root_account>' ```  **Ensure unused credentials do not exist:**  2. For each user having `password_enabled` set to `TRUE` , ensure `password_last_used_date` is less than `45` days ago.  - When `password_enabled` is set to `TRUE` and `password_last_used` is set to `No_Information` , ensure `password_last_changed` is less than 45 days ago.  3. For each user having an `access_key_1_active` or `access_key_2_active` to `TRUE` , ensure the corresponding `access_key_n_last_used_date` is less than `45` days ago.  - When a user having an `access_key_x_active` (where x is 1 or 2) to `TRUE` and corresponding access_key_x_last_used_date is set to `N/A', ensure `access_key_x_last_rotated` is less than 45 days ago.",
           "AdditionalInformation": "<root_account> is excluded in the audit since the root account should not be used for day to day business and would likely be unused for more than 45 days.",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#remove-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html"
         }
@@ -102,8 +103,8 @@
           "Description": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)",
           "RationaleStatement": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`.\n2. In the left navigation panel, choose `Users`.\n3. Click on the IAM user name that you want to examine.\n4. On the IAM user configuration page, select `Security Credentials` tab.\n5. In `Access Keys` section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.\n6. In the same `Access Keys` section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the `Make Inactive` link.\n7. If you receive the `Change Key Status` confirmation box, click `Deactivate` to switch off the selected key.\n8. Repeat steps no. 3 – 7 for each IAM user in your AWS account.\n\n**From Command Line:**\n\n1. Using the IAM user and access key information provided in the `Audit CLI`, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.\n\n2. Run the `update-access-key` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user\n\n**Note** - the command does not return any output:\n```\naws iam update-access-key --access-key-id <access-key-id> --status Inactive --user-name <user-name>\n```\n3. To confirm that the selected access key pair has been successfully `deactivated` run the `list-access-keys` audit command again for that IAM User:\n```\naws iam list-access-keys --user-name <user-name>\n```\n- The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) `Status` is set to `Inactive`, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.\n\n4. Repeat steps no. 1 – 3 for each IAM user in your AWS account.",
-          "AuditProcedure": "**From Console:**\n\n1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`.\n2. In the left navigation panel, choose `Users`.\n3. Click on the IAM user name that you want to examine.\n4. On the IAM user configuration page, select `Security Credentials` tab.\n5. Under `Access Keys` section, in the Status column, check the current status for each access key associated with the IAM user. If the selected IAM user has more than one access key activated then the users access configuration does not adhere to security best practices and the risk of accidental exposures increases.\n- Repeat steps no. 3 – 5 for each IAM user in your AWS account.\n\n**From Command Line:**\n\n1. Run `list-users` command to list all IAM users within your account:\n```\naws iam list-users --query \"Users[*].UserName\"\n```\nThe command output should return an array that contains all your IAM user names.\n\n2. Run `list-access-keys` command using the IAM user name list to return the current status of each access key associated with the selected IAM user:\n```\naws iam list-access-keys --user-name <user-name>\n```\nThe command output should expose the metadata `(\"Username\", \"AccessKeyId\", \"Status\", \"CreateDate\")` for each access key on that user account.\n\n3. Check the `Status` property value for each key returned to determine each keys current state. If the `Status` property value for more than one IAM access key is set to `Active`, the user access configuration does not adhere to this recommendation, refer to the remediation below.\n\n- Repeat steps no. 2 and 3 for each IAM user in your AWS account.",
+          "RemediationProcedure": "**From Console:**  1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. In `Access Keys` section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working. 6. In the same `Access Keys` section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the `Make Inactive` link. 7. If you receive the `Change Key Status` confirmation box, click `Deactivate` to switch off the selected key. 8. Repeat steps no. 3 – 7 for each IAM user in your AWS account.  **From Command Line:**  1. Using the IAM user and access key information provided in the `Audit CLI`, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.  2. Run the `update-access-key` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user  **Note** - the command does not return any output: ``` aws iam update-access-key --access-key-id <access-key-id> --status Inactive --user-name <user-name> ``` 3. To confirm that the selected access key pair has been successfully `deactivated` run the `list-access-keys` audit command again for that IAM User: ``` aws iam list-access-keys --user-name <user-name> ``` - The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) `Status` is set to `Inactive`, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.  4. Repeat steps no. 1 – 3 for each IAM user in your AWS account.",
+          "AuditProcedure": "**From Console:**  1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. Under `Access Keys` section, in the Status column, check the current status for each access key associated with the IAM user. If the selected IAM user has more than one access key activated then the users access configuration does not adhere to security best practices and the risk of accidental exposures increases. - Repeat steps no. 3 – 5 for each IAM user in your AWS account.  **From Command Line:**  1. Run `list-users` command to list all IAM users within your account: ``` aws iam list-users --query \"Users[*].UserName\" ``` The command output should return an array that contains all your IAM user names.  2. Run `list-access-keys` command using the IAM user name list to return the current status of each access key associated with the selected IAM user: ``` aws iam list-access-keys --user-name <user-name> ``` The command output should expose the metadata `(\"Username\", \"AccessKeyId\", \"Status\", \"CreateDate\")` for each access key on that user account.  3. Check the `Status` property value for each key returned to determine each keys current state. If the `Status` property value for more than one IAM access key is set to `Active`, the user access configuration does not adhere to this recommendation, refer to the remediation below.  - Repeat steps no. 2 and 3 for each IAM user in your AWS account.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html"
         }
@@ -121,10 +122,10 @@
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
           "Description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.",
-          "RationaleStatement": "Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.\n\nAccess keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.",
+          "RationaleStatement": "Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.  Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to rotate access keys:\n\n**From Console:**\n\n1. Go to Management Console (https://console.aws.amazon.com/iam)\n2. Click on `Users`\n3. Click on `Security Credentials` \n4. As an Administrator \n - Click on `Make Inactive` for keys that have not been rotated in `90` Days\n5. As an IAM User\n - Click on `Make Inactive` or `Delete` for keys which have not been rotated or used in `90` Days\n6. Click on `Create Access Key` \n7. Update programmatic call with new Access Key credentials\n\n**From Command Line:**\n\n1. While the first access key is still active, create a second access key, which is active by default. Run the following command:\n```\naws iam create-access-key\n```\n\nAt this point, the user has two active access keys.\n\n2. Update all applications and tools to use the new access key.\n3. Determine whether the first access key is still in use by using this command:\n```\naws iam get-access-key-last-used\n```\n4. One approach is to wait several days and then check the old access key for any use before proceeding.\n\nEven if step Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command:\n```\naws iam update-access-key\n```\n5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to step Step 2 and update this application to use the new key.\n\n6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command:\n```\naws iam delete-access-key\n```",
-          "AuditProcedure": "Perform the following to determine if access keys are rotated as prescribed:\n\n**From Console:**\n\n1. Go to Management Console (https://console.aws.amazon.com/iam)\n2. Click on `Users`\n3. Click `setting` icon\n4. Select `Console last sign-in`\n5. Click `Close`\n6. Ensure that `Access key age` is less than 90 days ago. note) `None` in the `Access key age` means the user has not used the access key.\n\n**From Command Line:**\n\n```\naws iam generate-credential-report\naws iam get-credential-report --query 'Content' --output text | base64 -d\n```\nThe `access_key_1_last_rotated` field in this file notes The date and time, in ISO 8601 date-time format, when the user's access key was created or last changed. If the user does not have an active access key, the value in this field is N/A (not applicable).",
+          "RemediationProcedure": "Perform the following to rotate access keys:  **From Console:**  1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click on `Security Credentials`  4. As an Administrator   - Click on `Make Inactive` for keys that have not been rotated in `90` Days 5. As an IAM User  - Click on `Make Inactive` or `Delete` for keys which have not been rotated or used in `90` Days 6. Click on `Create Access Key`  7. Update programmatic call with new Access Key credentials  **From Command Line:**  1. While the first access key is still active, create a second access key, which is active by default. Run the following command: ``` aws iam create-access-key ```  At this point, the user has two active access keys.  2. Update all applications and tools to use the new access key. 3. Determine whether the first access key is still in use by using this command: ``` aws iam get-access-key-last-used ``` 4. One approach is to wait several days and then check the old access key for any use before proceeding.  Even if step Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command: ``` aws iam update-access-key ``` 5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to step Step 2 and update this application to use the new key.  6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command: ``` aws iam delete-access-key ```",
+          "AuditProcedure": "Perform the following to determine if access keys are rotated as prescribed:  **From Console:**  1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click `setting` icon 4. Select `Console last sign-in` 5. Click `Close` 6. Ensure that `Access key age` is less than 90 days ago. note) `None` in the `Access key age` means the user has not used the access key.  **From Command Line:**  ``` aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d ``` The `access_key_1_last_rotated` field in this file notes The date and time, in ISO 8601 date-time format, when the user's access key was created or last changed. If the user does not have an active access key, the value in this field is N/A (not applicable).",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html"
         }
@@ -141,11 +142,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. \n\nOnly the third implementation is recommended.",
+          "Description": "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy.   Only the third implementation is recommended.",
           "RationaleStatement": "Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to create an IAM group and assign a policy to it:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. In the navigation pane, click `Groups` and then click `Create New Group` .\n3. In the `Group Name` box, type the name of the group and then click `Next Step` .\n4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step` .\n5. Click `Create Group` \n\nPerform the following to add a user to a given group:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. In the navigation pane, click `Groups` \n3. Select the group to add a user to\n4. Click `Add Users To Group` \n5. Select the users to be added to the group\n6. Click `Add Users` \n\nPerform the following to remove a direct association between a user and policy:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. In the left navigation pane, click on Users\n3. For each user:\n - Select the user\n - Click on the `Permissions` tab\n - Expand `Permissions policies` \n - Click `X` for each policy; then click Detach or Remove (depending on policy type)",
-          "AuditProcedure": "Perform the following to determine if an inline policy is set or a policy is directly attached to users:\n\n1. Run the following to get a list of IAM users:\n```\n aws iam list-users --query 'Users[*].UserName' --output text \n```\n2. For each user returned, run the following command to determine if any policies are attached to them:\n```\n aws iam list-attached-user-policies --user-name <iam_user>\n aws iam list-user-policies --user-name <iam_user> \n```\n3. If any policies are returned, the user has an inline policy or direct policy attachment.",
+          "RemediationProcedure": "Perform the following to create an IAM group and assign a policy to it:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups` and then click `Create New Group` . 3. In the `Group Name` box, type the name of the group and then click `Next Step` . 4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step` . 5. Click `Create Group`   Perform the following to add a user to a given group:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups`  3. Select the group to add a user to 4. Click `Add Users To Group`  5. Select the users to be added to the group 6. Click `Add Users`   Perform the following to remove a direct association between a user and policy:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left navigation pane, click on Users 3. For each user:  - Select the user  - Click on the `Permissions` tab  - Expand `Permissions policies`   - Click `X` for each policy; then click Detach or Remove (depending on policy type)",
+          "AuditProcedure": "Perform the following to determine if an inline policy is set or a policy is directly attached to users:  1. Run the following to get a list of IAM users: ```  aws iam list-users --query 'Users[*].UserName' --output text  ``` 2. For each user returned, run the following command to determine if any policies are attached to them: ```  aws iam list-attached-user-policies --user-name <iam_user>  aws iam list-user-policies --user-name <iam_user>  ``` 3. If any policies are returned, the user has an inline policy or direct policy attachment.",
           "AdditionalInformation": "",
           "References": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html"
         }
@@ -164,10 +165,10 @@
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
           "Description": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant _least privilege_ -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform _only_ those tasks, instead of allowing full administrative privileges.",
-          "RationaleStatement": "It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.\n\nProviding full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.\n\nIAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"\\*\" over \"Resource\": \"\\*\" should be removed.",
+          "RationaleStatement": "It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.  Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.  IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"\\*\" over \"Resource\": \"\\*\" should be removed.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\nPerform the following to detach the policy that has full administrative privileges:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. In the navigation pane, click Policies and then search for the policy name found in the audit step.\n3. Select the policy that needs to be deleted.\n4. In the policy action menu, select first `Detach` \n5. Select all Users, Groups, Roles that have this policy attached\n6. Click `Detach Policy` \n7. In the policy action menu, select `Detach` \n\n**From Command Line:**\n\nPerform the following to detach the policy that has full administrative privileges as found in the audit step:\n\n1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.\n\n```\n aws iam list-entities-for-policy --policy-arn <policy_arn>\n```\n2. Detach the policy from all IAM Users:\n```\n aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>\n```\n3. Detach the policy from all IAM Groups:\n```\n aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>\n```\n4. Detach the policy from all IAM Roles:\n```\n aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>\n```",
-          "AuditProcedure": "Perform the following to determine what policies are created:\n\n**From Command Line:**\n\n1. Run the following to get a list of IAM policies:\n```\n aws iam list-policies --only-attached --output text\n```\n2. For each policy returned, run the following command to determine if any policies is allowing full administrative privileges on the account:\n```\n aws iam get-policy-version --policy-arn <policy_arn> --version-id <version>\n```\n3. In output ensure policy should not have any Statement block with `\"Effect\": \"Allow\"` and `Action` set to `\"*\"` and `Resource` set to `\"*\"`",
+          "RemediationProcedure": "**From Console:**  Perform the following to detach the policy that has full administrative privileges:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click Policies and then search for the policy name found in the audit step. 3. Select the policy that needs to be deleted. 4. In the policy action menu, select first `Detach`  5. Select all Users, Groups, Roles that have this policy attached 6. Click `Detach Policy`  7. In the policy action menu, select `Detach`   **From Command Line:**  Perform the following to detach the policy that has full administrative privileges as found in the audit step:  1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.  ```  aws iam list-entities-for-policy --policy-arn <policy_arn> ``` 2. Detach the policy from all IAM Users: ```  aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn> ``` 3. Detach the policy from all IAM Groups: ```  aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn> ``` 4. Detach the policy from all IAM Roles: ```  aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn> ```",
+          "AuditProcedure": "Perform the following to determine what policies are created:  **From Command Line:**  1. Run the following to get a list of IAM policies: ```  aws iam list-policies --only-attached --output text ``` 2. For each policy returned, run the following command to determine if any policies is allowing full administrative privileges on the account: ```  aws iam get-policy-version --policy-arn <policy_arn> --version-id <version> ``` 3. In output ensure policy should not have any Statement block with `\"Effect\": \"Allow\"` and `Action` set to `\"*\"` and `Resource` set to `\"*\"`",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam"
         }
@@ -187,8 +188,8 @@
           "Description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.",
           "RationaleStatement": "By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.",
           "ImpactStatement": "All AWS Support plans include an unlimited number of account and billing support cases, with no long-term contracts. Support billing calculations are performed on a per-account basis for all plans. Enterprise Support plan customers have the option to include multiple enabled accounts in an aggregated monthly billing calculation. Monthly charges for the Business and Enterprise support plans are based on each month's AWS usage charges, subject to a monthly minimum, billed in advance.",
-          "RemediationProcedure": "**From Command Line:**\n\n1. Create an IAM role for managing incidents with AWS:\n - Create a trust relationship policy document that allows <iam_user> to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:\n```\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"<iam_user>\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n }\n```\n2. Create the IAM role using the above trust policy:\n```\naws iam create-role --role-name <aws_support_iam_role> --assume-role-policy-document file:///tmp/TrustPolicy.json\n```\n3. Attach 'AWSSupportAccess' managed policy to the created IAM role:\n```\naws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name <aws_support_iam_role>\n```",
-          "AuditProcedure": "**From Command Line:**\n\n1. List IAM policies, filter for the 'AWSSupportAccess' managed policy, and note the \"Arn\" element value:\n```\naws iam list-policies --query \"Policies[?PolicyName == 'AWSSupportAccess']\"\n```\n2. Check if the 'AWSSupportAccess' policy is attached to any role:\n\n```\naws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess\n```\n\n3. In Output, Ensure `PolicyRoles` does not return empty. 'Example: Example: PolicyRoles: [ ]'\n\nIf it returns empty refer to the remediation below.",
+          "RemediationProcedure": "**From Command Line:**  1. Create an IAM role for managing incidents with AWS:  - Create a trust relationship policy document that allows <iam_user> to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json: ```  {  \"Version\": \"2012-10-17\",  \"Statement\": [  {  \"Effect\": \"Allow\",  \"Principal\": {  \"AWS\": \"<iam_user>\"  },  \"Action\": \"sts:AssumeRole\"  }  ]  } ``` 2. Create the IAM role using the above trust policy: ``` aws iam create-role --role-name <aws_support_iam_role> --assume-role-policy-document file:///tmp/TrustPolicy.json ``` 3. Attach 'AWSSupportAccess' managed policy to the created IAM role: ``` aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name <aws_support_iam_role> ```",
+          "AuditProcedure": "**From Command Line:**  1. List IAM policies, filter for the 'AWSSupportAccess' managed policy, and note the \"Arn\" element value: ``` aws iam list-policies --query \"Policies[?PolicyName == 'AWSSupportAccess']\" ``` 2. Check if the 'AWSSupportAccess' policy is attached to any role:  ``` aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess ```  3. In Output, Ensure `PolicyRoles` does not return empty. 'Example: Example: PolicyRoles: [ ]'  If it returns empty refer to the remediation below.",
           "AdditionalInformation": "AWSSupportAccess policy is a global AWS resource. It has same ARN as `arn:aws:iam::aws:policy/AWSSupportAccess` for every account.",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://aws.amazon.com/premiumsupport/pricing/:https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html:https://docs.aws.amazon.com/cli/latest/reference/iam/attach-role-policy.html:https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html"
         }
@@ -206,10 +207,10 @@
           "Profile": "Level 2",
           "AssessmentStatus": "Manual",
           "Description": "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \"AWS Access\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.",
-          "RationaleStatement": "AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it.\n\nAdditionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.",
+          "RationaleStatement": "AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it.  Additionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.",
           "ImpactStatement": "",
-          "RemediationProcedure": "IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create a new instance.\n\nIf the instance has no external dependencies on its current private ip or public addresses are elastic IPs:\n\n1. In AWS IAM create a new role. Assign a permissions policy if needed permissions are already known.\n2. In the AWS console launch a new instance with identical settings to the existing instance, and ensure that the newly created role is selected.\n3. Shutdown both the existing instance and the new instance.\n4. Detach disks from both instances.\n5. Attach the existing instance disks to the new instance.\n6. Boot the new instance and you should have the same machine, but with the associated role.\n\n**Note:** if your environment has dependencies on a dynamically assigned PRIVATE IP address you can create an AMI from the existing instance, destroy the old one and then when launching from the AMI, manually assign the previous private IP address.\n\n**Note: **if your environment has dependencies on a dynamically assigned PUBLIC IP address there is not a way ensure the address is retained and assign an instance role. Dependencies on dynamically assigned public IP addresses are a bad practice and, if possible, you may wish to rebuild the instance with a new elastic IP address and make the investment to remediate affected systems while assigning the system to a role.",
-          "AuditProcedure": "Where an instance is associated with a Role:\n\nFor instances that are known to perform AWS actions, ensure that they belong to an instance role that has the necessary permissions:\n\n1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)\n2. Open the EC2 Dashboard and choose \"Instances\"\n3. Click the EC2 instance that performs AWS actions, in the lower pane details find \"IAM Role\"\n4. If the Role is blank, the instance is not assigned to one.\n5. If the Role is filled in, it does not mean the instance might not \\*also\\* have credentials encoded on it for some activities.\n\nWhere an Instance Contains Embedded Credentials:\n\n- On the instance that is known to perform AWS actions, audit all scripts and environment variables to ensure that none of them contain AWS credentials.\n\nWhere an Instance Application Contains Embedded Credentials:\n\n- Applications that run on an instance may also have credentials embedded. This is a bad practice, but even worse if the source code is stored in a public code repository such as github. When an application contains credentials can be determined by eliminating all other sources of credentials and if the application can still access AWS resources - it likely contains embedded credentials. Another method is to examine all source code and configuration files of the application.",
+          "RemediationProcedure": "IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create a new instance.  If the instance has no external dependencies on its current private ip or public addresses are elastic IPs:  1. In AWS IAM create a new role. Assign a permissions policy if needed permissions are already known. 2. In the AWS console launch a new instance with identical settings to the existing instance, and ensure that the newly created role is selected. 3. Shutdown both the existing instance and the new instance. 4. Detach disks from both instances. 5. Attach the existing instance disks to the new instance. 6. Boot the new instance and you should have the same machine, but with the associated role.  **Note:** if your environment has dependencies on a dynamically assigned PRIVATE IP address you can create an AMI from the existing instance, destroy the old one and then when launching from the AMI, manually assign the previous private IP address.  **Note: **if your environment has dependencies on a dynamically assigned PUBLIC IP address there is not a way ensure the address is retained and assign an instance role. Dependencies on dynamically assigned public IP addresses are a bad practice and, if possible, you may wish to rebuild the instance with a new elastic IP address and make the investment to remediate affected systems while assigning the system to a role.",
+          "AuditProcedure": "Where an instance is associated with a Role:  For instances that are known to perform AWS actions, ensure that they belong to an instance role that has the necessary permissions:  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Open the EC2 Dashboard and choose \"Instances\" 3. Click the EC2 instance that performs AWS actions, in the lower pane details find \"IAM Role\" 4. If the Role is blank, the instance is not assigned to one. 5. If the Role is filled in, it does not mean the instance might not \\*also\\* have credentials encoded on it for some activities.  Where an Instance Contains Embedded Credentials:  - On the instance that is known to perform AWS actions, audit all scripts and environment variables to ensure that none of them contain AWS credentials.  Where an Instance Application Contains Embedded Credentials:  - Applications that run on an instance may also have credentials embedded. This is a bad practice, but even worse if the source code is stored in a public code repository such as github. When an application contains credentials can be determined by eliminating all other sources of credentials and if the application can still access AWS resources - it likely contains embedded credentials. Another method is to examine all source code and configuration files of the application.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html"
         }
@@ -226,11 +227,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. \nUse IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.",
+          "Description": "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates.  Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.",
           "RationaleStatement": "Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.",
-          "ImpactStatement": "Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc.\nOne has to make configurations at respective services to ensure there is no interruption in application functionality.",
-          "RemediationProcedure": "**From Console:**\n\nRemoving expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).\n\n**From Command Line:**\n\nTo delete Expired Certificate run following command by replacing <CERTIFICATE_NAME> with the name of the certificate to delete:\n\n```\naws iam delete-server-certificate --server-certificate-name <CERTIFICATE_NAME>\n```\n\nWhen the preceding command is successful, it does not return any output.",
-          "AuditProcedure": "**From Console:**\n\nGetting the certificates expiration information via AWS Management Console is not currently supported. \nTo request information about the SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).\n\n**From Command Line:**\n\nRun list-server-certificates command to list all the IAM-stored server certificates:\n\n```\naws iam list-server-certificates\n```\n\nThe command output should return an array that contains all the SSL/TLS certificates currently stored in IAM and their metadata (name, ID, expiration date, etc):\n\n```\n{\n \"ServerCertificateMetadataList\": [\n {\n \"ServerCertificateId\": \"EHDGFRW7EJFYTE88D\",\n \"ServerCertificateName\": \"MyServerCertificate\",\n \"Expiration\": \"2018-07-10T23:59:59Z\",\n \"Path\": \"/\",\n \"Arn\": \"arn:aws:iam::012345678910:server-certificate/MySSLCertificate\",\n \"UploadDate\": \"2018-06-10T11:56:08Z\"\n }\n ]\n}\n```\n\nVerify the `ServerCertificateName` and `Expiration` parameter value (expiration date) for each SSL/TLS certificate returned by the list-server-certificates command and determine if there are any expired server certificates currently stored in AWS IAM. If so, use the AWS API to remove them.\n\nIf this command returns:\n```\n{ { \"ServerCertificateMetadataList\": [] }\n```\nThis means that there are no expired certificates, It DOES NOT mean that no certificates exist.",
+          "ImpactStatement": "Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc. One has to make configurations at respective services to ensure there is no interruption in application functionality.",
+          "RemediationProcedure": "**From Console:**  Removing expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).  **From Command Line:**  To delete Expired Certificate run following command by replacing <CERTIFICATE_NAME> with the name of the certificate to delete:  ``` aws iam delete-server-certificate --server-certificate-name <CERTIFICATE_NAME> ```  When the preceding command is successful, it does not return any output.",
+          "AuditProcedure": "**From Console:**  Getting the certificates expiration information via AWS Management Console is not currently supported.  To request information about the SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).  **From Command Line:**  Run list-server-certificates command to list all the IAM-stored server certificates:  ``` aws iam list-server-certificates ```  The command output should return an array that contains all the SSL/TLS certificates currently stored in IAM and their metadata (name, ID, expiration date, etc):  ``` {  \"ServerCertificateMetadataList\": [  {  \"ServerCertificateId\": \"EHDGFRW7EJFYTE88D\",  \"ServerCertificateName\": \"MyServerCertificate\",  \"Expiration\": \"2018-07-10T23:59:59Z\",  \"Path\": \"/\",  \"Arn\": \"arn:aws:iam::012345678910:server-certificate/MySSLCertificate\",  \"UploadDate\": \"2018-06-10T11:56:08Z\"  }  ] } ```  Verify the `ServerCertificateName` and `Expiration` parameter value (expiration date) for each SSL/TLS certificate returned by the list-server-certificates command and determine if there are any expired server certificates currently stored in AWS IAM. If so, use the AWS API to remove them.  If this command returns: ``` { { \"ServerCertificateMetadataList\": [] } ``` This means that there are no expired certificates, It DOES NOT mean that no certificates exist.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html:https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html"
         }
@@ -250,8 +251,8 @@
           "Description": "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided.",
           "RationaleStatement": "Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to establish security contact information:\n\n**From Console:**\n\n1. Click on your account name at the top right corner of the console.\n2. From the drop-down menu Click `My Account` \n3. Scroll down to the `Alternate Contacts` section\n4. Enter contact information in the `Security` section\n\n**Note:** Consider specifying an internal email distribution list to ensure emails are regularly monitored by more than one individual.",
-          "AuditProcedure": "Perform the following to determine if security contact information is present:\n\n**From Console:**\n\n1. Click on your account name at the top right corner of the console\n2. From the drop-down menu Click `My Account` \n3. Scroll down to the `Alternate Contacts` section\n4. Ensure contact information is specified in the `Security` section",
+          "RemediationProcedure": "Perform the following to establish security contact information:  **From Console:**  1. Click on your account name at the top right corner of the console. 2. From the drop-down menu Click `My Account`  3. Scroll down to the `Alternate Contacts` section 4. Enter contact information in the `Security` section  **Note:** Consider specifying an internal email distribution list to ensure emails are regularly monitored by more than one individual.",
+          "AuditProcedure": "Perform the following to determine if security contact information is present:  **From Console:**  1. Click on your account name at the top right corner of the console 2. From the drop-down menu Click `My Account`  3. Scroll down to the `Alternate Contacts` section 4. Ensure contact information is specified in the `Security` section",
           "AdditionalInformation": "",
           "References": ""
         }
@@ -268,11 +269,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "Enable IAM Access analyzer for IAM policies about all resources in each region.\n\nIAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access.\nAccess Analyzer analyzes only policies that are applied to resources in the same AWS Region.",
+          "Description": "Enable IAM Access analyzer for IAM policies about all resources in each region.  IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region.",
           "RationaleStatement": "AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. IAM Access Analyzer continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service) keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\nPerform the following to enable IAM Access analyzer for IAM policies:\n\n1. Open the IAM console at `https://console.aws.amazon.com/iam/.`\n2. Choose `Access analyzer`.\n3. Choose `Create analyzer`.\n4. On the `Create analyzer` page, confirm that the `Region` displayed is the Region where you want to enable Access Analyzer.\n5. Enter a name for the analyzer. `Optional as it will generate a name for you automatically`.\n6. Add any tags that you want to apply to the analyzer. `Optional`. \n7. Choose `Create Analyzer`.\n8. Repeat these step for each active region\n\n**From Command Line:**\n\nRun the following command:\n```\naws accessanalyzer create-analyzer --analyzer-name <NAME> --type <ACCOUNT|ORGANIZATION>\n```\nRepeat this command above for each active region.\n\n**Note:** The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.",
-          "AuditProcedure": "**From Console:**\n\n1. Open the IAM console at `https://console.aws.amazon.com/iam/`\n2. Choose `Access analyzer`\n3. Click 'Analyzers'\n4. Ensure that at least one analyzer is present\n5. Ensure that the `STATUS` is set to `Active`\n6. Repeat these step for each active region\n\n**From Command Line:**\n\n1. Run the following command:\n```\naws accessanalyzer list-analyzers | grep status\n```\n2. Ensure that at least one Analyzer the `status` is set to `ACTIVE`\n\n3. Repeat the steps above for each active region.\n\nIf an Access analyzer is not listed for each region or the status is not set to active refer to the remediation procedure below.",
+          "RemediationProcedure": "**From Console:**  Perform the following to enable IAM Access analyzer for IAM policies:  1. Open the IAM console at `https://console.aws.amazon.com/iam/.` 2. Choose `Access analyzer`. 3. Choose `Create analyzer`. 4. On the `Create analyzer` page, confirm that the `Region` displayed is the Region where you want to enable Access Analyzer. 5. Enter a name for the analyzer. `Optional as it will generate a name for you automatically`. 6. Add any tags that you want to apply to the analyzer. `Optional`.  7. Choose `Create Analyzer`. 8. Repeat these step for each active region  **From Command Line:**  Run the following command: ``` aws accessanalyzer create-analyzer --analyzer-name <NAME> --type <ACCOUNT|ORGANIZATION> ``` Repeat this command above for each active region.  **Note:** The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.",
+          "AuditProcedure": "**From Console:**  1. Open the IAM console at `https://console.aws.amazon.com/iam/` 2. Choose `Access analyzer` 3. Click 'Analyzers' 4. Ensure that at least one analyzer is present 5. Ensure that the `STATUS` is set to `Active` 6. Repeat these step for each active region  **From Command Line:**  1. Run the following command: ``` aws accessanalyzer list-analyzers | grep status ``` 2. Ensure that at least one Analyzer the `status` is set to `ACTIVE`  3. Repeat the steps above for each active region.  If an Access analyzer is not listed for each region or the status is not set to active refer to the remediation procedure below.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/get-analyzer.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/create-analyzer.html"
         }
@@ -293,7 +294,7 @@
           "RationaleStatement": "Centralizing IAM user management to a single identity store reduces complexity and thus the likelihood of access management errors.",
           "ImpactStatement": "",
           "RemediationProcedure": "The remediation procedure will vary based on the individual organization's implementation of identity federation and/or AWS Organizations with the acceptance criteria that no non-service IAM users, and non-root accounts, are present outside the account providing centralized IAM user management.",
-          "AuditProcedure": "For multi-account AWS environments with an external identity provider... \n\n1. Determine the master account for identity federation or IAM user management\n2. Login to that account through the AWS Management Console\n3. Click `Services` \n4. Click `IAM` \n5. Click `Identity providers`\n6. Verify the configuration\n\nThen..., determine all accounts that should not have local users present. For each account...\n\n1. Determine all accounts that should not have local users present\n2. Log into the AWS Management Console\n3. Switch role into each identified account\n4. Click `Services` \n5. Click `IAM` \n6. Click `Users`\n7. Confirm that no IAM users representing individuals are present\n\nFor multi-account AWS environments implementing AWS Organizations without an external identity provider... \n\n1. Determine all accounts that should not have local users present\n2. Log into the AWS Management Console\n3. Switch role into each identified account\n4. Click `Services` \n5. Click `IAM` \n6. Click `Users`\n7. Confirm that no IAM users representing individuals are present",
+          "AuditProcedure": "For multi-account AWS environments with an external identity provider...   1. Determine the master account for identity federation or IAM user management 2. Login to that account through the AWS Management Console 3. Click `Services`  4. Click `IAM`  5. Click `Identity providers` 6. Verify the configuration  Then..., determine all accounts that should not have local users present. For each account...  1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`  5. Click `IAM`  6. Click `Users` 7. Confirm that no IAM users representing individuals are present  For multi-account AWS environments implementing AWS Organizations without an external identity provider...   1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`  5. Click `IAM`  6. Click `Users` 7. Confirm that no IAM users representing individuals are present",
           "AdditionalInformation": "",
           "References": ""
         }
@@ -313,8 +314,8 @@
           "Description": "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.",
           "RationaleStatement": "When creating a new AWS account, a default super user is automatically created. This account is referred to as the 'root user' or 'root' account. It is recommended that the use of this account be limited and highly controlled. During events in which the 'root' password is no longer accessible or the MFA token associated with 'root' is lost/destroyed it is possible, through authentication using secret questions and associated answers, to recover 'root' user login access.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to the AWS Account as the 'root' user\n2. Click on the _<Root\\_Account\\_Name>_ from the top right of the console\n3. From the drop-down menu Click _My Account_\n4. Scroll down to the `Configure Security Questions` section\n5. Click on `Edit` \n6. Click on each `Question` \n - From the drop-down select an appropriate question\n - Click on the `Answer` section\n - Enter an appropriate answer \n - Follow process for all 3 questions\n7. Click `Update` when complete\n8. Save Questions and Answers and place in a secure physical location",
-          "AuditProcedure": "**From Console:**\n\n1. Login to the AWS account as the 'root' user\n2. On the top right you will see the _<Root\\_Account\\_Name>_\n3. Click on the _<Root\\_Account\\_Name>_\n4. From the drop-down menu Click `My Account` \n5. In the `Configure Security Challenge Questions` section on the `Personal Information` page, configure three security challenge questions.\n6. Click `Save questions` .",
+          "RemediationProcedure": "**From Console:**  1. Login to the AWS Account as the 'root' user 2. Click on the _<Root\\_Account\\_Name>_ from the top right of the console 3. From the drop-down menu Click _My Account_ 4. Scroll down to the `Configure Security Questions` section 5. Click on `Edit`  6. Click on each `Question`   - From the drop-down select an appropriate question  - Click on the `Answer` section  - Enter an appropriate answer   - Follow process for all 3 questions 7. Click `Update` when complete 8. Save Questions and Answers and place in a secure physical location",
+          "AuditProcedure": "**From Console:**  1. Login to the AWS account as the 'root' user 2. On the top right you will see the _<Root\\_Account\\_Name>_ 3. Click on the _<Root\\_Account\\_Name>_ 4. From the drop-down menu Click `My Account`  5. In the `Configure Security Challenge Questions` section on the `Personal Information` page, configure three security challenge questions. 6. Click `Save questions` .",
           "AdditionalInformation": "",
           "References": ""
         }
@@ -334,8 +335,8 @@
           "Description": "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be removed.",
           "RationaleStatement": "Removing access keys associated with the 'root' user account limits vectors by which the account can be compromised. Additionally, removing the 'root' access keys encourages the creation and use of role based accounts that are least privileged.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to delete or disable active 'root' user access keys\n\n**From Console:**\n\n1. Sign in to the AWS Management Console as 'root' and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. Click on _<Root\\_Account\\_Name>_ at the top right and select `My Security Credentials` from the drop down list\n3. On the pop out screen Click on `Continue to Security Credentials` \n4. Click on `Access Keys` _(Access Key ID and Secret Access Key)_\n5. Under the `Status` column if there are any Keys which are Active\n - Click on `Make Inactive` - (Temporarily disable Key - may be needed again)\n - Click `Delete` - (Deleted keys cannot be recovered)",
-          "AuditProcedure": "Perform the following to determine if the 'root' user account has access keys:\n\n**From Console:**\n\n1. Login to the AWS Management Console\n2. Click `Services` \n3. Click `IAM` \n4. Click on `Credential Report` \n5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file\n6. For the `<root_account>` user, ensure the `access_key_1_active` and `access_key_2_active` fields are set to `FALSE` .\n\n**From Command Line:**\n\nRun the following command:\n```\n aws iam get-account-summary | grep \"AccountAccessKeysPresent\" \n```\nIf no 'root' access keys exist the output will show \"AccountAccessKeysPresent\": 0,. \n\nIf the output shows a \"1\" than 'root' keys exist, refer to the remediation procedure below.",
+          "RemediationProcedure": "Perform the following to delete or disable active 'root' user access keys  **From Console:**  1. Sign in to the AWS Management Console as 'root' and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. Click on _<Root\\_Account\\_Name>_ at the top right and select `My Security Credentials` from the drop down list 3. On the pop out screen Click on `Continue to Security Credentials`  4. Click on `Access Keys` _(Access Key ID and Secret Access Key)_ 5. Under the `Status` column if there are any Keys which are Active  - Click on `Make Inactive` - (Temporarily disable Key - may be needed again)  - Click `Delete` - (Deleted keys cannot be recovered)",
+          "AuditProcedure": "Perform the following to determine if the 'root' user account has access keys:  **From Console:**  1. Login to the AWS Management Console 2. Click `Services`  3. Click `IAM`  4. Click on `Credential Report`  5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `<root_account>` user, ensure the `access_key_1_active` and `access_key_2_active` fields are set to `FALSE` .  **From Command Line:**  Run the following command: ```  aws iam get-account-summary | grep \"AccountAccessKeysPresent\"  ``` If no 'root' access keys exist the output will show \"AccountAccessKeysPresent\": 0,.   If the output shows a \"1\" than 'root' keys exist, refer to the remediation procedure below.",
           "AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions is not enabled by default. However, on request to AWS support enables 'root' access only through access-keys (CLI, API methods) for us-gov cloud region.",
           "References": "http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html:https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/"
         }
@@ -352,11 +353,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.\n\n**Note:** When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. (\"non-personal virtual MFA\") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.",
+          "Description": "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.  **Note:** When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. (\"non-personal virtual MFA\") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.",
           "RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to establish MFA for the 'root' user account:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n\n Note: to manage MFA devices for the 'root' AWS account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.\n\n2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account.\n3. Choose `Activate MFA` \n4. In the wizard, choose `A virtual MFA` device and then choose `Next Step` .\n5. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.\n6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](http://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications).) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).\n7. Determine whether the MFA app supports QR codes, and then do one of the following:\n\n - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.\n - In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.\n\nWhen you are finished, the virtual MFA device starts generating one-time passwords.\n\nIn the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Assign Virtual MFA.",
-          "AuditProcedure": "Perform the following to determine if the 'root' user account has MFA setup:\n\n**From Console:**\n\n1. Login to the AWS Management Console\n2. Click `Services` \n3. Click `IAM` \n4. Click on `Credential Report` \n5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file\n6. For the `<root_account>` user, ensure the `mfa_active` field is set to `TRUE` .\n\n**From Command Line:**\n\n1. Run the following command:\n```\n aws iam get-account-summary | grep \"AccountMFAEnabled\"\n```\n2. Ensure the AccountMFAEnabled property is set to 1",
+          "RemediationProcedure": "Perform the following to establish MFA for the 'root' user account:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).   Note: to manage MFA devices for the 'root' AWS account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.  2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`  4. In the wizard, choose `A virtual MFA` device and then choose `Next Step` . 5. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](http://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications).) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following:   - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.  - In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.  When you are finished, the virtual MFA device starts generating one-time passwords.  In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Assign Virtual MFA.",
+          "AuditProcedure": "Perform the following to determine if the 'root' user account has MFA setup:  **From Console:**  1. Login to the AWS Management Console 2. Click `Services`  3. Click `IAM`  4. Click on `Credential Report`  5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `<root_account>` user, ensure the `mfa_active` field is set to `TRUE` .  **From Command Line:**  1. Run the following command: ```  aws iam get-account-summary | grep \"AccountMFAEnabled\" ``` 2. Ensure the AccountMFAEnabled property is set to 1",
           "AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions does not have console access. This recommendation is not applicable for us-gov cloud regions.",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root"
         }
@@ -374,10 +375,10 @@
           "Profile": "Level 2",
           "AssessmentStatus": "Automated",
           "Description": "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the 'root' user account be protected with a hardware MFA.",
-          "RationaleStatement": "A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.\n\n**Note**: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.",
+          "RationaleStatement": "A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.  **Note**: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to establish a hardware MFA for the 'root' user account:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\nNote: to manage MFA devices for the AWS 'root' user account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.\n2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account.\n3. Choose `Activate MFA` \n4. In the wizard, choose `A hardware MFA` device and then choose `Next Step` .\n5. In the `Serial Number` box, enter the serial number that is found on the back of the MFA device.\n6. In the `Authentication Code 1` box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number.\n7. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the `Authentication Code 2` box. You might need to press the button on the front of the device again to display the second number.\n8. Choose `Next Step` . The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.\n\nRemediation for this recommendation is not available through AWS CLI.",
-          "AuditProcedure": "Perform the following to determine if the 'root' user account has a hardware MFA setup:\n\n1. Run the following command to determine if the 'root' account has MFA setup:\n```\n aws iam get-account-summary | grep \"AccountMFAEnabled\"\n```\n\nThe `AccountMFAEnabled` property is set to `1` will ensure that the 'root' user account has MFA (Virtual or Hardware) Enabled.\nIf `AccountMFAEnabled` property is set to `0` the account is not compliant with this recommendation.\n\n2. If `AccountMFAEnabled` property is set to `1`, determine 'root' account has Hardware MFA enabled.\nRun the following command to list all virtual MFA devices:\n```\n aws iam list-virtual-mfa-devices \n```\nIf the output contains one MFA with the following Serial Number, it means the MFA is virtual, not hardware and the account is not compliant with this recommendation:\n\n `\"SerialNumber\": \"arn:aws:iam::_<aws_account_number>_:mfa/root-account-mfa-device\"`",
+          "RemediationProcedure": "Perform the following to establish a hardware MFA for the 'root' user account:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the AWS 'root' user account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials. 2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`  4. In the wizard, choose `A hardware MFA` device and then choose `Next Step` . 5. In the `Serial Number` box, enter the serial number that is found on the back of the MFA device. 6. In the `Authentication Code 1` box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number. 7. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the `Authentication Code 2` box. You might need to press the button on the front of the device again to display the second number. 8. Choose `Next Step` . The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.  Remediation for this recommendation is not available through AWS CLI.",
+          "AuditProcedure": "Perform the following to determine if the 'root' user account has a hardware MFA setup:  1. Run the following command to determine if the 'root' account has MFA setup: ```  aws iam get-account-summary | grep \"AccountMFAEnabled\" ```  The `AccountMFAEnabled` property is set to `1` will ensure that the 'root' user account has MFA (Virtual or Hardware) Enabled. If `AccountMFAEnabled` property is set to `0` the account is not compliant with this recommendation.  2. If `AccountMFAEnabled` property is set to `1`, determine 'root' account has Hardware MFA enabled. Run the following command to list all virtual MFA devices: ```  aws iam list-virtual-mfa-devices  ``` If the output contains one MFA with the following Serial Number, it means the MFA is virtual, not hardware and the account is not compliant with this recommendation:   `\"SerialNumber\": \"arn:aws:iam::_<aws_account_number>_:mfa/root-account-mfa-device\"`",
           "AdditionalInformation": "IAM User account 'root' for us-gov cloud regions does not have console access. This control is not applicable for us-gov cloud regions.",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html#enable-hw-mfa-for-root"
         }
@@ -397,9 +398,9 @@
           "Description": "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.",
           "RationaleStatement": "The 'root user' has unrestricted access to and control over all account resources. Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.",
           "ImpactStatement": "",
-          "RemediationProcedure": "If you find that the 'root' user account is being used for daily activity to include administrative tasks that do not require the 'root' user:\n\n1. Change the 'root' user password.\n2. Deactivate or delete any access keys associate with the 'root' user.\n\n**Remember, anyone who has 'root' user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.",
-          "AuditProcedure": "**From Console:**\n\n1. Login to the AWS Management Console at `https://console.aws.amazon.com/iam/`\n2. In the left pane, click `Credential Report`\n3. Click on `Download Report`\n4. Open of Save the file locally\n5. Locate the `<root account>` under the user column\n6. Review `password_last_used, access_key_1_last_used_date, access_key_2_last_used_date` to determine when the 'root user' was last used.\n\n**From Command Line:**\n\nRun the following CLI commands to provide a credential report for determining the last time the 'root user' was used:\n```\naws iam generate-credential-report\n```\n```\naws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,5,11,16 | grep -B1 '<root_account>'\n```\n\nReview `password_last_used`, `access_key_1_last_used_date`, `access_key_2_last_used_date` to determine when the _root user_ was last used.\n\n**Note:** There are a few conditions under which the use of the 'root' user account is required. Please see the reference links for all of the tasks that require use of the 'root' user.",
-          "AdditionalInformation": "The 'root' user for us-gov cloud regions is not enabled by default. However, on request to AWS support, they can enable the 'root' user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. If the 'root' user for us-gov cloud regions is enabled, this recommendation is applicable.\n\nMonitoring usage of the 'root' user can be accomplished by implementing recommendation 3.3 Ensure a log metric filter and alarm exist for usage of the 'root' user.",
+          "RemediationProcedure": "If you find that the 'root' user account is being used for daily activity to include administrative tasks that do not require the 'root' user:  1. Change the 'root' user password. 2. Deactivate or delete any access keys associate with the 'root' user.  **Remember, anyone who has 'root' user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.",
+          "AuditProcedure": "**From Console:**  1. Login to the AWS Management Console at `https://console.aws.amazon.com/iam/` 2. In the left pane, click `Credential Report` 3. Click on `Download Report` 4. Open of Save the file locally 5. Locate the `<root account>` under the user column 6. Review `password_last_used, access_key_1_last_used_date, access_key_2_last_used_date` to determine when the 'root user' was last used.  **From Command Line:**  Run the following CLI commands to provide a credential report for determining the last time the 'root user' was used: ``` aws iam generate-credential-report ``` ``` aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,5,11,16 | grep -B1 '<root_account>' ```  Review `password_last_used`, `access_key_1_last_used_date`, `access_key_2_last_used_date` to determine when the _root user_ was last used.  **Note:** There are a few conditions under which the use of the 'root' user account is required. Please see the reference links for all of the tasks that require use of the 'root' user.",
+          "AdditionalInformation": "The 'root' user for us-gov cloud regions is not enabled by default. However, on request to AWS support, they can enable the 'root' user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. If the 'root' user for us-gov cloud regions is enabled, this recommendation is applicable.  Monitoring usage of the 'root' user can be accomplished by implementing recommendation 3.3 Ensure a log metric filter and alarm exist for usage of the 'root' user.",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html:https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html"
         }
       ]
@@ -418,8 +419,8 @@
           "Description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14.",
           "RationaleStatement": "Setting a password complexity policy increases account resiliency against brute force login attempts.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to set the password policy as prescribed:\n\n**From Console:**\n\n1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)\n2. Go to IAM Service on the AWS Console\n3. Click on Account Settings on the Left Pane\n4. Set \"Minimum password length\" to `14` or greater.\n5. Click \"Apply password policy\"\n\n**From Command Line:**\n```\n aws iam update-account-password-policy --minimum-password-length 14\n```\nNote: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.",
-          "AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:\n\n**From Console:**\n\n1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)\n2. Go to IAM Service on the AWS Console\n3. Click on Account Settings on the Left Pane\n4. Ensure \"Minimum password length\" is set to 14 or greater.\n\n**From Command Line:**\n```\naws iam get-account-password-policy\n```\nEnsure the output of the above command includes \"MinimumPasswordLength\": 14 (or higher)",
+          "RemediationProcedure": "Perform the following to set the password policy as prescribed:  **From Console:**  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Set \"Minimum password length\" to `14` or greater. 5. Click \"Apply password policy\"  **From Command Line:** ```  aws iam update-account-password-policy --minimum-password-length 14 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.",
+          "AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:  **From Console:**  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Minimum password length\" is set to 14 or greater.  **From Command Line:** ``` aws iam get-account-password-policy ``` Ensure the output of the above command includes \"MinimumPasswordLength\": 14 (or higher)",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy"
         }
@@ -439,8 +440,8 @@
           "Description": "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.",
           "RationaleStatement": "Preventing password reuse increases account resiliency against brute force login attempts.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to set the password policy as prescribed:\n\n**From Console:**\n\n1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)\n2. Go to IAM Service on the AWS Console\n3. Click on Account Settings on the Left Pane\n4. Check \"Prevent password reuse\"\n5. Set \"Number of passwords to remember\" is set to `24` \n\n**From Command Line:**\n```\n aws iam update-account-password-policy --password-reuse-prevention 24\n```\nNote: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.",
-          "AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:\n\n**From Console:**\n\n1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)\n2. Go to IAM Service on the AWS Console\n3. Click on Account Settings on the Left Pane\n4. Ensure \"Prevent password reuse\" is checked\n5. Ensure \"Number of passwords to remember\" is set to 24\n\n**From Command Line:**\n```\naws iam get-account-password-policy \n```\nEnsure the output of the above command includes \"PasswordReusePrevention\": 24",
+          "RemediationProcedure": "Perform the following to set the password policy as prescribed:  **From Console:**  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Check \"Prevent password reuse\" 5. Set \"Number of passwords to remember\" is set to `24`   **From Command Line:** ```  aws iam update-account-password-policy --password-reuse-prevention 24 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.",
+          "AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:  **From Console:**  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Prevent password reuse\" is checked 5. Ensure \"Number of passwords to remember\" is set to 24  **From Command Line:** ``` aws iam get-account-password-policy  ``` Ensure the output of the above command includes \"PasswordReusePrevention\": 24",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy"
         }
@@ -460,8 +461,8 @@
           "Description": "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.",
           "RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.",
           "ImpactStatement": "Amazon S3 buckets with default bucket encryption using SSE-KMS cannot be used as destination buckets for Amazon S3 server access logging. Only SSE-S3 default encryption is supported for server access log destination buckets.",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Select a Bucket.\n3. Click on 'Properties'.\n4. Click edit on `Default Encryption`.\n5. Select either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`.\n6. Click `Save`\n7. Repeat for all the buckets in your AWS account lacking encryption.\n\n**From Command Line:**\n\nRun either \n```\naws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}'\n```\n or \n```\naws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}'\n```\n\n**Note:** the KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.",
-          "AuditProcedure": "**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Select a Bucket.\n3. Click on 'Properties'.\n4. Verify that `Default Encryption` is enabled, and displays either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`.\n5. Repeat for all the buckets in your AWS account.\n\n**From Command Line:**\n\n1. Run command to list buckets\n```\naws s3 ls\n```\n2. For each bucket, run \n```\naws s3api get-bucket-encryption --bucket <bucket name>\n```\n3. Verify that either \n```\n\"SSEAlgorithm\": \"AES256\"\n```\n or \n```\n\"SSEAlgorithm\": \"aws:kms\"```\n is displayed.",
+          "RemediationProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Select a Bucket. 3. Click on 'Properties'. 4. Click edit on `Default Encryption`. 5. Select either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 6. Click `Save` 7. Repeat for all the buckets in your AWS account lacking encryption.  **From Command Line:**  Run either  ``` aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}' ```  or  ``` aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}' ```  **Note:** the KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.",
+          "AuditProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Select a Bucket. 3. Click on 'Properties'. 4. Verify that `Default Encryption` is enabled, and displays either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 5. Repeat for all the buckets in your AWS account.  **From Command Line:**  1. Run command to list buckets ``` aws s3 ls ``` 2. For each bucket, run  ``` aws s3api get-bucket-encryption --bucket <bucket name> ``` 3. Verify that either  ``` \"SSEAlgorithm\": \"AES256\" ```  or  ``` \"SSEAlgorithm\": \"aws:kms\"```  is displayed.",
           "AdditionalInformation": "S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does **not** encrypt objects previously stored within the bucket.",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html:https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources"
         }
@@ -481,8 +482,8 @@
           "Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.",
           "RationaleStatement": "By default, Amazon S3 allows both HTTP and HTTPS requests. To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/\n2. Select the Check box next to the Bucket.\n3. Click on 'Permissions'.\n4. Click 'Bucket Policy'\n5. Add this to the existing policy filling in the required information\n```\n{\n \"Sid\": <optional>\",\n \"Effect\": \"Deny\",\n \"Principal\": \"*\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n }\n```\n6. Save\n7. Repeat for all the buckets in your AWS account that contain sensitive data.\n\n**From Console** \n\nusing AWS Policy Generator:\n\n1. Repeat steps 1-4 above.\n2. Click on `Policy Generator` at the bottom of the Bucket Policy Editor\n3. Select Policy Type\n`S3 Bucket Policy`\n4. Add Statements\n- `Effect` = Deny\n- `Principal` = *\n- `AWS Service` = Amazon S3\n- `Actions` = *\n- `Amazon Resource Name` = <ARN of the S3 Bucket>\n5. Generate Policy\n6. Copy the text and add it to the Bucket Policy.\n\n**From Command Line:**\n\n1. Export the bucket policy to a json file.\n```\naws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text > policy.json\n```\n\n2. Modify the policy.json file by adding in this statement:\n```\n{\n \"Sid\": <optional>\",\n \"Effect\": \"Deny\",\n \"Principal\": \"*\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n }\n```\n3. Apply this modified policy back to the S3 bucket:\n```\naws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json\n```",
-          "AuditProcedure": "To allow access to HTTPS you can use a condition that checks for the key `\"aws:SecureTransport: true\"`. This means that the request is sent through HTTPS but that HTTP can still be used. So to make sure you do not allow HTTP access confirm that there is a bucket policy that explicitly denies access for HTTP requests and that it contains the key \"aws:SecureTransport\": \"false\".\n\n**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/\n2. Select the Check box next to the Bucket.\n3. Click on 'Permissions', then Click on `Bucket Policy`.\n4. Ensure that a policy is listed that matches:\n```\n'{\n \"Sid\": <optional>,\n \"Effect\": \"Deny\",\n \"Principal\": \"*\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }'\n```\n`<optional>` and `<bucket_name>` will be specific to your account\n\n5. Repeat for all the buckets in your AWS account.\n\n**From Command Line:**\n\n1. List all of the S3 Buckets \n```\naws s3 ls\n```\n2. Using the list of buckets run this command on each of them:\n```\naws s3api get-bucket-policy --bucket <bucket_name> | grep aws:SecureTransport\n```\n3. Confirm that `aws:SecureTransport` is set to false `aws:SecureTransport:false`\n4. Confirm that the policy line has Effect set to Deny 'Effect:Deny'",
+          "RemediationProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions'. 4. Click 'Bucket Policy' 5. Add this to the existing policy filling in the required information ``` {  \"Sid\": <optional>\",  \"Effect\": \"Deny\",  \"Principal\": \"*\",  \"Action\": \"s3:*\",  \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",  \"Condition\": {  \"Bool\": {  \"aws:SecureTransport\": \"false\"  }  }  } ``` 6. Save 7. Repeat for all the buckets in your AWS account that contain sensitive data.  **From Console**   using AWS Policy Generator:  1. Repeat steps 1-4 above. 2. Click on `Policy Generator` at the bottom of the Bucket Policy Editor 3. Select Policy Type `S3 Bucket Policy` 4. Add Statements - `Effect` = Deny - `Principal` = * - `AWS Service` = Amazon S3 - `Actions` = * - `Amazon Resource Name` = <ARN of the S3 Bucket> 5. Generate Policy 6. Copy the text and add it to the Bucket Policy.  **From Command Line:**  1. Export the bucket policy to a json file. ``` aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text > policy.json ```  2. Modify the policy.json file by adding in this statement: ``` {  \"Sid\": <optional>\",  \"Effect\": \"Deny\",  \"Principal\": \"*\",  \"Action\": \"s3:*\",  \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",  \"Condition\": {  \"Bool\": {  \"aws:SecureTransport\": \"false\"  }  }  } ``` 3. Apply this modified policy back to the S3 bucket: ``` aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json ```",
+          "AuditProcedure": "To allow access to HTTPS you can use a condition that checks for the key `\"aws:SecureTransport: true\"`. This means that the request is sent through HTTPS but that HTTP can still be used. So to make sure you do not allow HTTP access confirm that there is a bucket policy that explicitly denies access for HTTP requests and that it contains the key \"aws:SecureTransport\": \"false\".  **From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions', then Click on `Bucket Policy`. 4. Ensure that a policy is listed that matches: ``` '{  \"Sid\": <optional>,  \"Effect\": \"Deny\",  \"Principal\": \"*\",  \"Action\": \"s3:*\",  \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",  \"Condition\": {  \"Bool\": {  \"aws:SecureTransport\": \"false\"  }' ``` `<optional>` and `<bucket_name>` will be specific to your account  5. Repeat for all the buckets in your AWS account.  **From Command Line:**  1. List all of the S3 Buckets  ``` aws s3 ls ``` 2. Using the list of buckets run this command on each of them: ``` aws s3api get-bucket-policy --bucket <bucket_name> | grep aws:SecureTransport ``` 3. Confirm that `aws:SecureTransport` is set to false `aws:SecureTransport:false` 4. Confirm that the policy line has Effect set to Deny 'Effect:Deny'",
           "AdditionalInformation": "",
           "References": "https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/:https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html"
         }
@@ -502,8 +503,8 @@
           "Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.",
           "RationaleStatement": "Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete and object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the steps below to enable MFA delete on an S3 bucket.\n\nNote:\n-You cannot enable MFA Delete using the AWS Management Console. You must use the AWS CLI or API.\n-You must use your 'root' account to enable MFA Delete on S3 buckets.\n\n**From Command line:**\n\n1. Run the s3api put-bucket-versioning command\n\n```\naws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa “arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode”\n```",
-          "AuditProcedure": "Perform the steps below to confirm MFA delete is configured on an S3 Bucket\n\n**From Console:**\n\n1. Login to the S3 console at `https://console.aws.amazon.com/s3/`\n\n2. Click the `Check` box next to the Bucket name you want to confirm\n\n3. In the window under `Properties`\n\n4. Confirm that Versioning is `Enabled`\n\n5. Confirm that MFA Delete is `Enabled`\n\n**From Command Line:**\n\n1. Run the `get-bucket-versioning`\n```\naws s3api get-bucket-versioning --bucket my-bucket\n```\n\nOutput example:\n```\n<VersioningConfiguration xmlns=\"http://s3.amazonaws.com/doc/2006-03-01/\"> \n <Status>Enabled</Status>\n <MfaDelete>Enabled</MfaDelete> \n</VersioningConfiguration>\n```\n\nIf the Console or the CLI output does not show Versioning and MFA Delete `enabled` refer to the remediation below.",
+          "RemediationProcedure": "Perform the steps below to enable MFA delete on an S3 bucket.  Note: -You cannot enable MFA Delete using the AWS Management Console. You must use the AWS CLI or API. -You must use your 'root' account to enable MFA Delete on S3 buckets.  **From Command line:**  1. Run the s3api put-bucket-versioning command  ``` aws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa “arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode” ```",
+          "AuditProcedure": "Perform the steps below to confirm MFA delete is configured on an S3 Bucket  **From Console:**  1. Login to the S3 console at `https://console.aws.amazon.com/s3/`  2. Click the `Check` box next to the Bucket name you want to confirm  3. In the window under `Properties`  4. Confirm that Versioning is `Enabled`  5. Confirm that MFA Delete is `Enabled`  **From Command Line:**  1. Run the `get-bucket-versioning` ``` aws s3api get-bucket-versioning --bucket my-bucket ```  Output example: ``` <VersioningConfiguration xmlns=\"http://s3.amazonaws.com/doc/2006-03-01/\">   <Status>Enabled</Status>  <MfaDelete>Enabled</MfaDelete>  </VersioningConfiguration> ```  If the Console or the CLI output does not show Versioning and MFA Delete `enabled` refer to the remediation below.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete:https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html:https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html"
         }
@@ -521,10 +522,10 @@
           "Profile": "Level 2",
           "AssessmentStatus": "Manual",
           "Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.",
-          "RationaleStatement": "Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.\n\nAmazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.",
+          "RationaleStatement": "Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.  Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.",
           "ImpactStatement": "There is a cost associated with using Amazon Macie. There is also typically a cost associated with 3rd Party tools that perform similar processes and protection.",
-          "RemediationProcedure": "Perform the steps below to enable and configure Amazon Macie\n\n**From Console:**\n\n1. Log on to the Macie console at `https://console.aws.amazon.com/macie/`\n\n2. Click `Get started`.\n\n3. Click `Enable Macie`.\n\nSetup a repository for sensitive data discovery results\n\n1. In the Left pane, under Settings, click `Discovery results`.\n\n2. Make sure `Create bucket` is selected.\n\n3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.\n\n4. Click on `Advanced`.\n\n5. Block all public access, make sure `Yes` is selected.\n\n6. KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.\n\n7. Click on `Save`\n\nCreate a job to discover sensitive data\n\n1. In the left pane, click `S3 buckets`. Macie displays a list of all the S3 buckets for your account.\n\n2. Select the `check box` for each bucket that you want Macie to analyze as part of the job\n\n3. Click `Create job`.\n\n3. Click `Quick create`.\n\n4. For the Name and description step, enter a name and, optionally, a description of the job.\n\n5. Then click `Next`.\n\n6. For the Review and create step, click `Submit`.\n\nReview your findings\n\n1. In the left pane, click `Findings`.\n\n2. To view the details of a specific finding, choose any field other than the check box for the finding.\n\nIf you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.",
-          "AuditProcedure": "Perform the following steps to determine if Macie is running:\n\n**From Console:**\n\n 1. Login to the Macie console at https://console.aws.amazon.com/macie/\n\n 2. In the left hand pane click on By job under findings.\n\n 3. Confirm that you have a Job setup for your S3 Buckets\n\nWhen you log into the Macie console if you aren't taken to the summary page and you don't have a job setup and running then refer to the remediation procedure below.\n\nIf you are using a 3rd Party tool to manage and protect your s3 data you meet this recommendation.",
+          "RemediationProcedure": "Perform the steps below to enable and configure Amazon Macie  **From Console:**  1. Log on to the Macie console at `https://console.aws.amazon.com/macie/`  2. Click `Get started`.  3. Click `Enable Macie`.  Setup a repository for sensitive data discovery results  1. In the Left pane, under Settings, click `Discovery results`.  2. Make sure `Create bucket` is selected.  3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.  4. Click on `Advanced`.  5. Block all public access, make sure `Yes` is selected.  6. KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.  7. Click on `Save`  Create a job to discover sensitive data  1. In the left pane, click `S3 buckets`. Macie displays a list of all the S3 buckets for your account.  2. Select the `check box` for each bucket that you want Macie to analyze as part of the job  3. Click `Create job`.  3. Click `Quick create`.  4. For the Name and description step, enter a name and, optionally, a description of the job.  5. Then click `Next`.  6. For the Review and create step, click `Submit`.  Review your findings  1. In the left pane, click `Findings`.  2. To view the details of a specific finding, choose any field other than the check box for the finding.  If you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.",
+          "AuditProcedure": "Perform the following steps to determine if Macie is running:  **From Console:**   1. Login to the Macie console at https://console.aws.amazon.com/macie/   2. In the left hand pane click on By job under findings.   3. Confirm that you have a Job setup for your S3 Buckets  When you log into the Macie console if you aren't taken to the summary page and you don't have a job setup and running then refer to the remediation procedure below.  If you are using a 3rd Party tool to manage and protect your s3 data you meet this recommendation.",
           "AdditionalInformation": "",
           "References": "https://aws.amazon.com/macie/getting-started/:https://docs.aws.amazon.com/workspaces/latest/adminguide/data-protection.html:https://docs.aws.amazon.com/macie/latest/user/data-classification.html"
         }
@@ -543,10 +544,10 @@
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
           "Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.",
-          "RationaleStatement": "Amazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective bucket(s). \n\nAmazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.\n\nWhether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.",
+          "RationaleStatement": "Amazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective bucket(s).   Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.  Whether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.",
           "ImpactStatement": "When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.",
-          "RemediationProcedure": "**If utilizing Block Public Access (bucket settings)**\n\n**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Select the Check box next to the Bucket.\n3. Click on 'Edit public access settings'.\n4. Click 'Block all public access'\n5. Repeat for all the buckets in your AWS account that contain sensitive data.\n\n**From Command Line:**\n\n1. List all of the S3 Buckets\n```\naws s3 ls\n```\n2. Set the Block Public Access to true on that bucket\n```\naws s3api put-public-access-block --bucket <name-of-bucket> --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\"\n```\n\n**If utilizing Block Public Access (account settings)**\n\n**From Console:**\n\nIf the output reads `true` for the separate configuration settings then it is set on the account.\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Choose `Block Public Access (account settings)`\n3. Choose `Edit` to change the block public access settings for all the buckets in your AWS account\n4. Choose the settings you want to change, and then choose `Save`. For details about each setting, pause on the `i` icons.\n5. When you're asked for confirmation, enter `confirm`. Then Click `Confirm` to save your changes.\n\n**From Command Line:**\n\nTo set Block Public access settings for this account, run the following command:\n```\naws s3control put-public-access-block\n--public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true\n--account-id <value>\n```",
-          "AuditProcedure": "**If utilizing Block Public Access (bucket settings)**\n\n**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Select the Check box next to the Bucket.\n3. Click on 'Edit public access settings'.\n4. Ensure that block public access settings are set appropriately for this bucket\n5. Repeat for all the buckets in your AWS account.\n\n**From Command Line:**\n\n1. List all of the S3 Buckets\n```\naws s3 ls\n```\n2. Find the public access setting on that bucket\n```\naws s3api get-public-access-block --bucket <name-of-the-bucket>\n```\nOutput if Block Public access is enabled:\n\n```\n{\n \"PublicAccessBlockConfiguration\": {\n \"BlockPublicAcls\": true,\n \"IgnorePublicAcls\": true,\n \"BlockPublicPolicy\": true,\n \"RestrictPublicBuckets\": true\n }\n}\n```\n\nIf the output reads `false` for the separate configuration settings then proceed to the remediation.\n\n**If utilizing Block Public Access (account settings)**\n\n**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Choose `Block public access (account settings)`\n3. Ensure that block public access settings are set appropriately for your AWS account.\n\n**From Command Line:**\n\nTo check Public access settings for this account status, run the following command,\n`aws s3control get-public-access-block --account-id <ACCT_ID> --region <REGION_NAME>`\n\nOutput if Block Public access is enabled:\n\n```\n{\n \"PublicAccessBlockConfiguration\": {\n \"IgnorePublicAcls\": true, \n \"BlockPublicPolicy\": true, \n \"BlockPublicAcls\": true, \n \"RestrictPublicBuckets\": true\n }\n}\n```\n\nIf the output reads `false` for the separate configuration settings then proceed to the remediation.",
+          "RemediationProcedure": "**If utilizing Block Public Access (bucket settings)**  **From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Click 'Block all public access' 5. Repeat for all the buckets in your AWS account that contain sensitive data.  **From Command Line:**  1. List all of the S3 Buckets ``` aws s3 ls ``` 2. Set the Block Public Access to true on that bucket ``` aws s3api put-public-access-block --bucket <name-of-bucket> --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\" ```  **If utilizing Block Public Access (account settings)**  **From Console:**  If the output reads `true` for the separate configuration settings then it is set on the account.  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Choose `Block Public Access (account settings)` 3. Choose `Edit` to change the block public access settings for all the buckets in your AWS account 4. Choose the settings you want to change, and then choose `Save`. For details about each setting, pause on the `i` icons. 5. When you're asked for confirmation, enter `confirm`. Then Click `Confirm` to save your changes.  **From Command Line:**  To set Block Public access settings for this account, run the following command: ``` aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id <value> ```",
+          "AuditProcedure": "**If utilizing Block Public Access (bucket settings)**  **From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Ensure that block public access settings are set appropriately for this bucket 5. Repeat for all the buckets in your AWS account.  **From Command Line:**  1. List all of the S3 Buckets ``` aws s3 ls ``` 2. Find the public access setting on that bucket ``` aws s3api get-public-access-block --bucket <name-of-the-bucket> ``` Output if Block Public access is enabled:  ``` {  \"PublicAccessBlockConfiguration\": {  \"BlockPublicAcls\": true,  \"IgnorePublicAcls\": true,  \"BlockPublicPolicy\": true,  \"RestrictPublicBuckets\": true  } } ```  If the output reads `false` for the separate configuration settings then proceed to the remediation.  **If utilizing Block Public Access (account settings)**  **From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Choose `Block public access (account settings)` 3. Ensure that block public access settings are set appropriately for your AWS account.  **From Command Line:**  To check Public access settings for this account status, run the following command, `aws s3control get-public-access-block --account-id <ACCT_ID> --region <REGION_NAME>`  Output if Block Public access is enabled:  ``` {  \"PublicAccessBlockConfiguration\": {  \"IgnorePublicAcls\": true,   \"BlockPublicPolicy\": true,   \"BlockPublicAcls\": true,   \"RestrictPublicBuckets\": true  } } ```  If the output reads `false` for the separate configuration settings then proceed to the remediation.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html"
         }
@@ -566,8 +567,8 @@
           "Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.",
           "RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.",
           "ImpactStatement": "Losing access or removing the KMS key in use by the EBS volumes will result in no longer being able to access the volumes.",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/ \n2. Under `Account attributes`, click `EBS encryption`.\n3. Click `Manage`.\n4. Click the `Enable` checkbox.\n5. Click `Update EBS encryption`\n6. Repeat for every region requiring the change.\n\n**Note:** EBS volume encryption is configured per region.\n\n**From Command Line:**\n\n1. Run \n```\naws --region <region> ec2 enable-ebs-encryption-by-default\n```\n2. Verify that `\"EbsEncryptionByDefault\": true` is displayed.\n3. Repeat every region requiring the change.\n\n**Note:** EBS volume encryption is configured per region.",
-          "AuditProcedure": "**From Console:**\n\n1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/ \n2. Under `Account attributes`, click `EBS encryption`.\n3. Verify `Always encrypt new EBS volumes` displays `Enabled`.\n4. Review every region in-use.\n\n**Note:** EBS volume encryption is configured per region.\n\n**From Command Line:**\n\n1. Run \n```\naws --region <region> ec2 get-ebs-encryption-by-default\n```\n2. Verify that `\"EbsEncryptionByDefault\": true` is displayed.\n3. Review every region in-use.\n\n**Note:** EBS volume encryption is configured per region.",
+          "RemediationProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/  2. Under `Account attributes`, click `EBS encryption`. 3. Click `Manage`. 4. Click the `Enable` checkbox. 5. Click `Update EBS encryption` 6. Repeat for every region requiring the change.  **Note:** EBS volume encryption is configured per region.  **From Command Line:**  1. Run  ``` aws --region <region> ec2 enable-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Repeat every region requiring the change.  **Note:** EBS volume encryption is configured per region.",
+          "AuditProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/  2. Under `Account attributes`, click `EBS encryption`. 3. Verify `Always encrypt new EBS volumes` displays `Enabled`. 4. Review every region in-use.  **Note:** EBS volume encryption is configured per region.  **From Command Line:**  1. Run  ``` aws --region <region> ec2 get-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Review every region in-use.  **Note:** EBS volume encryption is configured per region.",
           "AdditionalInformation": "Default EBS volume encryption only applies to newly created EBS volumes. Existing EBS volumes are **not** converted automatically.",
           "References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html:https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/"
         }
@@ -587,8 +588,8 @@
           "Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.",
           "RationaleStatement": "Databases are likely to hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access or disclosure. With RDS encryption enabled, the data stored on the instance's underlying storage, the automated backups, read replicas, and snapshots, are all encrypted.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/.\n2. In the left navigation panel, click on `Databases`\n3. Select the Database instance that needs to be encrypted.\n4. Click on `Actions` button placed at the top right and select `Take Snapshot`.\n5. On the Take Snapshot page, enter a database name of which you want to take a snapshot in the `Snapshot Name` field and click on `Take Snapshot`.\n6. Select the newly created snapshot and click on the `Action` button placed at the top right and select `Copy snapshot` from the Action menu.\n7. On the Make Copy of DB Snapshot page, perform the following:\n\n- In the New DB Snapshot Identifier field, Enter a name for the `new snapshot`.\n- Check `Copy Tags`, New snapshot must have the same tags as the source snapshot.\n- Select `Yes` from the `Enable Encryption` dropdown list to enable encryption, You can choose to use the AWS default encryption key or custom key from Master Key dropdown list.\n\n8. Click `Copy Snapshot` to create an encrypted copy of the selected instance snapshot.\n9. Select the new Snapshot Encrypted Copy and click on the `Action` button placed at the top right and select `Restore Snapshot` button from the Action menu, This will restore the encrypted snapshot to a new database instance.\n10. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field.\n11. Review the instance configuration details and click `Restore DB Instance`.\n12. As the new instance provisioning process is completed can update application configuration to refer to the endpoint of the new Encrypted database instance Once the database endpoint is changed at the application level, can remove the unencrypted instance.\n\n**From Command Line:**\n\n1. Run `describe-db-instances` command to list all RDS database names available in the selected AWS region, The command output should return the database instance identifier.\n```\naws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'\n```\n2. Run `create-db-snapshot` command to create a snapshot for the selected database instance, The command output will return the `new snapshot` with name DB Snapshot Name.\n```\naws rds create-db-snapshot --region <region-name> --db-snapshot-identifier <DB-Snapshot-Name> --db-instance-identifier <DB-Name>\n```\n3. Now run `list-aliases` command to list the KMS keys aliases available in a specified region, The command output should return each `key alias currently available`. For our RDS encryption activation process, locate the ID of the AWS default KMS key.\n```\naws kms list-aliases --region <region-name>\n```\n4. Run `copy-db-snapshot` command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot, The command output will return the `encrypted instance snapshot configuration`.\n```\naws rds copy-db-snapshot --region <region-name> --source-db-snapshot-identifier <DB-Snapshot-Name> --target-db-snapshot-identifier <DB-Snapshot-Name-Encrypted> --copy-tags --kms-key-id <KMS-ID-For-RDS>\n```\n5. Run `restore-db-instance-from-db-snapshot` command to restore the encrypted snapshot created at the previous step to a new database instance, If successful, the command output should return the new encrypted database instance configuration.\n```\naws rds restore-db-instance-from-db-snapshot --region <region-name> --db-instance-identifier <DB-Name-Encrypted> --db-snapshot-identifier <DB-Snapshot-Name-Encrypted>\n```\n6. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region, Output will return database instance identifier name Select encrypted database name that we just created DB-Name-Encrypted.\n```\naws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'\n```\n7. Run again `describe-db-instances` command using the RDS instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True`.\n```\naws rds describe-db-instances --region <region-name> --db-instance-identifier <DB-Name-Encrypted> --query 'DBInstances[*].StorageEncrypted'\n```",
-          "AuditProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/\n2. In the navigation pane, under RDS dashboard, click `Databases`.\n3. Select the RDS Instance that you want to examine\n4. Click `Instance Name` to see details, then click on `Configuration` tab.\n5. Under Configuration Details section, In Storage pane search for the `Encryption Enabled` Status.\n6. If the current status is set to `Disabled`, Encryption is not enabled for the selected RDS Instance database instance.\n7. Repeat steps 3 to 7 to verify encryption status of other RDS Instance in same region.\n8. Change region from the top of the navigation bar and repeat audit for other regions.\n\n**From Command Line:**\n\n1. Run `describe-db-instances` command to list all RDS Instance database names, available in the selected AWS region, Output will return each Instance database identifier-name.\n ```\naws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'\n```\n2. Run again `describe-db-instances` command using the RDS Instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True` Or `False`.\n```\naws rds describe-db-instances --region <region-name> --db-instance-identifier <DB-Name> --query 'DBInstances[*].StorageEncrypted'\n```\n3. If the StorageEncrypted parameter value is `False`, Encryption is not enabled for the selected RDS database instance.\n4. Repeat steps 1 to 3 for auditing each RDS Instance and change Region to verify for other regions",
+          "RemediationProcedure": "**From Console:**  1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases` 3. Select the Database instance that needs to be encrypted. 4. Click on `Actions` button placed at the top right and select `Take Snapshot`. 5. On the Take Snapshot page, enter a database name of which you want to take a snapshot in the `Snapshot Name` field and click on `Take Snapshot`. 6. Select the newly created snapshot and click on the `Action` button placed at the top right and select `Copy snapshot` from the Action menu. 7. On the Make Copy of DB Snapshot page, perform the following:  - In the New DB Snapshot Identifier field, Enter a name for the `new snapshot`. - Check `Copy Tags`, New snapshot must have the same tags as the source snapshot. - Select `Yes` from the `Enable Encryption` dropdown list to enable encryption, You can choose to use the AWS default encryption key or custom key from Master Key dropdown list.  8. Click `Copy Snapshot` to create an encrypted copy of the selected instance snapshot. 9. Select the new Snapshot Encrypted Copy and click on the `Action` button placed at the top right and select `Restore Snapshot` button from the Action menu, This will restore the encrypted snapshot to a new database instance. 10. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field. 11. Review the instance configuration details and click `Restore DB Instance`. 12. As the new instance provisioning process is completed can update application configuration to refer to the endpoint of the new Encrypted database instance Once the database endpoint is changed at the application level, can remove the unencrypted instance.  **From Command Line:**  1. Run `describe-db-instances` command to list all RDS database names available in the selected AWS region, The command output should return the database instance identifier. ``` aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. Run `create-db-snapshot` command to create a snapshot for the selected database instance, The command output will return the `new snapshot` with name DB Snapshot Name. ``` aws rds create-db-snapshot --region <region-name> --db-snapshot-identifier <DB-Snapshot-Name> --db-instance-identifier <DB-Name> ``` 3. Now run `list-aliases` command to list the KMS keys aliases available in a specified region, The command output should return each `key alias currently available`. For our RDS encryption activation process, locate the ID of the AWS default KMS key. ``` aws kms list-aliases --region <region-name> ``` 4. Run `copy-db-snapshot` command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot, The command output will return the `encrypted instance snapshot configuration`. ``` aws rds copy-db-snapshot --region <region-name> --source-db-snapshot-identifier <DB-Snapshot-Name> --target-db-snapshot-identifier <DB-Snapshot-Name-Encrypted> --copy-tags --kms-key-id <KMS-ID-For-RDS> ``` 5. Run `restore-db-instance-from-db-snapshot` command to restore the encrypted snapshot created at the previous step to a new database instance, If successful, the command output should return the new encrypted database instance configuration. ``` aws rds restore-db-instance-from-db-snapshot --region <region-name> --db-instance-identifier <DB-Name-Encrypted> --db-snapshot-identifier <DB-Snapshot-Name-Encrypted> ``` 6. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region, Output will return database instance identifier name Select encrypted database name that we just created DB-Name-Encrypted. ``` aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier' ``` 7. Run again `describe-db-instances` command using the RDS instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True`. ``` aws rds describe-db-instances --region <region-name> --db-instance-identifier <DB-Name-Encrypted> --query 'DBInstances[*].StorageEncrypted' ```",
+          "AuditProcedure": "**From Console:**  1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/ 2. In the navigation pane, under RDS dashboard, click `Databases`. 3. Select the RDS Instance that you want to examine 4. Click `Instance Name` to see details, then click on `Configuration` tab. 5. Under Configuration Details section, In Storage pane search for the `Encryption Enabled` Status. 6. If the current status is set to `Disabled`, Encryption is not enabled for the selected RDS Instance database instance. 7. Repeat steps 3 to 7 to verify encryption status of other RDS Instance in same region. 8. Change region from the top of the navigation bar and repeat audit for other regions.  **From Command Line:**  1. Run `describe-db-instances` command to list all RDS Instance database names, available in the selected AWS region, Output will return each Instance database identifier-name.  ``` aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. Run again `describe-db-instances` command using the RDS Instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True` Or `False`. ``` aws rds describe-db-instances --region <region-name> --db-instance-identifier <DB-Name> --query 'DBInstances[*].StorageEncrypted' ``` 3. If the StorageEncrypted parameter value is `False`, Encryption is not enabled for the selected RDS database instance. 4. Repeat steps 1 to 3 for auditing each RDS Instance and change Region to verify for other regions",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html:https://aws.amazon.com/blogs/database/selecting-the-right-encryption-options-for-amazon-rds-and-amazon-aurora-database-engines/#:~:text=With%20RDS%2Dencrypted%20resources%2C%20data,transparent%20to%20your%20database%20engine.:https://aws.amazon.com/rds/features/security/"
         }
@@ -606,10 +607,10 @@
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
           "Description": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).",
-          "RationaleStatement": "The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally, \n\n- ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected\n\n- ensuring that a multi-regions trail exists will ensure that `Global Service Logging` is enabled for a trail by default to capture recording of events generated on \nAWS global services\n\n- for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account",
-          "ImpactStatement": "S3 lifecycle features can be used to manage the accumulation and management of logs over time. See the following AWS resource for more information on these features:\n\n1. https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html",
-          "RemediationProcedure": "Perform the following to enable global (Multi-region) CloudTrail logging:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. Click on _Trails_ on the left navigation pane\n3. Click `Get Started Now` , if presented\n - Click `Add new trail` \n - Enter a trail name in the `Trail name` box\n - Set the `Apply trail to all regions` option to `Yes` \n - Specify an S3 bucket name in the `S3 bucket` box\n - Click `Create` \n4. If 1 or more trails already exist, select the target trail to enable for global logging\n5. Click the edit icon (pencil) next to `Apply trail to all regions` , Click `Yes` and Click `Save`.\n6. Click the edit icon (pencil) next to `Management Events` click `All` for setting `Read/Write Events` and Click `Save`.\n\n**From Command Line:**\n```\naws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail \naws cloudtrail update-trail --name <trail_name> --is-multi-region-trail\n```\n\nNote: Creating CloudTrail via CLI without providing any overriding options configures `Management Events` to set `All` type of `Read/Writes` by default.",
-          "AuditProcedure": "Perform the following to determine if CloudTrail is enabled for all regions:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. Click on `Trails` on the left navigation pane\n - You will be presented with a list of trails across all regions\n3. Ensure at least one Trail has `All` specified in the `Region` column\n4. Click on a trail via the link in the _Name_ column\n5. Ensure `Logging` is set to `ON` \n6. Ensure `Apply trail to all regions` is set to `Yes`\n7. In section `Management Events` ensure `Read/Write Events` set to `ALL`\n\n**From Command Line:**\n```\n aws cloudtrail describe-trails\n```\nEnsure `IsMultiRegionTrail` is set to `true` \n```\naws cloudtrail get-trail-status --name <trailname shown in describe-trails>\n```\nEnsure `IsLogging` is set to `true`\n```\naws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>\n```\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`",
+          "RationaleStatement": "The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally,   - ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected  - ensuring that a multi-regions trail exists will ensure that `Global Service Logging` is enabled for a trail by default to capture recording of events generated on  AWS global services  - for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account",
+          "ImpactStatement": "S3 lifecycle features can be used to manage the accumulation and management of logs over time. See the following AWS resource for more information on these features:  1. https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html",
+          "RemediationProcedure": "Perform the following to enable global (Multi-region) CloudTrail logging:  **From Console:**  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on _Trails_ on the left navigation pane 3. Click `Get Started Now` , if presented  - Click `Add new trail`   - Enter a trail name in the `Trail name` box  - Set the `Apply trail to all regions` option to `Yes`   - Specify an S3 bucket name in the `S3 bucket` box  - Click `Create`  4. If 1 or more trails already exist, select the target trail to enable for global logging 5. Click the edit icon (pencil) next to `Apply trail to all regions` , Click `Yes` and Click `Save`. 6. Click the edit icon (pencil) next to `Management Events` click `All` for setting `Read/Write Events` and Click `Save`.  **From Command Line:** ``` aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail  aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail ```  Note: Creating CloudTrail via CLI without providing any overriding options configures `Management Events` to set `All` type of `Read/Writes` by default.",
+          "AuditProcedure": "Perform the following to determine if CloudTrail is enabled for all regions:  **From Console:**  1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane  - You will be presented with a list of trails across all regions 3. Ensure at least one Trail has `All` specified in the `Region` column 4. Click on a trail via the link in the _Name_ column 5. Ensure `Logging` is set to `ON`  6. Ensure `Apply trail to all regions` is set to `Yes` 7. In section `Management Events` ensure `Read/Write Events` set to `ALL`  **From Command Line:** ```  aws cloudtrail describe-trails ``` Ensure `IsMultiRegionTrail` is set to `true`  ``` aws cloudtrail get-trail-status --name <trailname shown in describe-trails> ``` Ensure `IsLogging` is set to `true` ``` aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails> ``` Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html#cloud-trail-supported-services-data-events"
         }
@@ -629,8 +630,8 @@
           "Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.",
           "RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/`\n5. Once the Cloudtrail is selected, check the `Write` event checkbox, so that `object-level` logging for Write events is enabled.\n6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.\n\n**From Command Line:**\n\n1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier:\n```\naws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ \"ReadWriteType\": \"WriteOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::<s3-bucket-name>/\"] }] }]'\n```\n2. The command output will be `object-level` event trail configuration.\n3. If you want to enable it for all buckets at once then change Values parameter to `[\"arn:aws:s3\"]` in command given above.\n4. Repeat step 1 for each s3 bucket to update `object-level` logging of write events.\n5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.",
-          "AuditProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to CloudTrail dashboard at `https://console.aws.amazon.com/cloudtrail/`\n2. In the left panel, click `Trails` and then click on the CloudTrail Name that you want to examine.\n3. Review `General details`\n4. Confirm that `Multi-region trail` is set to `Yes`\n5. Scroll down to `Data events`\n6. Confirm that it reads:\nData events: S3\nBucket Name: All current and future S3 buckets\nRead: Enabled\nWrite: Enabled\n7. Repeat steps 2 to 6 to verify that Multi-region trail and Data events logging of S3 buckets in CloudTrail.\nIf the CloudTrails do not have multi-region and data events configured for S3 refer to the remediation below.\n\n**From Command Line:**\n\n1. Run `list-trails` command to list the names of all Amazon CloudTrail trails currently available in all AWS regions:\n```\naws cloudtrail list-trails\n```\n2. The command output will be a list of all the trail names to include.\n\"TrailARN\": \"arn:aws:cloudtrail:<region>:<account#>:trail/<trailname>\",\n\"Name\": \"<trailname>\",\n\"HomeRegion\": \"<region>\"\n3. Next run 'get-trail- command to determine Multi-region.\n```\naws cloudtrail get-trail --name <trailname> --region <region_name>\n```\n4. The command output should include:\n\"IsMultiRegionTrail\": true,\n5. Next run `get-event-selectors` command using the `Name` of the trail and the `region` returned in step 2 to determine if Data events logging feature is enabled within the selected CloudTrail trail for all S3 buckets:\n```\naws cloudtrail get-event-selectors --region <HomeRegion> --trail-name <trailname> --query EventSelectors[*].DataResources[]\n```\n6. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector.\n\"Type\": \"AWS::S3::Object\",\n \"Values\": [\n \"arn:aws:s3\"\n7. If the `get-event-selectors` command returns an empty array '[]', the Data events are not included in the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded.\n8. Repeat steps 1 to 5 for auditing each CloudTrail to determine if Data events for S3 are covered.\nIf Multi-region is not set to true and the Data events does not show S3 defined as shown refer to the remediation procedure below.",
+          "RemediationProcedure": "**From Console:**  1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. Once the Cloudtrail is selected, check the `Write` event checkbox, so that `object-level` logging for Write events is enabled. 6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.  **From Command Line:**  1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ \"ReadWriteType\": \"WriteOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::<s3-bucket-name>/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at once then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. Repeat step 1 for each s3 bucket to update `object-level` logging of write events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.",
+          "AuditProcedure": "**From Console:**  1. Login to the AWS Management Console and navigate to CloudTrail dashboard at `https://console.aws.amazon.com/cloudtrail/` 2. In the left panel, click `Trails` and then click on the CloudTrail Name that you want to examine. 3. Review `General details` 4. Confirm that `Multi-region trail` is set to `Yes` 5. Scroll down to `Data events` 6. Confirm that it reads: Data events: S3 Bucket Name: All current and future S3 buckets Read: Enabled Write: Enabled 7. Repeat steps 2 to 6 to verify that Multi-region trail and Data events logging of S3 buckets in CloudTrail. If the CloudTrails do not have multi-region and data events configured for S3 refer to the remediation below.  **From Command Line:**  1. Run `list-trails` command to list the names of all Amazon CloudTrail trails currently available in all AWS regions: ``` aws cloudtrail list-trails ``` 2. The command output will be a list of all the trail names to include. \"TrailARN\": \"arn:aws:cloudtrail:<region>:<account#>:trail/<trailname>\", \"Name\": \"<trailname>\", \"HomeRegion\": \"<region>\" 3. Next run 'get-trail- command to determine Multi-region. ``` aws cloudtrail get-trail --name <trailname> --region <region_name> ``` 4. The command output should include: \"IsMultiRegionTrail\": true, 5. Next run `get-event-selectors` command using the `Name` of the trail and the `region` returned in step 2 to determine if Data events logging feature is enabled within the selected CloudTrail trail for all S3 buckets: ``` aws cloudtrail get-event-selectors --region <HomeRegion> --trail-name <trailname> --query EventSelectors[*].DataResources[] ``` 6. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. \"Type\": \"AWS::S3::Object\",  \"Values\": [  \"arn:aws:s3\" 7. If the `get-event-selectors` command returns an empty array '[]', the Data events are not included in the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 8. Repeat steps 1 to 5 for auditing each CloudTrail to determine if Data events for S3 are covered. If Multi-region is not set to true and the Data events does not show S3 defined as shown refer to the remediation procedure below.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html"
         }
@@ -650,8 +651,8 @@
           "Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.",
           "RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/`\n5. Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled.\n6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.\n\n**From Command Line:**\n1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier:\n```\naws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ \"ReadWriteType\": \"ReadOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::<s3-bucket-name>/\"] }] }]'\n```\n2. The command output will be `object-level` event trail configuration.\n3. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above.\n4. Repeat step 1 for each s3 bucket to update `object-level` logging of read events.\n5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.",
-          "AuditProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. If the current status for `Object-level` logging is set to `Disabled`, then object-level logging of read events for the selected s3 bucket is not set.\n5. If the current status for `Object-level` logging is set to `Enabled`, but the Read event check-box is unchecked, then object-level logging of read events for the selected s3 bucket is not set.\n6. Repeat steps 2 to 5 to verify `object-level` logging for `read` events of your other S3 buckets.\n\n**From Command Line:**\n1. Run `describe-trails` command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region:\n```\naws cloudtrail describe-trails --region <region-name> --output table --query trailList[*].Name\n```\n2. The command output will be table of the requested trail names.\n3. Run `get-event-selectors` command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3 bucket resources:\n```\naws cloudtrail get-event-selectors --region <region-name> --trail-name <trail-name> --query EventSelectors[*].DataResources[]\n```\n4. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector.\n5. If the `get-event-selectors` command returns an empty array, the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded.\n6. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events.\n7. Change the AWS region by updating the `--region` command parameter and perform the audit process for other regions.",
+          "RemediationProcedure": "**From Console:**  1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled. 6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.  **From Command Line:** 1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ \"ReadWriteType\": \"ReadOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::<s3-bucket-name>/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. Repeat step 1 for each s3 bucket to update `object-level` logging of read events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.",
+          "AuditProcedure": "**From Console:**  1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. If the current status for `Object-level` logging is set to `Disabled`, then object-level logging of read events for the selected s3 bucket is not set. 5. If the current status for `Object-level` logging is set to `Enabled`, but the Read event check-box is unchecked, then object-level logging of read events for the selected s3 bucket is not set. 6. Repeat steps 2 to 5 to verify `object-level` logging for `read` events of your other S3 buckets.  **From Command Line:** 1. Run `describe-trails` command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region: ``` aws cloudtrail describe-trails --region <region-name> --output table --query trailList[*].Name ``` 2. The command output will be table of the requested trail names. 3. Run `get-event-selectors` command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3 bucket resources: ``` aws cloudtrail get-event-selectors --region <region-name> --trail-name <trail-name> --query EventSelectors[*].DataResources[] ``` 4. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. 5. If the `get-event-selectors` command returns an empty array, the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 6. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events. 7. Change the AWS region by updating the `--region` command parameter and perform the audit process for other regions.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html"
         }
@@ -671,8 +672,8 @@
           "Description": "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.",
           "RationaleStatement": "Enabling log file validation will provide additional integrity checking of CloudTrail logs.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to enable log file validation on a given trail:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. Click on `Trails` on the left navigation pane\n3. Click on target trail\n4. Within the `General details` section click `edit`\n5. Under the `Advanced settings` section\n6. Check the enable box under `Log file validation` \n7. Click `Save changes` \n\n**From Command Line:**\n```\naws cloudtrail update-trail --name <trail_name> --enable-log-file-validation\n```\nNote that periodic validation of logs using these digests can be performed by running the following command:\n```\naws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>\n```",
-          "AuditProcedure": "Perform the following on each trail to determine if log file validation is enabled:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. Click on `Trails` on the left navigation pane\n3. For Every Trail:\n- Click on a trail via the link in the _Name_ column\n- Under the `General details` section, ensure `Log file validation` is set to `Enabled` \n\n**From Command Line:**\n```\naws cloudtrail describe-trails\n```\nEnsure `LogFileValidationEnabled` is set to `true` for each trail",
+          "RemediationProcedure": "Perform the following to enable log file validation on a given trail:  **From Console:**  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. Click on target trail 4. Within the `General details` section click `edit` 5. Under the `Advanced settings` section 6. Check the enable box under `Log file validation`  7. Click `Save changes`   **From Command Line:** ``` aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation ``` Note that periodic validation of logs using these digests can be performed by running the following command: ``` aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time> ```",
+          "AuditProcedure": "Perform the following on each trail to determine if log file validation is enabled:  **From Console:**  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. For Every Trail: - Click on a trail via the link in the _Name_ column - Under the `General details` section, ensure `Log file validation` is set to `Enabled`   **From Command Line:** ``` aws cloudtrail describe-trails ``` Ensure `LogFileValidationEnabled` is set to `true` for each trail",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html"
         }
@@ -692,8 +693,8 @@
           "Description": "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.",
           "RationaleStatement": "Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:\n\n1. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home)\n2. Right-click on the bucket and click Properties\n3. In the `Properties` pane, click the `Permissions` tab.\n4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.\n5. Select the row that grants permission to `Everyone` or `Any Authenticated User` \n6. Uncheck all the permissions granted to `Everyone` or `Any Authenticated User` (click `x` to delete the row).\n7. Click `Save` to save the ACL.\n8. If the `Edit bucket policy` button is present, click it.\n9. Remove any `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}.",
-          "AuditProcedure": "Perform the following to determine if any public access is granted to an S3 bucket via an ACL or S3 bucket policy:\n\n**From Console:**\n\n1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home)\n2. In the `API activity history` pane on the left, click `Trails` \n3. In the `Trails` pane, note the bucket names in the `S3 bucket` column\n4. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home)\n5. For each bucket noted in step 3, right-click on the bucket and click `Properties` \n6. In the `Properties` pane, click the `Permissions` tab.\n7. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.\n8. Ensure no rows exists that have the `Grantee` set to `Everyone` or the `Grantee` set to `Any Authenticated User.` \n9. If the `Edit bucket policy` button is present, click it to review the bucket policy.\n10. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}\n\n**From Command Line:**\n\n1. Get the name of the S3 bucket that CloudTrail is logging to:\n```\n aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'\n```\n2. Ensure the `AllUsers` principal is not granted privileges to that `<bucket>` :\n```\n aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/AllUsers` ]'\n```\n3. Ensure the `AuthenticatedUsers` principal is not granted privileges to that `<bucket>`:\n```\n aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/Authenticated Users` ]'\n```\n4. Get the S3 Bucket Policy\n```\n aws s3api get-bucket-policy --bucket <s3_bucket_for_cloudtrail> \n```\n5. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}\n\n**Note:** Principal set to \"\\*\" or {\"AWS\" : \"\\*\"} allows anonymous access.",
+          "RemediationProcedure": "Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:  1. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 2. Right-click on the bucket and click Properties 3. In the `Properties` pane, click the `Permissions` tab. 4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 5. Select the row that grants permission to `Everyone` or `Any Authenticated User`  6. Uncheck all the permissions granted to `Everyone` or `Any Authenticated User` (click `x` to delete the row). 7. Click `Save` to save the ACL. 8. If the `Edit bucket policy` button is present, click it. 9. Remove any `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}.",
+          "AuditProcedure": "Perform the following to determine if any public access is granted to an S3 bucket via an ACL or S3 bucket policy:  **From Console:**  1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the `API activity history` pane on the left, click `Trails`  3. In the `Trails` pane, note the bucket names in the `S3 bucket` column 4. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 5. For each bucket noted in step 3, right-click on the bucket and click `Properties`  6. In the `Properties` pane, click the `Permissions` tab. 7. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 8. Ensure no rows exists that have the `Grantee` set to `Everyone` or the `Grantee` set to `Any Authenticated User.`  9. If the `Edit bucket policy` button is present, click it to review the bucket policy. 10. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}  **From Command Line:**  1. Get the name of the S3 bucket that CloudTrail is logging to: ```  aws cloudtrail describe-trails --query 'trailList[*].S3BucketName' ``` 2. Ensure the `AllUsers` principal is not granted privileges to that `<bucket>` : ```  aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/AllUsers` ]' ``` 3. Ensure the `AuthenticatedUsers` principal is not granted privileges to that `<bucket>`: ```  aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/Authenticated Users` ]' ``` 4. Get the S3 Bucket Policy ```  aws s3api get-bucket-policy --bucket <s3_bucket_for_cloudtrail>  ``` 5. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}  **Note:** Principal set to \"\\*\" or {\"AWS\" : \"\\*\"} allows anonymous access.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html"
         }
@@ -710,11 +711,11 @@
           "Section": "3. Logging",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.\n\nNote: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution.",
+          "Description": "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.  Note: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution.",
           "RationaleStatement": "Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.",
-          "ImpactStatement": "Note: By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:\n\n1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html",
-          "RemediationProcedure": "Perform the following to establish the prescribed state:\n\n**From Console:**\n\n1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/`\n2. Select the `Trail` the needs to be updated.\n3. Scroll down to `CloudWatch Logs`\n4. Click `Edit`\n5. Under `CloudWatch Logs` click the box `Enabled`\n6. Under `Log Group` pick new or select an existing log group\n7. Edit the `Log group name` to match the CloudTrail or pick the existing CloudWatch Group.\n8. Under `IAM Role` pick new or select an existing.\n9. Edit the `Role name` to match the CloudTrail or pick the existing IAM Role.\n10. Click `Save changes.\n\n**From Command Line:**\n```\naws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-group-arn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure CloudTrail is configured as prescribed:\n\n**From Console:**\n\n1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/`\n2. Under `Trails` , click on the CloudTrail you wish to evaluate\n3. Under the `CloudWatch Logs` section.\n4. Ensure a `CloudWatch Logs` log group is configured and listed.\n5. Under `General details` confirm `Last log file delivered` has a recent (~one day old) timestamp.\n\n**From Command Line:**\n\n1. Run the following command to get a listing of existing trails:\n```\n aws cloudtrail describe-trails\n```\n2. Ensure `CloudWatchLogsLogGroupArn` is not empty and note the value of the `Name` property.\n3. Using the noted value of the `Name` property, run the following command:\n```\n aws cloudtrail get-trail-status --name <trail_name>\n```\n4. Ensure the `LatestcloudwatchLogdDeliveryTime` property is set to a recent (~one day old) timestamp.\n\nIf the `CloudWatch Logs` log group is not setup and the delivery time is not recent refer to the remediation below.",
+          "ImpactStatement": "Note: By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:  1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html",
+          "RemediationProcedure": "Perform the following to establish the prescribed state:  **From Console:**  1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Select the `Trail` the needs to be updated. 3. Scroll down to `CloudWatch Logs` 4. Click `Edit` 5. Under `CloudWatch Logs` click the box `Enabled` 6. Under `Log Group` pick new or select an existing log group 7. Edit the `Log group name` to match the CloudTrail or pick the existing CloudWatch Group. 8. Under `IAM Role` pick new or select an existing. 9. Edit the `Role name` to match the CloudTrail or pick the existing IAM Role. 10. Click `Save changes.  **From Command Line:** ``` aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-group-arn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn> ```",
+          "AuditProcedure": "Perform the following to ensure CloudTrail is configured as prescribed:  **From Console:**  1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Under `Trails` , click on the CloudTrail you wish to evaluate 3. Under the `CloudWatch Logs` section. 4. Ensure a `CloudWatch Logs` log group is configured and listed. 5. Under `General details` confirm `Last log file delivered` has a recent (~one day old) timestamp.  **From Command Line:**  1. Run the following command to get a listing of existing trails: ```  aws cloudtrail describe-trails ``` 2. Ensure `CloudWatchLogsLogGroupArn` is not empty and note the value of the `Name` property. 3. Using the noted value of the `Name` property, run the following command: ```  aws cloudtrail get-trail-status --name <trail_name> ``` 4. Ensure the `LatestcloudwatchLogdDeliveryTime` property is set to a recent (~one day old) timestamp.  If the `CloudWatch Logs` log group is not setup and the delivery time is not recent refer to the remediation below.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html"
         }
@@ -734,8 +735,8 @@
           "Description": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions.",
           "RationaleStatement": "The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.",
           "ImpactStatement": "It is recommended AWS Config be enabled in all regions.",
-          "RemediationProcedure": "To implement AWS Config configuration:\n\n**From Console:**\n\n1. Select the region you want to focus on in the top right of the console\n2. Click `Services` \n3. Click `Config` \n4. Define which resources you want to record in the selected region\n5. Choose to include global resources (IAM resources)\n6. Specify an S3 bucket in the same account or in another managed AWS account\n7. Create an SNS Topic from the same AWS account or another managed AWS account\n\n**From Command Line:**\n\n1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the [AWS Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html).\n2. Run this command to set up the configuration recorder\n```\naws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole\n```\n3. Run this command to start the configuration recorder:\n```\nstart-configuration-recorder --configuration-recorder-name <value>\n```",
-          "AuditProcedure": "Process to evaluate AWS Config configuration per region\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/).\n2. On the top right of the console select target Region.\n3. If presented with Setup AWS Config - follow remediation procedure:\n4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears.\n5. Ensure 1 or both check-boxes under \"All Resources\" is checked.\n - Include global resources related to IAM resources - which needs to be enabled in 1 region only\n6. Ensure the correct S3 bucket has been defined.\n7. Ensure the correct SNS topic has been defined.\n8. Repeat steps 2 to 7 for each region.\n\n**From Command Line:**\n\n1. Run this command to show all AWS Config recorders and their properties:\n```\naws configservice describe-configuration-recorders\n```\n2. Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`\n\nNote: There is one more parameter \"ResourceTypes\" in recordingGroup object. We don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])\n\nSample Output:\n\n```\n{\n \"ConfigurationRecorders\": [\n {\n \"recordingGroup\": {\n \"allSupported\": true,\n \"resourceTypes\": [],\n \"includeGlobalResourceTypes\": true\n },\n \"roleARN\": \"arn:aws:iam::<AWS_Account_ID>:role/service-role/<config-role-name>\",\n \"name\": \"default\"\n }\n ]\n}\n```\n\n3. Run this command to show the status for all AWS Config recorders:\n```\naws configservice describe-configuration-recorder-status\n```\n4. In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`",
+          "RemediationProcedure": "To implement AWS Config configuration:  **From Console:**  1. Select the region you want to focus on in the top right of the console 2. Click `Services`  3. Click `Config`  4. Define which resources you want to record in the selected region 5. Choose to include global resources (IAM resources) 6. Specify an S3 bucket in the same account or in another managed AWS account 7. Create an SNS Topic from the same AWS account or another managed AWS account  **From Command Line:**  1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the [AWS Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html). 2. Run this command to set up the configuration recorder ``` aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole ``` 3. Run this command to start the configuration recorder: ``` start-configuration-recorder --configuration-recorder-name <value> ```",
+          "AuditProcedure": "Process to evaluate AWS Config configuration per region  **From Console:**  1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/). 2. On the top right of the console select target Region. 3. If presented with Setup AWS Config - follow remediation procedure: 4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears. 5. Ensure 1 or both check-boxes under \"All Resources\" is checked.  - Include global resources related to IAM resources - which needs to be enabled in 1 region only 6. Ensure the correct S3 bucket has been defined. 7. Ensure the correct SNS topic has been defined. 8. Repeat steps 2 to 7 for each region.  **From Command Line:**  1. Run this command to show all AWS Config recorders and their properties: ``` aws configservice describe-configuration-recorders ``` 2. Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`  Note: There is one more parameter \"ResourceTypes\" in recordingGroup object. We don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])  Sample Output:  ``` {  \"ConfigurationRecorders\": [  {  \"recordingGroup\": {  \"allSupported\": true,  \"resourceTypes\": [],  \"includeGlobalResourceTypes\": true  },  \"roleARN\": \"arn:aws:iam::<AWS_Account_ID>:role/service-role/<config-role-name>\",  \"name\": \"default\"  }  ] } ```  3. Run this command to show the status for all AWS Config recorders: ``` aws configservice describe-configuration-recorder-status ``` 4. In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html"
         }
@@ -755,8 +756,8 @@
           "Description": "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.",
           "RationaleStatement": "By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to enable S3 bucket logging:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3).\n2. Under `All Buckets` click on the target S3 bucket\n3. Click on `Properties` in the top right of the console\n4. Under `Bucket:` <s3\\_bucket\\_for\\_cloudtrail> click on `Logging` \n5. Configure bucket logging\n - Click on the `Enabled` checkbox\n - Select Target Bucket from list\n - Enter a Target Prefix\n6. Click `Save`.\n\n**From Command Line:**\n\n1. Get the name of the S3 bucket that CloudTrail is logging to:\n```\naws cloudtrail describe-trails --region <region-name> --query trailList[*].S3BucketName\n```\n2. Copy and add target bucket name at `<Logging_BucketName>`, Prefix for logfile at `<LogFilePrefix>` and optionally add an email address in the following template and save it as `<FileName.Json>`:\n```\n{\n \"LoggingEnabled\": {\n \"TargetBucket\": \"<Logging_BucketName>\",\n \"TargetPrefix\": \"<LogFilePrefix>\",\n \"TargetGrants\": [\n {\n \"Grantee\": {\n \"Type\": \"AmazonCustomerByEmail\",\n \"EmailAddress\": \"<EmailID>\"\n },\n \"Permission\": \"FULL_CONTROL\"\n }\n ]\n } \n}\n```\n3. Run the `put-bucket-logging` command with bucket name and `<FileName.Json>` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html):\n```\naws s3api put-bucket-logging --bucket <BucketName> --bucket-logging-status file://<FileName.Json>\n```",
-          "AuditProcedure": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:\n\n**From Console:**\n\n1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home)\n2. In the API activity history pane on the left, click Trails\n3. In the Trails pane, note the bucket names in the S3 bucket column\n4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3).\n5. Under `All Buckets` click on a target S3 bucket\n6. Click on `Properties` in the top right of the console\n7. Under `Bucket:` _ `<bucket_name>` _ click on `Logging` \n8. Ensure `Enabled` is checked.\n\n**From Command Line:**\n\n1. Get the name of the S3 bucket that CloudTrail is logging to:\n``` \naws cloudtrail describe-trails --query 'trailList[*].S3BucketName' \n```\n2. Ensure Bucket Logging is enabled:\n```\naws s3api get-bucket-logging --bucket <s3_bucket_for_cloudtrail>\n```\nEnsure command does not returns empty output.\n\nSample Output for a bucket with logging enabled:\n\n```\n{\n \"LoggingEnabled\": {\n \"TargetPrefix\": \"<Prefix_Test>\",\n \"TargetBucket\": \"<Bucket_name_for_Storing_Logs>\"\n }\n}\n```",
+          "RemediationProcedure": "Perform the following to enable S3 bucket logging:  **From Console:**  1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 2. Under `All Buckets` click on the target S3 bucket 3. Click on `Properties` in the top right of the console 4. Under `Bucket:` <s3\\_bucket\\_for\\_cloudtrail> click on `Logging`  5. Configure bucket logging  - Click on the `Enabled` checkbox  - Select Target Bucket from list  - Enter a Target Prefix 6. Click `Save`.  **From Command Line:**  1. Get the name of the S3 bucket that CloudTrail is logging to: ``` aws cloudtrail describe-trails --region <region-name> --query trailList[*].S3BucketName ``` 2. Copy and add target bucket name at `<Logging_BucketName>`, Prefix for logfile at `<LogFilePrefix>` and optionally add an email address in the following template and save it as `<FileName.Json>`: ``` {  \"LoggingEnabled\": {  \"TargetBucket\": \"<Logging_BucketName>\",  \"TargetPrefix\": \"<LogFilePrefix>\",  \"TargetGrants\": [  {  \"Grantee\": {  \"Type\": \"AmazonCustomerByEmail\",  \"EmailAddress\": \"<EmailID>\"  },  \"Permission\": \"FULL_CONTROL\"  }  ]  }  } ``` 3. Run the `put-bucket-logging` command with bucket name and `<FileName.Json>` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html): ``` aws s3api put-bucket-logging --bucket <BucketName> --bucket-logging-status file://<FileName.Json> ```",
+          "AuditProcedure": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:  **From Console:**  1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the API activity history pane on the left, click Trails 3. In the Trails pane, note the bucket names in the S3 bucket column 4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 5. Under `All Buckets` click on a target S3 bucket 6. Click on `Properties` in the top right of the console 7. Under `Bucket:` _ `<bucket_name>` _ click on `Logging`  8. Ensure `Enabled` is checked.  **From Command Line:**  1. Get the name of the S3 bucket that CloudTrail is logging to: ```  aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'  ``` 2. Ensure Bucket Logging is enabled: ``` aws s3api get-bucket-logging --bucket <s3_bucket_for_cloudtrail> ``` Ensure command does not returns empty output.  Sample Output for a bucket with logging enabled:  ``` {  \"LoggingEnabled\": {  \"TargetPrefix\": \"<Prefix_Test>\",  \"TargetBucket\": \"<Bucket_name_for_Storing_Logs>\"  } } ```",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html"
         }
@@ -776,9 +777,9 @@
           "Description": "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.",
           "RationaleStatement": "Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.",
           "ImpactStatement": "Customer created keys incur an additional cost. See https://aws.amazon.com/kms/pricing/ for more information.",
-          "RemediationProcedure": "Perform the following to configure CloudTrail to use SSE-KMS:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. In the left navigation pane, choose `Trails` .\n3. Click on a Trail\n4. Under the `S3` section click on the edit button (pencil icon)\n5. Click `Advanced` \n6. Select an existing CMK from the `KMS key Id` drop-down menu\n - Note: Ensure the CMK is located in the same region as the S3 bucket\n - Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided [here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html) for editing the selected CMK Key policy\n7. Click `Save` \n8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files.\n9. Click `Yes` \n\n**From Command Line:**\n```\naws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key>\naws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy>\n```",
-          "AuditProcedure": "Perform the following to determine if CloudTrail is configured to use SSE-KMS:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. In the left navigation pane, choose `Trails` .\n3. Select a Trail\n4. Under the `S3` section, ensure `Encrypt log files` is set to `Yes` and a KMS key ID is specified in the `KSM Key Id` field.\n\n**From Command Line:**\n\n1. Run the following command:\n```\n aws cloudtrail describe-trails \n```\n2. For each trail listed, SSE-KMS is enabled if the trail has a `KmsKeyId` property defined.",
-          "AdditionalInformation": "3 statements which need to be added to the CMK policy:\n\n1\\. Enable Cloudtrail to describe CMK properties\n```\n<pre class=\"programlisting\" style=\"font-style: normal;\">{\n \"Sid\": \"Allow CloudTrail access\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n },\n \"Action\": \"kms:DescribeKey\",\n \"Resource\": \"*\"\n}\n```\n2\\. Granting encrypt permissions\n```\n<pre class=\"programlisting\" style=\"font-style: normal;\">{\n \"Sid\": \"Allow CloudTrail to encrypt logs\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n },\n \"Action\": \"kms:GenerateDataKey*\",\n \"Resource\": \"*\",\n \"Condition\": {\n \"StringLike\": {\n \"kms:EncryptionContext:aws:cloudtrail:arn\": [\n \"arn:aws:cloudtrail:*:aws-account-id:trail/*\"\n ]\n }\n }\n}\n```\n3\\. Granting decrypt permissions\n```\n<pre class=\"programlisting\" style=\"font-style: normal;\">{\n \"Sid\": \"Enable CloudTrail log decrypt permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::aws-account-id:user/username\"\n },\n \"Action\": \"kms:Decrypt\",\n \"Resource\": \"*\",\n \"Condition\": {\n \"Null\": {\n \"kms:EncryptionContext:aws:cloudtrail:arn\": \"false\"\n }\n }\n}\n```",
+          "RemediationProcedure": "Perform the following to configure CloudTrail to use SSE-KMS:  **From Console:**  1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Click on a Trail 4. Under the `S3` section click on the edit button (pencil icon) 5. Click `Advanced`  6. Select an existing CMK from the `KMS key Id` drop-down menu  - Note: Ensure the CMK is located in the same region as the S3 bucket  - Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided [here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html) for editing the selected CMK Key policy 7. Click `Save`  8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files. 9. Click `Yes`   **From Command Line:** ``` aws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key> aws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy> ```",
+          "AuditProcedure": "Perform the following to determine if CloudTrail is configured to use SSE-KMS:  **From Console:**  1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Select a Trail 4. Under the `S3` section, ensure `Encrypt log files` is set to `Yes` and a KMS key ID is specified in the `KSM Key Id` field.  **From Command Line:**  1. Run the following command: ```  aws cloudtrail describe-trails  ``` 2. For each trail listed, SSE-KMS is enabled if the trail has a `KmsKeyId` property defined.",
+          "AdditionalInformation": "3 statements which need to be added to the CMK policy:  1\\. Enable Cloudtrail to describe CMK properties ``` <pre class=\"programlisting\" style=\"font-style: normal;\">{  \"Sid\": \"Allow CloudTrail access\",  \"Effect\": \"Allow\",  \"Principal\": {  \"Service\": \"cloudtrail.amazonaws.com\"  },  \"Action\": \"kms:DescribeKey\",  \"Resource\": \"*\" } ``` 2\\. Granting encrypt permissions ``` <pre class=\"programlisting\" style=\"font-style: normal;\">{  \"Sid\": \"Allow CloudTrail to encrypt logs\",  \"Effect\": \"Allow\",  \"Principal\": {  \"Service\": \"cloudtrail.amazonaws.com\"  },  \"Action\": \"kms:GenerateDataKey*\",  \"Resource\": \"*\",  \"Condition\": {  \"StringLike\": {  \"kms:EncryptionContext:aws:cloudtrail:arn\": [  \"arn:aws:cloudtrail:*:aws-account-id:trail/*\"  ]  }  } } ``` 3\\. Granting decrypt permissions ``` <pre class=\"programlisting\" style=\"font-style: normal;\">{  \"Sid\": \"Enable CloudTrail log decrypt permissions\",  \"Effect\": \"Allow\",  \"Principal\": {  \"AWS\": \"arn:aws:iam::aws-account-id:user/username\"  },  \"Action\": \"kms:Decrypt\",  \"Resource\": \"*\",  \"Condition\": {  \"Null\": {  \"kms:EncryptionContext:aws:cloudtrail:arn\": \"false\"  }  } } ```",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html:https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html"
         }
       ]
@@ -795,10 +796,10 @@
           "Profile": "Level 2",
           "AssessmentStatus": "Automated",
           "Description": "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK.",
-          "RationaleStatement": "Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\nKeys should be rotated every year, or upon event that would result in the compromise of that key.",
+          "RationaleStatement": "Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed. Keys should be rotated every year, or upon event that would result in the compromise of that key.",
           "ImpactStatement": "Creation, management, and storage of CMKs may require additional time from and administrator.",
-          "RemediationProcedure": "**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam).\n2. In the left navigation pane, choose `Customer managed keys` .\n3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT`\n4. Underneath the \"General configuration\" panel open the tab \"Key rotation\"\n5. Check the \"Automatically rotate this KMS key every year.\" checkbox\n\n**From Command Line:**\n\n1. Run the following command to enable key rotation:\n```\n aws kms enable-key-rotation --key-id <kms_key_id>\n```",
-          "AuditProcedure": "**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam).\n2. In the left navigation pane, choose `Customer managed keys`\n3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT`\n4. Underneath the `General configuration` panel open the tab `Key rotation`\n5. Ensure that the checkbox `Automatically rotate this KMS key every year.` is activated\n6. Repeat steps 3 - 5 for all customer managed CMKs where \"Key spec = SYMMETRIC_DEFAULT\"\n\n**From Command Line:**\n\n1. Run the following command to get a list of all keys and their associated `KeyIds` \n```\n aws kms list-keys\n```\n2. For each key, note the KeyId and run the following command\n```\ndescribe-key --key-id <kms_key_id>\n```\n3. If the response contains \"KeySpec = SYMMETRIC_DEFAULT\" run the following command\n```\n aws kms get-key-rotation-status --key-id <kms_key_id>\n```\n4. Ensure `KeyRotationEnabled` is set to `true`\n5. Repeat steps 2 - 4 for all remaining CMKs",
+          "RemediationProcedure": "**From Console:**  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` . 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the \"General configuration\" panel open the tab \"Key rotation\" 5. Check the \"Automatically rotate this KMS key every year.\" checkbox  **From Command Line:**  1. Run the following command to enable key rotation: ```  aws kms enable-key-rotation --key-id <kms_key_id> ```",
+          "AuditProcedure": "**From Console:**  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the `General configuration` panel open the tab `Key rotation` 5. Ensure that the checkbox `Automatically rotate this KMS key every year.` is activated 6. Repeat steps 3 - 5 for all customer managed CMKs where \"Key spec = SYMMETRIC_DEFAULT\"  **From Command Line:**  1. Run the following command to get a list of all keys and their associated `KeyIds`  ```  aws kms list-keys ``` 2. For each key, note the KeyId and run the following command ``` describe-key --key-id <kms_key_id> ``` 3. If the response contains \"KeySpec = SYMMETRIC_DEFAULT\" run the following command ```  aws kms get-key-rotation-status --key-id <kms_key_id> ``` 4. Ensure `KeyRotationEnabled` is set to `true` 5. Repeat steps 2 - 4 for all remaining CMKs",
           "AdditionalInformation": "",
           "References": "https://aws.amazon.com/kms/pricing/:https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final"
         }
@@ -817,9 +818,9 @@
           "AssessmentStatus": "Automated",
           "Description": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.",
           "RationaleStatement": "VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.",
-          "ImpactStatement": "By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:\n\n1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html",
-          "RemediationProcedure": "Perform the following to determine if VPC Flow logs is enabled:\n\n**From Console:**\n\n1. Sign into the management console\n2. Select `Services` then `VPC` \n3. In the left navigation pane, select `Your VPCs` \n4. Select a VPC\n5. In the right pane, select the `Flow Logs` tab.\n6. If no Flow Log exists, click `Create Flow Log` \n7. For Filter, select `Reject`\n8. Enter in a `Role` and `Destination Log Group` \n9. Click `Create Log Flow` \n10. Click on `CloudWatch Logs Group` \n\n**Note:** Setting the filter to \"Reject\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to \"All\" can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.\n\n**From Command Line:**\n\n1. Create a policy document and name it as `role_policy_document.json` and paste the following content:\n```\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"test\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n}\n```\n2. Create another policy document and name it as `iam_policy.json` and paste the following content:\n```\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\":[\n \"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:DescribeLogGroups\",\n \"logs:DescribeLogStreams\",\n \"logs:PutLogEvents\",\n \"logs:GetLogEvents\",\n \"logs:FilterLogEvents\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}\n```\n3. Run the below command to create an IAM role:\n```\naws iam create-role --role-name <aws_support_iam_role> --assume-role-policy-document file://<file-path>role_policy_document.json \n```\n4. Run the below command to create an IAM policy:\n```\naws iam create-policy --policy-name <ami-policy-name> --policy-document file://<file-path>iam-policy.json\n```\n5. Run `attach-group-policy` command using the IAM policy ARN returned at the previous step to attach the policy to the IAM role (if the command succeeds, no output is returned):\n```\naws iam attach-group-policy --policy-arn arn:aws:iam::<aws-account-id>:policy/<iam-policy-name> --group-name <group-name>\n```\n6. Run `describe-vpcs` to get the VpcId available in the selected region:\n```\naws ec2 describe-vpcs --region <region>\n```\n7. The command output should return the VPC Id available in the selected region.\n8. Run `create-flow-logs` to create a flow log for the vpc:\n```\naws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc-id> --traffic-type REJECT --log-group-name <log-group-name> --deliver-logs-permission-arn <iam-role-arn>\n```\n9. Repeat step 8 for other vpcs available in the selected region.\n10. Change the region by updating --region and repeat remediation procedure for other vpcs.",
-          "AuditProcedure": "Perform the following to determine if VPC Flow logs are enabled:\n\n**From Console:**\n\n1. Sign into the management console\n2. Select `Services` then `VPC` \n3. In the left navigation pane, select `Your VPCs` \n4. Select a VPC\n5. In the right pane, select the `Flow Logs` tab.\n6. Ensure a Log Flow exists that has `Active` in the `Status` column.\n\n**From Command Line:**\n\n1. Run `describe-vpcs` command (OSX/Linux/UNIX) to list the VPC networks available in the current AWS region:\n```\naws ec2 describe-vpcs --region <region> --query Vpcs[].VpcId\n```\n2. The command output returns the `VpcId` available in the selected region.\n3. Run `describe-flow-logs` command (OSX/Linux/UNIX) using the VPC ID to determine if the selected virtual network has the Flow Logs feature enabled:\n```\naws ec2 describe-flow-logs --filter \"Name=resource-id,Values=<vpc-id>\"\n```\n4. If there are no Flow Logs created for the selected VPC, the command output will return an `empty list []`.\n5. Repeat step 3 for other VPCs available in the same region.\n6. Change the region by updating `--region` and repeat steps 1 - 5 for all the VPCs.",
+          "ImpactStatement": "By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:  1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html",
+          "RemediationProcedure": "Perform the following to determine if VPC Flow logs is enabled:  **From Console:**  1. Sign into the management console 2. Select `Services` then `VPC`  3. In the left navigation pane, select `Your VPCs`  4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. If no Flow Log exists, click `Create Flow Log`  7. For Filter, select `Reject` 8. Enter in a `Role` and `Destination Log Group`  9. Click `Create Log Flow`  10. Click on `CloudWatch Logs Group`   **Note:** Setting the filter to \"Reject\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to \"All\" can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.  **From Command Line:**  1. Create a policy document and name it as `role_policy_document.json` and paste the following content: ``` {  \"Version\": \"2012-10-17\",  \"Statement\": [  {  \"Sid\": \"test\",  \"Effect\": \"Allow\",  \"Principal\": {  \"Service\": \"ec2.amazonaws.com\"  },  \"Action\": \"sts:AssumeRole\"  }  ] } ``` 2. Create another policy document and name it as `iam_policy.json` and paste the following content: ``` {  \"Version\": \"2012-10-17\",  \"Statement\": [  {  \"Effect\": \"Allow\",  \"Action\":[  \"logs:CreateLogGroup\",  \"logs:CreateLogStream\",  \"logs:DescribeLogGroups\",  \"logs:DescribeLogStreams\",  \"logs:PutLogEvents\",  \"logs:GetLogEvents\",  \"logs:FilterLogEvents\"  ],  \"Resource\": \"*\"  }  ] } ``` 3. Run the below command to create an IAM role: ``` aws iam create-role --role-name <aws_support_iam_role> --assume-role-policy-document file://<file-path>role_policy_document.json  ``` 4. Run the below command to create an IAM policy: ``` aws iam create-policy --policy-name <ami-policy-name> --policy-document file://<file-path>iam-policy.json ``` 5. Run `attach-group-policy` command using the IAM policy ARN returned at the previous step to attach the policy to the IAM role (if the command succeeds, no output is returned): ``` aws iam attach-group-policy --policy-arn arn:aws:iam::<aws-account-id>:policy/<iam-policy-name> --group-name <group-name> ``` 6. Run `describe-vpcs` to get the VpcId available in the selected region: ``` aws ec2 describe-vpcs --region <region> ``` 7. The command output should return the VPC Id available in the selected region. 8. Run `create-flow-logs` to create a flow log for the vpc: ``` aws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc-id> --traffic-type REJECT --log-group-name <log-group-name> --deliver-logs-permission-arn <iam-role-arn> ``` 9. Repeat step 8 for other vpcs available in the selected region. 10. Change the region by updating --region and repeat remediation procedure for other vpcs.",
+          "AuditProcedure": "Perform the following to determine if VPC Flow logs are enabled:  **From Console:**  1. Sign into the management console 2. Select `Services` then `VPC`  3. In the left navigation pane, select `Your VPCs`  4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. Ensure a Log Flow exists that has `Active` in the `Status` column.  **From Command Line:**  1. Run `describe-vpcs` command (OSX/Linux/UNIX) to list the VPC networks available in the current AWS region: ``` aws ec2 describe-vpcs --region <region> --query Vpcs[].VpcId ``` 2. The command output returns the `VpcId` available in the selected region. 3. Run `describe-flow-logs` command (OSX/Linux/UNIX) using the VPC ID to determine if the selected virtual network has the Flow Logs feature enabled: ``` aws ec2 describe-flow-logs --filter \"Name=resource-id,Values=<vpc-id>\" ``` 4. If there are no Flow Logs created for the selected VPC, the command output will return an `empty list []`. 5. Repeat step 3 for other VPCs available in the same region. 6. Change the region by updating `--region` and repeat steps 1 - 5 for all the VPCs.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html"
         }
@@ -838,10 +839,10 @@
           "AssessmentStatus": "Automated",
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.",
           "RationaleStatement": "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.",
-          "ImpactStatement": "This alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions.\n\nIf an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts.\n\nIn some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name \"cloudtrail_log_group_name\" --filter-name \"<unauthorized_api_calls_metric>\" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 --filter-pattern \"{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") || ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") || ($.eventName!=\"HeadBucket\") }\"\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n**Note**: Capture the TopicArn displayed when creating the SNS Topic in Step 2.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn from step 2> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name \"unauthorized_api_calls_alarm\" --metric-name \"unauthorized_api_calls_metric\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with \"Name\":` note `<cloudtrail__name>`\n\n- From value associated with \"CloudWatchLogsLogGroupArn\" note <cloudtrail_log_group_name>\n\nExample: for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <\"Name\" as shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>` that you captured in step 1:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) || ($.sourceIPAddress!=delivery.logs.amazonaws.com) || ($.eventName!=HeadBucket) }\",\n```\n\n4. Note the \"filterName\" `<unauthorized_api_calls_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<unauthorized_api_calls_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName == `unauthorized_api_calls_metric`]\"\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "ImpactStatement": "This alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions.  If an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts.  In some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name \"cloudtrail_log_group_name\" --filter-name \"<unauthorized_api_calls_metric>\" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 --filter-pattern \"{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") || ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") || ($.eventName!=\"HeadBucket\") }\" ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms. **Note**: Capture the TopicArn displayed when creating the SNS Topic in Step 2.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn from step 2> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"unauthorized_api_calls_alarm\" --metric-name \"unauthorized_api_calls_metric\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with \"Name\":` note `<cloudtrail__name>`  - From value associated with \"CloudWatchLogsLogGroupArn\" note <cloudtrail_log_group_name>  Example: for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <\"Name\" as shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>` that you captured in step 1:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) || ($.sourceIPAddress!=delivery.logs.amazonaws.com) || ($.eventName!=HeadBucket) }\", ```  4. Note the \"filterName\" `<unauthorized_api_calls_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<unauthorized_api_calls_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName == `unauthorized_api_calls_metric`]\" ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://aws.amazon.com/sns/:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -860,9 +861,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.",
           "RationaleStatement": "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for security groups changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name \"<cloudtrail_log_group_name>\" --filter-name \"<security_group_changes_metric>\" --metric-transformations metricName= \"<security_group_changes_metric>\" ,metricNamespace=\"CISBenchmark\",metricValue=1 --filter-pattern \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\"\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name \"<sns_topic_name>\"\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn \"<sns_topic_arn>\" --protocol <protocol_for_sns> --notification-endpoint \"<sns_subscription_endpoints>\"\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name \"<security_group_changes_alarm>\" --metric-name \"<security_group_changes_metric>\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions \"<sns_topic_arn>\"\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\"\n```\n4. Note the `<security_group_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<security_group_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName== '<security_group_changes_metric>']\"\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for security groups changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name \"<cloudtrail_log_group_name>\" --filter-name \"<security_group_changes_metric>\" --metric-transformations metricName= \"<security_group_changes_metric>\" ,metricNamespace=\"CISBenchmark\",metricValue=1 --filter-pattern \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name \"<sns_topic_name>\" ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn \"<sns_topic_arn>\" --protocol <protocol_for_sns> --notification-endpoint \"<sns_subscription_endpoints>\" ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"<security_group_changes_alarm>\" --metric-name \"<security_group_changes_metric>\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions \"<sns_topic_arn>\" ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ``` 4. Note the `<security_group_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<security_group_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName== '<security_group_changes_metric>']\" ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -881,9 +882,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.",
           "RationaleStatement": "Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for NACL changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<nacl_changes_metric>` --metric-transformations metricName= `<nacl_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<nacl_changes_alarm>` --metric-name `<nacl_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }\"\n```\n4. Note the `<nacl_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<nacl_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<nacl_changes_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for NACL changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<nacl_changes_metric>` --metric-transformations metricName= `<nacl_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<nacl_changes_alarm>` --metric-name `<nacl_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }\" ``` 4. Note the `<nacl_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<nacl_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<nacl_changes_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -902,9 +903,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.",
           "RationaleStatement": "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<network_gw_changes_metric>` --metric-transformations metricName= `<network_gw_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<network_gw_changes_alarm>` --metric-name `<network_gw_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }\"\n```\n4. Note the `<network_gw_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<network_gw_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<network_gw_changes_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<network_gw_changes_metric>` --metric-transformations metricName= `<network_gw_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<network_gw_changes_alarm>` --metric-name `<network_gw_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }\" ``` 4. Note the `<network_gw_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<network_gw_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<network_gw_changes_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -923,9 +924,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.",
           "RationaleStatement": "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for route table changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<route_table_changes_metric>` --metric-transformations metricName= `<route_table_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<route_table_changes_alarm>` --metric-name `<route_table_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }\"\n```\n\n4. Note the `<route_table_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<route_table_changes_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<route_table_changes_metric>`]'\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for route table changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<route_table_changes_metric>` --metric-transformations metricName= `<route_table_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<route_table_changes_alarm>` --metric-name `<route_table_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }\" ```  4. Note the `<route_table_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<route_table_changes_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<route_table_changes_metric>`]' ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -944,9 +945,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.",
           "RationaleStatement": "Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for VPC changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<vpc_changes_metric>` --metric-transformations metricName= `<vpc_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<vpc_changes_alarm>` --metric-name `<vpc_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }\"\n```\n\n4. Note the `<vpc_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<vpc_changes_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<vpc_changes_metric>`]'\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for VPC changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<vpc_changes_metric>` --metric-transformations metricName= `<vpc_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<vpc_changes_alarm>` --metric-name `<vpc_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }\" ```  4. Note the `<vpc_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<vpc_changes_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<vpc_changes_metric>`]' ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -965,8 +966,8 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account.",
           "RationaleStatement": "Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for AWS Organizations changes and the `<cloudtrail_log_group_name>` taken from audit step 1:\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<organizations_changes>` --metric-transformations metricName= `<organizations_changes>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }'\n```\n**Note:** You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify:\n```\naws sns create-topic --name <sns_topic_name>\n```\n**Note:** you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2:\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n**Note:** you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2:\n```\naws cloudwatch put-metric-alarm --alarm-name `<organizations_changes>` --metric-name `<organizations_changes>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "1. Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n- Identify the log group name configured for use with active multi-region CloudTrail:\n- List all CloudTrails: \n```\naws cloudtrail describe-trails\n```\n- Identify Multi region Cloudtrails, Trails with `\"IsMultiRegionTrail\"` set to true\n- From value associated with CloudWatchLogsLogGroupArn note <cloudtrail_log_group_name>\n **Example:** for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup\n\n- Ensure Identified Multi region CloudTrail is active:\n```\naws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>\n```\nEnsure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events:\n```\naws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>\n```\n- Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to true and `ReadWriteType` set to `All`.\n\n2. Get a list of all associated metric filters for this <cloudtrail_log_group_name>:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }\"\n```\n4. Note the `<organizations_changes>` value associated with the filterPattern found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<organizations_changes>` captured in step 4:\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<organizations_changes>`]'\n```\n6. Note the AlarmActions value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic:\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\nExample of valid \"SubscriptionArn\": \n```\n\"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for AWS Organizations changes and the `<cloudtrail_log_group_name>` taken from audit step 1: ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<organizations_changes>` --metric-transformations metricName= `<organizations_changes>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }' ``` **Note:** You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify: ``` aws sns create-topic --name <sns_topic_name> ``` **Note:** you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2: ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ``` **Note:** you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2: ``` aws cloudwatch put-metric-alarm --alarm-name `<organizations_changes>` --metric-name `<organizations_changes>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "1. Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured: - Identify the log group name configured for use with active multi-region CloudTrail: - List all CloudTrails:  ``` aws cloudtrail describe-trails ``` - Identify Multi region Cloudtrails, Trails with `\"IsMultiRegionTrail\"` set to true - From value associated with CloudWatchLogsLogGroupArn note <cloudtrail_log_group_name>  **Example:** for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup  - Ensure Identified Multi region CloudTrail is active: ``` aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail> ``` Ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events: ``` aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails> ``` - Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to true and `ReadWriteType` set to `All`.  2. Get a list of all associated metric filters for this <cloudtrail_log_group_name>: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }\" ``` 4. Note the `<organizations_changes>` value associated with the filterPattern found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<organizations_changes>` captured in step 4: ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<organizations_changes>`]' ``` 6. Note the AlarmActions value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic: ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. Example of valid \"SubscriptionArn\":  ``` \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html"
         }
@@ -986,9 +987,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).",
           "RationaleStatement": "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the `<cloudtrail_log_group_name>` taken from audit step 1.\n\nUse Command: \n\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }'\n```\n\nOr (To reduce false positives incase Single Sign-On (SSO) is used in organization):\n\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<no_mfa_console_signin_alarm>` --metric-name `<no_mfa_console_signin_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all `CloudTrails`:\n\n```\naws cloudtrail describe-trails\n```\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region `CloudTrail` is active\n\n```\naws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>\n```\n\nEnsure in the output that `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region 'Cloudtrail' captures all Management Events\n\n```\naws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>\n```\n\nEnsure in the output there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }\"\n```\n\nOr (To reduce false positives incase Single Sign-On (SSO) is used in organization):\n\n```\n\"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }\"\n```\n\n4. Note the `<no_mfa_console_signin_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<no_mfa_console_signin_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<no_mfa_console_signin_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored\n-Filter pattern set to `{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\"}` reduces false alarms raised when user logs in via SSO account.",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the `<cloudtrail_log_group_name>` taken from audit step 1.  Use Command:   ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }' ```  Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):  ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<no_mfa_console_signin_alarm>` --metric-name `<no_mfa_console_signin_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all `CloudTrails`:  ``` aws cloudtrail describe-trails ```  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region `CloudTrail` is active  ``` aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail> ```  Ensure in the output that `IsLogging` is set to `TRUE`  - Ensure identified Multi-region 'Cloudtrail' captures all Management Events  ``` aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails> ```  Ensure in the output there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }\" ```  Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):  ``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }\" ```  4. Note the `<no_mfa_console_signin_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<no_mfa_console_signin_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<no_mfa_console_signin_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored -Filter pattern set to `{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\"}` reduces false alarms raised when user logs in via SSO account.",
           "References": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/viewing_metrics_with_cloudwatch.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1007,9 +1008,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for 'root' login attempts.",
           "RationaleStatement": "Monitoring for 'root' account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for 'Root' account usage and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<root_usage_metric>` --metric-transformations metricName= `<root_usage_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<root_usage_alarm>` --metric-name `<root_usage_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails:\n\n`aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }\"\n```\n\n4. Note the `<root_usage_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<root_usage_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<root_usage_metric>`]'\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "**Configuring log metric filter and alarm on Multi-region (global) CloudTrail**\n\n- ensures that activities from all regions (used as well as unused) are monitored\n\n- ensures that activities on all supported global services are monitored\n\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for 'Root' account usage and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<root_usage_metric>` --metric-transformations metricName= `<root_usage_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<root_usage_alarm>` --metric-name `<root_usage_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails:  `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }\" ```  4. Note the `<root_usage_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<root_usage_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<root_usage_metric>`]' ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "**Configuring log metric filter and alarm on Multi-region (global) CloudTrail**  - ensures that activities from all regions (used as well as unused) are monitored  - ensures that activities on all supported global services are monitored  - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1028,9 +1029,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.",
           "RationaleStatement": "Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<iam_changes_metric>` --metric-transformations metricName= `<iam_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name `<iam_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails:\n\n`aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}\"\n```\n\n4. Note the `<iam_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<iam_changes_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<iam_changes_metric>`]'\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<iam_changes_metric>` --metric-transformations metricName= `<iam_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name `<iam_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails:  `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}\" ```  4. Note the `<iam_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<iam_changes_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<iam_changes_metric>`]' ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1049,9 +1050,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.",
           "RationaleStatement": "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<cloudtrail_cfg_changes_metric>` --metric-transformations metricName= `<cloudtrail_cfg_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<cloudtrail_cfg_changes_alarm>` --metric-name `<cloudtrail_cfg_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }\"\n```\n\n4. Note the `<cloudtrail_cfg_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<cloudtrail_cfg_changes_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<cloudtrail_cfg_changes_metric>`]'\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<cloudtrail_cfg_changes_metric>` --metric-transformations metricName= `<cloudtrail_cfg_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<cloudtrail_cfg_changes_alarm>` --metric-name `<cloudtrail_cfg_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }\" ```  4. Note the `<cloudtrail_cfg_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<cloudtrail_cfg_changes_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<cloudtrail_cfg_changes_metric>`]' ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1070,9 +1071,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.",
           "RationaleStatement": "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<console_signin_failure_metric>` --metric-transformations metricName= `<console_signin_failure_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }'\n```\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<console_signin_failure_alarm>` --metric-name `<console_signin_failure_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }\"\n```\n\n4. Note the `<console_signin_failure_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<console_signin_failure_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<console_signin_failure_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<console_signin_failure_metric>` --metric-transformations metricName= `<console_signin_failure_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<console_signin_failure_alarm>` --metric-name `<console_signin_failure_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }\" ```  4. Note the `<console_signin_failure_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<console_signin_failure_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<console_signin_failure_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1091,9 +1092,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.",
           "RationaleStatement": "Data encrypted with disabled or deleted keys will no longer be accessible.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<disable_or_delete_cmk_changes_metric>` --metric-transformations metricName= `<disable_or_delete_cmk_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }'\n```\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<disable_or_delete_cmk_changes_alarm>` --metric-name `<disable_or_delete_cmk_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }\"\n```\n4. Note the `<disable_or_delete_cmk_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<disable_or_delete_cmk_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<disable_or_delete_cmk_changes_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<disable_or_delete_cmk_changes_metric>` --metric-transformations metricName= `<disable_or_delete_cmk_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<disable_or_delete_cmk_changes_alarm>` --metric-name `<disable_or_delete_cmk_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }\" ``` 4. Note the `<disable_or_delete_cmk_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<disable_or_delete_cmk_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<disable_or_delete_cmk_changes_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1112,9 +1113,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.",
           "RationaleStatement": "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<s3_bucket_policy_changes_metric>` --metric-transformations metricName= `<s3_bucket_policy_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<s3_bucket_policy_changes_alarm>` --metric-name `<s3_bucket_policy_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }\"\n```\n4. Note the `<s3_bucket_policy_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<s3_bucket_policy_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<s3_bucket_policy_changes_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<s3_bucket_policy_changes_metric>` --metric-transformations metricName= `<s3_bucket_policy_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<s3_bucket_policy_changes_alarm>` --metric-name `<s3_bucket_policy_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }\" ``` 4. Note the `<s3_bucket_policy_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<s3_bucket_policy_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<s3_bucket_policy_changes_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1133,9 +1134,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.",
           "RationaleStatement": "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<aws_config_changes_metric>` --metric-transformations metricName= `<aws_config_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<aws_config_changes_alarm>` --metric-name `<aws_config_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }\"\n```\n4. Note the `<aws_config_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<aws_config_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<aws_config_changes_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<aws_config_changes_metric>` --metric-transformations metricName= `<aws_config_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<aws_config_changes_alarm>` --metric-name `<aws_config_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }\" ``` 4. Note the `<aws_config_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<aws_config_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<aws_config_changes_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1156,8 +1157,8 @@
           "Description": "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.",
           "RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\nPerform the following:\n1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home\n2. In the left pane, click `Network ACLs`\n3. For each network ACL to remediate, perform the following:\n - Select the network ACL\n - Click the `Inbound Rules` tab\n - Click `Edit inbound rules`\n - Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule\n - Click `Save`",
-          "AuditProcedure": "**From Console:**\n\nPerform the following to determine if the account is configured as prescribed:\n1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home\n2. In the left pane, click `Network ACLs`\n3. For each network ACL, perform the following:\n - Select the network ACL\n - Click the `Inbound Rules` tab\n - Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` and shows `ALLOW`\n\n**Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports",
+          "RemediationProcedure": "**From Console:**  Perform the following: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. For each network ACL to remediate, perform the following:  - Select the network ACL  - Click the `Inbound Rules` tab  - Click `Edit inbound rules`  - Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule  - Click `Save`",
+          "AuditProcedure": "**From Console:**  Perform the following to determine if the account is configured as prescribed: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. For each network ACL, perform the following:  - Select the network ACL  - Click the `Inbound Rules` tab  - Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` and shows `ALLOW`  **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison"
         }
@@ -1179,8 +1180,8 @@
           "Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.",
           "RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.",
           "ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the 0.0.0.0/0 inbound rule.",
-          "RemediationProcedure": "Perform the following to implement the prescribed state:\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. In the left pane, click `Security Groups` \n3. For each security group, perform the following:\n1. Select the security group\n2. Click the `Inbound Rules` tab\n3. Click the `Edit inbound rules` button\n4. Identify the rules to be edited or removed\n5. Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule\n6. Click `Save rules`",
-          "AuditProcedure": "Perform the following to determine if the account is configured as prescribed:\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. In the left pane, click `Security Groups` \n3. For each security group, perform the following:\n1. Select the security group\n2. Click the `Inbound Rules` tab\n3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` \n\n**Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.",
+          "RemediationProcedure": "Perform the following to implement the prescribed state:  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`  3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule 6. Click `Save rules`",
+          "AuditProcedure": "Perform the following to determine if the account is configured as prescribed:  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`  3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0`   **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule"
         }
@@ -1197,11 +1198,11 @@
           "Section": "5. Networking",
           "Profile": "Level 2",
           "AssessmentStatus": "Automated",
-          "Description": "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.\n\nThe default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.\n\n**NOTE:** When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.",
+          "Description": "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.  The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.  **NOTE:** When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.",
           "RationaleStatement": "Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources.",
           "ImpactStatement": "Implementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.",
-          "RemediationProcedure": "Security Group Members\n\nPerform the following to implement the prescribed state:\n\n1. Identify AWS resources that exist within the default security group\n2. Create a set of least privilege security groups for those resources\n3. Place the resources in those security groups\n4. Remove the resources noted in #1 from the default security group\n\nSecurity Group State\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:\n3. In the left pane, click `Security Groups` \n4. For each default security group, perform the following:\n1. Select the `default` security group\n2. Click the `Inbound Rules` tab\n3. Remove any inbound rules\n4. Click the `Outbound Rules` tab\n5. Remove any Outbound rules\n\nRecommended:\n\nIAM groups allow you to edit the \"name\" field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to \"DO NOT USE. DO NOT ADD RULES\"",
-          "AuditProcedure": "Perform the following to determine if the account is configured as prescribed:\n\nSecurity Group State\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:\n3. In the left pane, click `Security Groups` \n4. For each default security group, perform the following:\n1. Select the `default` security group\n2. Click the `Inbound Rules` tab\n3. Ensure no rule exist\n4. Click the `Outbound Rules` tab\n5. Ensure no rules exist\n\nSecurity Group Members\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS region:\n3. In the left pane, click `Security Groups` \n4. Copy the id of the default security group.\n5. Change to the EC2 Management Console at https://console.aws.amazon.com/ec2/v2/home\n6. In the filter column type 'Security Group ID : < security group id from #4 >'",
+          "RemediationProcedure": "Security Group Members  Perform the following to implement the prescribed state:  1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security group  Security Group State  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`  4. For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Remove any inbound rules 4. Click the `Outbound Rules` tab 5. Remove any Outbound rules  Recommended:  IAM groups allow you to edit the \"name\" field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to \"DO NOT USE. DO NOT ADD RULES\"",
+          "AuditProcedure": "Perform the following to determine if the account is configured as prescribed:  Security Group State  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`  4. For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exist 4. Click the `Outbound Rules` tab 5. Ensure no rules exist  Security Group Members  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`  4. Copy the id of the default security group. 5. Change to the EC2 Management Console at https://console.aws.amazon.com/ec2/v2/home 6. In the filter column type 'Security Group ID : < security group id from #4 >'",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group"
         }
@@ -1221,8 +1222,8 @@
           "Description": "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.",
           "RationaleStatement": "Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.\n\n**From Command Line:**\n\n1. For each _<route\\_table\\_id>_ containing routes non compliant with your routing policy (which grants more than desired \"least access\"), delete the non compliant route:\n```\naws ec2 delete-route --route-table-id <route_table_id> --destination-cidr-block <non_compliant_destination_CIDR>\n```\n 2. Create a new compliant route:\n```\naws ec2 create-route --route-table-id <route_table_id> --destination-cidr-block <compliant_destination_CIDR> --vpc-peering-connection-id <peering_connection_id>\n```",
-          "AuditProcedure": "Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.\n\n**From Command Line:**\n\n1. List all the route tables from a VPC and check if \"GatewayId\" is pointing to a _<peering\\_connection\\_id>_ (e.g. pcx-1a2b3c4d) and if \"DestinationCidrBlock\" is as specific as desired.\n```\naws ec2 describe-route-tables --filter \"Name=vpc-id,Values=<vpc_id>\" --query \"RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}\"\n```",
+          "RemediationProcedure": "Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.  **From Command Line:**  1. For each _<route\\_table\\_id>_ containing routes non compliant with your routing policy (which grants more than desired \"least access\"), delete the non compliant route: ``` aws ec2 delete-route --route-table-id <route_table_id> --destination-cidr-block <non_compliant_destination_CIDR> ```  2. Create a new compliant route: ``` aws ec2 create-route --route-table-id <route_table_id> --destination-cidr-block <compliant_destination_CIDR> --vpc-peering-connection-id <peering_connection_id> ```",
+          "AuditProcedure": "Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.  **From Command Line:**  1. List all the route tables from a VPC and check if \"GatewayId\" is pointing to a _<peering\\_connection\\_id>_ (e.g. pcx-1a2b3c4d) and if \"DestinationCidrBlock\" is as specific as desired. ``` aws ec2 describe-route-tables --filter \"Name=vpc-id,Values=<vpc_id>\" --query \"RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}\" ```",
           "AdditionalInformation": "If an organization has AWS transit gateway implemented in their VPC architecture they should look to apply the recommendation above for \"least access\" routing architecture at the AWS transit gateway level in combination with what must be implemented at the standard VPC route table. More specifically, to route traffic between two or more VPCs via a transit gateway VPCs must have an attachment to a transit gateway route table as well as a route, therefore to avoid routing traffic between VPCs an attachment to the transit gateway route table should only be added where there is an intention to route traffic between the VPCs. As transit gateways are able to host multiple route tables it is possible to group VPCs by attaching them to a common route table.",
           "References": "https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html:https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-peering-connection.html"
         }

prowler/compliance/aws/cis_1.5_aws.json

@@ -15,11 +15,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Manual",
-          "Description": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.\n\nAn AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.",
+          "Description": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.  An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.",
           "RationaleStatement": "If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question, so it is in both the customers' and AWS' best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.",
           "ImpactStatement": "",
-          "RemediationProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing ).\n\n1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/.\n2. On the navigation bar, choose your account name, and then choose `My Account`.\n3. On the `Account Settings` page, next to `Account Settings`, choose `Edit`.\n4. Next to the field that you need to update, choose `Edit`.\n5. After you have entered your changes, choose `Save changes`.\n6. After you have made your changes, choose `Done`.\n7. To edit your contact information, under `Contact Information`, choose `Edit`.\n8. For the fields that you want to change, type your updated information, and then choose `Update`.",
-          "AuditProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing )\n\n1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/.\n2. On the navigation bar, choose your account name, and then choose `My Account`.\n3. On the `Account Settings` page, review and verify the current details.\n4. Under `Contact Information`, review and verify the current details.",
+          "RemediationProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing ).  1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, next to `Account Settings`, choose `Edit`. 4. Next to the field that you need to update, choose `Edit`. 5. After you have entered your changes, choose `Save changes`. 6. After you have made your changes, choose `Done`. 7. To edit your contact information, under `Contact Information`, choose `Edit`. 8. For the fields that you want to change, type your updated information, and then choose `Update`.",
+          "AuditProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing )  1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, review and verify the current details. 4. Under `Contact Information`, review and verify the current details.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#contact-info"
         }
@@ -39,9 +39,9 @@
           "Description": "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.",
           "RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.",
           "ImpactStatement": "AWS will soon end support for SMS multi-factor authentication (MFA). New customers are not allowed to use this feature. We recommend that existing customers switch to one of the following alternative methods of MFA.",
-          "RemediationProcedure": "Perform the following to enable MFA:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/'\n2. In the left pane, select `Users`.\n3. In the `User Name` list, choose the name of the intended MFA user.\n4. Choose the `Security Credentials` tab, and then choose `Manage MFA Device`.\n5. In the `Manage MFA Device wizard`, choose `Virtual MFA` device, and then choose `Continue`.\n\n IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.\n\n6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).\n7. Determine whether the MFA app supports QR codes, and then do one of the following:\n\n - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.\n - In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.\n\n When you are finished, the virtual MFA device starts generating one-time passwords.\n\n8. In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second `one-time password` into the `MFA Code 2 box`.\n\n9. Click `Assign MFA`.",
-          "AuditProcedure": "Perform the following to determine if a MFA device is enabled for all IAM users having a console password:\n\n**From Console:**\n\n1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. In the left pane, select `Users` \n3. If the `MFA` or `Password age` columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click `Close`.\n4. Ensure that for each user where the `Password age` column shows a password age, the `MFA` column shows `Virtual`, `U2F Security Key`, or `Hardware`.\n\n**From Command Line:**\n\n1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status:\n```\n aws iam generate-credential-report\n```\n```\n aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8 \n```\n2. The output of this command will produce a table similar to the following:\n```\n user,password_enabled,mfa_active\n elise,false,false\n brandon,true,true\n rakesh,false,false\n helene,false,false\n paras,true,true\n anitha,false,false \n```\n3. For any column having `password_enabled` set to `true` , ensure `mfa_active` is also set to `true.`",
-          "AdditionalInformation": "**Forced IAM User Self-Service Remediation**\n\nAmazon has published a pattern that forces users to self-service setup MFA before they have access to their complete permissions set. Until they complete this step, they cannot access their full permissions. This pattern can be used on new AWS accounts. It can also be used on existing accounts - it is recommended users are given instructions and a grace period to accomplish MFA enrollment before active enforcement on existing AWS accounts.",
+          "RemediationProcedure": "Perform the following to enable MFA:  **From Console:**  1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/' 2. In the left pane, select `Users`. 3. In the `User Name` list, choose the name of the intended MFA user. 4. Choose the `Security Credentials` tab, and then choose `Manage MFA Device`. 5. In the `Manage MFA Device wizard`, choose `Virtual MFA` device, and then choose `Continue`.   IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.  6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following:   - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.  - In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.   When you are finished, the virtual MFA device starts generating one-time passwords.  8. In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second `one-time password` into the `MFA Code 2 box`.  9. Click `Assign MFA`.",
+          "AuditProcedure": "Perform the following to determine if a MFA device is enabled for all IAM users having a console password:  **From Console:**  1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left pane, select `Users`  3. If the `MFA` or `Password age` columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click `Close`. 4. Ensure that for each user where the `Password age` column shows a password age, the `MFA` column shows `Virtual`, `U2F Security Key`, or `Hardware`.  **From Command Line:**  1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status: ```  aws iam generate-credential-report ``` ```  aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8  ``` 2. The output of this command will produce a table similar to the following: ```  user,password_enabled,mfa_active  elise,false,false  brandon,true,true  rakesh,false,false  helene,false,false  paras,true,true  anitha,false,false  ``` 3. For any column having `password_enabled` set to `true` , ensure `mfa_active` is also set to `true.`",
+          "AdditionalInformation": "**Forced IAM User Self-Service Remediation**  Amazon has published a pattern that forces users to self-service setup MFA before they have access to their complete permissions set. Until they complete this step, they cannot access their full permissions. This pattern can be used on new AWS accounts. It can also be used on existing accounts - it is recommended users are given instructions and a grace period to accomplish MFA enrollment before active enforcement on existing AWS accounts.",
           "References": "https://tools.ietf.org/html/rfc6238:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users"
         }
       ]
@@ -57,11 +57,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require. \n\nProgrammatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user. \n\nAWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.",
-          "RationaleStatement": "Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.\n\n**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.",
+          "Description": "AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require.   Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user.   AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.",
+          "RationaleStatement": "Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.  **Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to delete access keys that do not pass the audit:\n\n**From Console:**\n\n1. Login to the AWS Management Console:\n2. Click `Services` \n3. Click `IAM` \n4. Click on `Users` \n5. Click on `Security Credentials` \n6. As an Administrator \n - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.\n7. As an IAM User\n - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.\n\n**From Command Line:**\n```\naws iam delete-access-key --access-key-id <access-key-id-listed> --user-name <users-name>\n```",
-          "AuditProcedure": "Perform the following to determine if access keys were created upon user creation and are being used and rotated as prescribed:\n\n**From Console:**\n\n1. Login to the AWS Management Console\n2. Click `Services` \n3. Click `IAM` \n4. Click on a User where column `Password age` and `Access key age` is not set to `None`\n5. Click on `Security credentials` Tab\n6. Compare the user 'Creation time` to the Access Key `Created` date.\n6. For any that match, the key was created during initial user setup.\n\n- Keys that were created at the same time as the user profile and do not have a last used date should be deleted. Refer to the remediation below.\n\n**From Command Line:**\n\n1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys utilization:\n```\n aws iam generate-credential-report\n```\n```\n aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16\n```\n2. The output of this command will produce a table similar to the following:\n```\nuser,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date\n elise,false,true,2015-04-16T15:14:00+00:00,false,N/A\n brandon,true,true,N/A,false,N/A\n rakesh,false,false,N/A,false,N/A\n helene,false,true,2015-11-18T17:47:00+00:00,false,N/A\n paras,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00\n anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A \n```\n3. For any user having `password_enabled` set to `true` AND `access_key_last_used_date` set to `N/A` refer to the remediation below.",
+          "RemediationProcedure": "Perform the following to delete access keys that do not pass the audit:  **From Console:**  1. Login to the AWS Management Console: 2. Click `Services`  3. Click `IAM`  4. Click on `Users`  5. Click on `Security Credentials`  6. As an Administrator   - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used. 7. As an IAM User  - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.  **From Command Line:** ``` aws iam delete-access-key --access-key-id <access-key-id-listed> --user-name <users-name> ```",
+          "AuditProcedure": "Perform the following to determine if access keys were created upon user creation and are being used and rotated as prescribed:  **From Console:**  1. Login to the AWS Management Console 2. Click `Services`  3. Click `IAM`  4. Click on a User where column `Password age` and `Access key age` is not set to `None` 5. Click on `Security credentials` Tab 6. Compare the user 'Creation time` to the Access Key `Created` date. 6. For any that match, the key was created during initial user setup.  - Keys that were created at the same time as the user profile and do not have a last used date should be deleted. Refer to the remediation below.  **From Command Line:**  1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys utilization: ```  aws iam generate-credential-report ``` ```  aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16 ``` 2. The output of this command will produce a table similar to the following: ``` user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date  elise,false,true,2015-04-16T15:14:00+00:00,false,N/A  brandon,true,true,N/A,false,N/A  rakesh,false,false,N/A,false,N/A  helene,false,true,2015-11-18T17:47:00+00:00,false,N/A  paras,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00  anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A  ``` 3. For any user having `password_enabled` set to `true` AND `access_key_last_used_date` set to `N/A` refer to the remediation below.",
           "AdditionalInformation": "Credential report does not appear to contain \"Key Creation Date\"",
           "References": "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html"
         }
@@ -71,7 +71,8 @@
       "Id": "1.12",
       "Description": "Ensure credentials unused for 45 days or greater are disabled",
       "Checks": [
-        "iam_disable_45_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ],
       "Attributes": [
         {
@@ -81,8 +82,8 @@
           "Description": "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.",
           "RationaleStatement": "Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\nPerform the following to manage Unused Password (IAM user console access)\n\n1. Login to the AWS Management Console:\n2. Click `Services` \n3. Click `IAM` \n4. Click on `Users` \n5. Click on `Security Credentials` \n6. Select user whose `Console last sign-in` is greater than 45 days\n7. Click `Security credentials`\n8. In section `Sign-in credentials`, `Console password` click `Manage` \n9. Under Console Access select `Disable`\n10.Click `Apply`\n\nPerform the following to deactivate Access Keys:\n\n1. Login to the AWS Management Console:\n2. Click `Services` \n3. Click `IAM` \n4. Click on `Users` \n5. Click on `Security Credentials` \n6. Select any access keys that are over 45 days old and that have been used and \n - Click on `Make Inactive`\n7. Select any access keys that are over 45 days old and that have not been used and \n - Click the X to `Delete`",
-          "AuditProcedure": "Perform the following to determine if unused credentials exist:\n\n**From Console:**\n\n1. Login to the AWS Management Console\n2. Click `Services` \n3. Click `IAM`\n4. Click on `Users`\n5. Click the `Settings` (gear) icon.\n6. Select `Console last sign-in`, `Access key last used`, and `Access Key Id`\n7. Click on `Close` \n8. Check and ensure that `Console last sign-in` is less than 45 days ago.\n\n**Note** - `Never` means the user has never logged in.\n\n9. Check and ensure that `Access key age` is less than 45 days and that `Access key last used` does not say `None`\n\nIf the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old refer to the remediation.\n\n**From Command Line:**\n\n**Download Credential Report:**\n\n1. Run the following commands:\n```\n aws iam generate-credential-report\n\n aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | grep -v '^<root_account>'\n```\n\n**Ensure unused credentials do not exist:**\n\n2. For each user having `password_enabled` set to `TRUE` , ensure `password_last_used_date` is less than `45` days ago.\n\n- When `password_enabled` is set to `TRUE` and `password_last_used` is set to `No_Information` , ensure `password_last_changed` is less than 45 days ago.\n\n3. For each user having an `access_key_1_active` or `access_key_2_active` to `TRUE` , ensure the corresponding `access_key_n_last_used_date` is less than `45` days ago.\n\n- When a user having an `access_key_x_active` (where x is 1 or 2) to `TRUE` and corresponding access_key_x_last_used_date is set to `N/A', ensure `access_key_x_last_rotated` is less than 45 days ago.",
+          "RemediationProcedure": "**From Console:**  Perform the following to manage Unused Password (IAM user console access)  1. Login to the AWS Management Console: 2. Click `Services`  3. Click `IAM`  4. Click on `Users`  5. Click on `Security Credentials`  6. Select user whose `Console last sign-in` is greater than 45 days 7. Click `Security credentials` 8. In section `Sign-in credentials`, `Console password` click `Manage`  9. Under Console Access select `Disable` 10.Click `Apply`  Perform the following to deactivate Access Keys:  1. Login to the AWS Management Console: 2. Click `Services`  3. Click `IAM`  4. Click on `Users`  5. Click on `Security Credentials`  6. Select any access keys that are over 45 days old and that have been used and   - Click on `Make Inactive` 7. Select any access keys that are over 45 days old and that have not been used and   - Click the X to `Delete`",
+          "AuditProcedure": "Perform the following to determine if unused credentials exist:  **From Console:**  1. Login to the AWS Management Console 2. Click `Services`  3. Click `IAM` 4. Click on `Users` 5. Click the `Settings` (gear) icon. 6. Select `Console last sign-in`, `Access key last used`, and `Access Key Id` 7. Click on `Close`  8. Check and ensure that `Console last sign-in` is less than 45 days ago.  **Note** - `Never` means the user has never logged in.  9. Check and ensure that `Access key age` is less than 45 days and that `Access key last used` does not say `None`  If the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old refer to the remediation.  **From Command Line:**  **Download Credential Report:**  1. Run the following commands: ```  aws iam generate-credential-report   aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | grep -v '^<root_account>' ```  **Ensure unused credentials do not exist:**  2. For each user having `password_enabled` set to `TRUE` , ensure `password_last_used_date` is less than `45` days ago.  - When `password_enabled` is set to `TRUE` and `password_last_used` is set to `No_Information` , ensure `password_last_changed` is less than 45 days ago.  3. For each user having an `access_key_1_active` or `access_key_2_active` to `TRUE` , ensure the corresponding `access_key_n_last_used_date` is less than `45` days ago.  - When a user having an `access_key_x_active` (where x is 1 or 2) to `TRUE` and corresponding access_key_x_last_used_date is set to `N/A', ensure `access_key_x_last_rotated` is less than 45 days ago.",
           "AdditionalInformation": "<root_account> is excluded in the audit since the root account should not be used for day to day business and would likely be unused for more than 45 days.",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#remove-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html"
         }
@@ -102,8 +103,8 @@
           "Description": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)",
           "RationaleStatement": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`.\n2. In the left navigation panel, choose `Users`.\n3. Click on the IAM user name that you want to examine.\n4. On the IAM user configuration page, select `Security Credentials` tab.\n5. In `Access Keys` section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.\n6. In the same `Access Keys` section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the `Make Inactive` link.\n7. If you receive the `Change Key Status` confirmation box, click `Deactivate` to switch off the selected key.\n8. Repeat steps no. 3 – 7 for each IAM user in your AWS account.\n\n**From Command Line:**\n\n1. Using the IAM user and access key information provided in the `Audit CLI`, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.\n\n2. Run the `update-access-key` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user\n\n**Note** - the command does not return any output:\n```\naws iam update-access-key --access-key-id <access-key-id> --status Inactive --user-name <user-name>\n```\n3. To confirm that the selected access key pair has been successfully `deactivated` run the `list-access-keys` audit command again for that IAM User:\n```\naws iam list-access-keys --user-name <user-name>\n```\n- The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) `Status` is set to `Inactive`, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.\n\n4. Repeat steps no. 1 – 3 for each IAM user in your AWS account.",
-          "AuditProcedure": "**From Console:**\n\n1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`.\n2. In the left navigation panel, choose `Users`.\n3. Click on the IAM user name that you want to examine.\n4. On the IAM user configuration page, select `Security Credentials` tab.\n5. Under `Access Keys` section, in the Status column, check the current status for each access key associated with the IAM user. If the selected IAM user has more than one access key activated then the users access configuration does not adhere to security best practices and the risk of accidental exposures increases.\n- Repeat steps no. 3 – 5 for each IAM user in your AWS account.\n\n**From Command Line:**\n\n1. Run `list-users` command to list all IAM users within your account:\n```\naws iam list-users --query \"Users[*].UserName\"\n```\nThe command output should return an array that contains all your IAM user names.\n\n2. Run `list-access-keys` command using the IAM user name list to return the current status of each access key associated with the selected IAM user:\n```\naws iam list-access-keys --user-name <user-name>\n```\nThe command output should expose the metadata `(\"Username\", \"AccessKeyId\", \"Status\", \"CreateDate\")` for each access key on that user account.\n\n3. Check the `Status` property value for each key returned to determine each keys current state. If the `Status` property value for more than one IAM access key is set to `Active`, the user access configuration does not adhere to this recommendation, refer to the remediation below.\n\n- Repeat steps no. 2 and 3 for each IAM user in your AWS account.",
+          "RemediationProcedure": "**From Console:**  1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. In `Access Keys` section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working. 6. In the same `Access Keys` section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the `Make Inactive` link. 7. If you receive the `Change Key Status` confirmation box, click `Deactivate` to switch off the selected key. 8. Repeat steps no. 3 – 7 for each IAM user in your AWS account.  **From Command Line:**  1. Using the IAM user and access key information provided in the `Audit CLI`, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.  2. Run the `update-access-key` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user  **Note** - the command does not return any output: ``` aws iam update-access-key --access-key-id <access-key-id> --status Inactive --user-name <user-name> ``` 3. To confirm that the selected access key pair has been successfully `deactivated` run the `list-access-keys` audit command again for that IAM User: ``` aws iam list-access-keys --user-name <user-name> ``` - The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) `Status` is set to `Inactive`, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.  4. Repeat steps no. 1 – 3 for each IAM user in your AWS account.",
+          "AuditProcedure": "**From Console:**  1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. Under `Access Keys` section, in the Status column, check the current status for each access key associated with the IAM user. If the selected IAM user has more than one access key activated then the users access configuration does not adhere to security best practices and the risk of accidental exposures increases. - Repeat steps no. 3 – 5 for each IAM user in your AWS account.  **From Command Line:**  1. Run `list-users` command to list all IAM users within your account: ``` aws iam list-users --query \"Users[*].UserName\" ``` The command output should return an array that contains all your IAM user names.  2. Run `list-access-keys` command using the IAM user name list to return the current status of each access key associated with the selected IAM user: ``` aws iam list-access-keys --user-name <user-name> ``` The command output should expose the metadata `(\"Username\", \"AccessKeyId\", \"Status\", \"CreateDate\")` for each access key on that user account.  3. Check the `Status` property value for each key returned to determine each keys current state. If the `Status` property value for more than one IAM access key is set to `Active`, the user access configuration does not adhere to this recommendation, refer to the remediation below.  - Repeat steps no. 2 and 3 for each IAM user in your AWS account.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html"
         }
@@ -121,10 +122,10 @@
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
           "Description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.",
-          "RationaleStatement": "Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.\n\nAccess keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.",
+          "RationaleStatement": "Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.  Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to rotate access keys:\n\n**From Console:**\n\n1. Go to Management Console (https://console.aws.amazon.com/iam)\n2. Click on `Users`\n3. Click on `Security Credentials` \n4. As an Administrator \n - Click on `Make Inactive` for keys that have not been rotated in `90` Days\n5. As an IAM User\n - Click on `Make Inactive` or `Delete` for keys which have not been rotated or used in `90` Days\n6. Click on `Create Access Key` \n7. Update programmatic call with new Access Key credentials\n\n**From Command Line:**\n\n1. While the first access key is still active, create a second access key, which is active by default. Run the following command:\n```\naws iam create-access-key\n```\n\nAt this point, the user has two active access keys.\n\n2. Update all applications and tools to use the new access key.\n3. Determine whether the first access key is still in use by using this command:\n```\naws iam get-access-key-last-used\n```\n4. One approach is to wait several days and then check the old access key for any use before proceeding.\n\nEven if step Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command:\n```\naws iam update-access-key\n```\n5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to step Step 2 and update this application to use the new key.\n\n6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command:\n```\naws iam delete-access-key\n```",
-          "AuditProcedure": "Perform the following to determine if access keys are rotated as prescribed:\n\n**From Console:**\n\n1. Go to Management Console (https://console.aws.amazon.com/iam)\n2. Click on `Users`\n3. Click `setting` icon\n4. Select `Console last sign-in`\n5. Click `Close`\n6. Ensure that `Access key age` is less than 90 days ago. note) `None` in the `Access key age` means the user has not used the access key.\n\n**From Command Line:**\n\n```\naws iam generate-credential-report\naws iam get-credential-report --query 'Content' --output text | base64 -d\n```\nThe `access_key_1_last_rotated` field in this file notes The date and time, in ISO 8601 date-time format, when the user's access key was created or last changed. If the user does not have an active access key, the value in this field is N/A (not applicable).",
+          "RemediationProcedure": "Perform the following to rotate access keys:  **From Console:**  1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click on `Security Credentials`  4. As an Administrator   - Click on `Make Inactive` for keys that have not been rotated in `90` Days 5. As an IAM User  - Click on `Make Inactive` or `Delete` for keys which have not been rotated or used in `90` Days 6. Click on `Create Access Key`  7. Update programmatic call with new Access Key credentials  **From Command Line:**  1. While the first access key is still active, create a second access key, which is active by default. Run the following command: ``` aws iam create-access-key ```  At this point, the user has two active access keys.  2. Update all applications and tools to use the new access key. 3. Determine whether the first access key is still in use by using this command: ``` aws iam get-access-key-last-used ``` 4. One approach is to wait several days and then check the old access key for any use before proceeding.  Even if step Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command: ``` aws iam update-access-key ``` 5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to step Step 2 and update this application to use the new key.  6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command: ``` aws iam delete-access-key ```",
+          "AuditProcedure": "Perform the following to determine if access keys are rotated as prescribed:  **From Console:**  1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click `setting` icon 4. Select `Console last sign-in` 5. Click `Close` 6. Ensure that `Access key age` is less than 90 days ago. note) `None` in the `Access key age` means the user has not used the access key.  **From Command Line:**  ``` aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d ``` The `access_key_1_last_rotated` field in this file notes The date and time, in ISO 8601 date-time format, when the user's access key was created or last changed. If the user does not have an active access key, the value in this field is N/A (not applicable).",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html"
         }
@@ -141,11 +142,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. \n\nOnly the third implementation is recommended.",
+          "Description": "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy.   Only the third implementation is recommended.",
           "RationaleStatement": "Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to create an IAM group and assign a policy to it:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. In the navigation pane, click `Groups` and then click `Create New Group` .\n3. In the `Group Name` box, type the name of the group and then click `Next Step` .\n4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step` .\n5. Click `Create Group` \n\nPerform the following to add a user to a given group:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. In the navigation pane, click `Groups` \n3. Select the group to add a user to\n4. Click `Add Users To Group` \n5. Select the users to be added to the group\n6. Click `Add Users` \n\nPerform the following to remove a direct association between a user and policy:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. In the left navigation pane, click on Users\n3. For each user:\n - Select the user\n - Click on the `Permissions` tab\n - Expand `Permissions policies` \n - Click `X` for each policy; then click Detach or Remove (depending on policy type)",
-          "AuditProcedure": "Perform the following to determine if an inline policy is set or a policy is directly attached to users:\n\n1. Run the following to get a list of IAM users:\n```\n aws iam list-users --query 'Users[*].UserName' --output text \n```\n2. For each user returned, run the following command to determine if any policies are attached to them:\n```\n aws iam list-attached-user-policies --user-name <iam_user>\n aws iam list-user-policies --user-name <iam_user> \n```\n3. If any policies are returned, the user has an inline policy or direct policy attachment.",
+          "RemediationProcedure": "Perform the following to create an IAM group and assign a policy to it:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups` and then click `Create New Group` . 3. In the `Group Name` box, type the name of the group and then click `Next Step` . 4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step` . 5. Click `Create Group`   Perform the following to add a user to a given group:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups`  3. Select the group to add a user to 4. Click `Add Users To Group`  5. Select the users to be added to the group 6. Click `Add Users`   Perform the following to remove a direct association between a user and policy:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left navigation pane, click on Users 3. For each user:  - Select the user  - Click on the `Permissions` tab  - Expand `Permissions policies`   - Click `X` for each policy; then click Detach or Remove (depending on policy type)",
+          "AuditProcedure": "Perform the following to determine if an inline policy is set or a policy is directly attached to users:  1. Run the following to get a list of IAM users: ```  aws iam list-users --query 'Users[*].UserName' --output text  ``` 2. For each user returned, run the following command to determine if any policies are attached to them: ```  aws iam list-attached-user-policies --user-name <iam_user>  aws iam list-user-policies --user-name <iam_user>  ``` 3. If any policies are returned, the user has an inline policy or direct policy attachment.",
           "AdditionalInformation": "",
           "References": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html"
         }
@@ -164,10 +165,10 @@
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
           "Description": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant _least privilege_ -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform _only_ those tasks, instead of allowing full administrative privileges.",
-          "RationaleStatement": "It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.\n\nProviding full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.\n\nIAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"\\*\" over \"Resource\": \"\\*\" should be removed.",
+          "RationaleStatement": "It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.  Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.  IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"\\*\" over \"Resource\": \"\\*\" should be removed.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\nPerform the following to detach the policy that has full administrative privileges:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. In the navigation pane, click Policies and then search for the policy name found in the audit step.\n3. Select the policy that needs to be deleted.\n4. In the policy action menu, select first `Detach` \n5. Select all Users, Groups, Roles that have this policy attached\n6. Click `Detach Policy` \n7. In the policy action menu, select `Detach` \n\n**From Command Line:**\n\nPerform the following to detach the policy that has full administrative privileges as found in the audit step:\n\n1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.\n\n```\n aws iam list-entities-for-policy --policy-arn <policy_arn>\n```\n2. Detach the policy from all IAM Users:\n```\n aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>\n```\n3. Detach the policy from all IAM Groups:\n```\n aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>\n```\n4. Detach the policy from all IAM Roles:\n```\n aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>\n```",
-          "AuditProcedure": "Perform the following to determine what policies are created:\n\n**From Command Line:**\n\n1. Run the following to get a list of IAM policies:\n```\n aws iam list-policies --only-attached --output text\n```\n2. For each policy returned, run the following command to determine if any policies is allowing full administrative privileges on the account:\n```\n aws iam get-policy-version --policy-arn <policy_arn> --version-id <version>\n```\n3. In output ensure policy should not have any Statement block with `\"Effect\": \"Allow\"` and `Action` set to `\"*\"` and `Resource` set to `\"*\"`",
+          "RemediationProcedure": "**From Console:**  Perform the following to detach the policy that has full administrative privileges:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click Policies and then search for the policy name found in the audit step. 3. Select the policy that needs to be deleted. 4. In the policy action menu, select first `Detach`  5. Select all Users, Groups, Roles that have this policy attached 6. Click `Detach Policy`  7. In the policy action menu, select `Detach`   **From Command Line:**  Perform the following to detach the policy that has full administrative privileges as found in the audit step:  1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.  ```  aws iam list-entities-for-policy --policy-arn <policy_arn> ``` 2. Detach the policy from all IAM Users: ```  aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn> ``` 3. Detach the policy from all IAM Groups: ```  aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn> ``` 4. Detach the policy from all IAM Roles: ```  aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn> ```",
+          "AuditProcedure": "Perform the following to determine what policies are created:  **From Command Line:**  1. Run the following to get a list of IAM policies: ```  aws iam list-policies --only-attached --output text ``` 2. For each policy returned, run the following command to determine if any policies is allowing full administrative privileges on the account: ```  aws iam get-policy-version --policy-arn <policy_arn> --version-id <version> ``` 3. In output ensure policy should not have any Statement block with `\"Effect\": \"Allow\"` and `Action` set to `\"*\"` and `Resource` set to `\"*\"`",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam"
         }
@@ -187,8 +188,8 @@
           "Description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.",
           "RationaleStatement": "By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.",
           "ImpactStatement": "All AWS Support plans include an unlimited number of account and billing support cases, with no long-term contracts. Support billing calculations are performed on a per-account basis for all plans. Enterprise Support plan customers have the option to include multiple enabled accounts in an aggregated monthly billing calculation. Monthly charges for the Business and Enterprise support plans are based on each month's AWS usage charges, subject to a monthly minimum, billed in advance.",
-          "RemediationProcedure": "**From Command Line:**\n\n1. Create an IAM role for managing incidents with AWS:\n - Create a trust relationship policy document that allows <iam_user> to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:\n```\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"<iam_user>\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n }\n```\n2. Create the IAM role using the above trust policy:\n```\naws iam create-role --role-name <aws_support_iam_role> --assume-role-policy-document file:///tmp/TrustPolicy.json\n```\n3. Attach 'AWSSupportAccess' managed policy to the created IAM role:\n```\naws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name <aws_support_iam_role>\n```",
-          "AuditProcedure": "**From Command Line:**\n\n1. List IAM policies, filter for the 'AWSSupportAccess' managed policy, and note the \"Arn\" element value:\n```\naws iam list-policies --query \"Policies[?PolicyName == 'AWSSupportAccess']\"\n```\n2. Check if the 'AWSSupportAccess' policy is attached to any role:\n\n```\naws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess\n```\n\n3. In Output, Ensure `PolicyRoles` does not return empty. 'Example: Example: PolicyRoles: [ ]'\n\nIf it returns empty refer to the remediation below.",
+          "RemediationProcedure": "**From Command Line:**  1. Create an IAM role for managing incidents with AWS:  - Create a trust relationship policy document that allows <iam_user> to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json: ```  {  \"Version\": \"2012-10-17\",  \"Statement\": [  {  \"Effect\": \"Allow\",  \"Principal\": {  \"AWS\": \"<iam_user>\"  },  \"Action\": \"sts:AssumeRole\"  }  ]  } ``` 2. Create the IAM role using the above trust policy: ``` aws iam create-role --role-name <aws_support_iam_role> --assume-role-policy-document file:///tmp/TrustPolicy.json ``` 3. Attach 'AWSSupportAccess' managed policy to the created IAM role: ``` aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name <aws_support_iam_role> ```",
+          "AuditProcedure": "**From Command Line:**  1. List IAM policies, filter for the 'AWSSupportAccess' managed policy, and note the \"Arn\" element value: ``` aws iam list-policies --query \"Policies[?PolicyName == 'AWSSupportAccess']\" ``` 2. Check if the 'AWSSupportAccess' policy is attached to any role:  ``` aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess ```  3. In Output, Ensure `PolicyRoles` does not return empty. 'Example: Example: PolicyRoles: [ ]'  If it returns empty refer to the remediation below.",
           "AdditionalInformation": "AWSSupportAccess policy is a global AWS resource. It has same ARN as `arn:aws:iam::aws:policy/AWSSupportAccess` for every account.",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://aws.amazon.com/premiumsupport/pricing/:https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html:https://docs.aws.amazon.com/cli/latest/reference/iam/attach-role-policy.html:https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html"
         }
@@ -206,10 +207,10 @@
           "Profile": "Level 2",
           "AssessmentStatus": "Manual",
           "Description": "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \"AWS Access\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.",
-          "RationaleStatement": "AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it.\n\nAdditionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.",
+          "RationaleStatement": "AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it.  Additionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.",
           "ImpactStatement": "",
-          "RemediationProcedure": "IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create a new instance.\n\nIf the instance has no external dependencies on its current private ip or public addresses are elastic IPs:\n\n1. In AWS IAM create a new role. Assign a permissions policy if needed permissions are already known.\n2. In the AWS console launch a new instance with identical settings to the existing instance, and ensure that the newly created role is selected.\n3. Shutdown both the existing instance and the new instance.\n4. Detach disks from both instances.\n5. Attach the existing instance disks to the new instance.\n6. Boot the new instance and you should have the same machine, but with the associated role.\n\n**Note:** if your environment has dependencies on a dynamically assigned PRIVATE IP address you can create an AMI from the existing instance, destroy the old one and then when launching from the AMI, manually assign the previous private IP address.\n\n**Note: **if your environment has dependencies on a dynamically assigned PUBLIC IP address there is not a way ensure the address is retained and assign an instance role. Dependencies on dynamically assigned public IP addresses are a bad practice and, if possible, you may wish to rebuild the instance with a new elastic IP address and make the investment to remediate affected systems while assigning the system to a role.",
-          "AuditProcedure": "Where an instance is associated with a Role:\n\nFor instances that are known to perform AWS actions, ensure that they belong to an instance role that has the necessary permissions:\n\n1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)\n2. Open the EC2 Dashboard and choose \"Instances\"\n3. Click the EC2 instance that performs AWS actions, in the lower pane details find \"IAM Role\"\n4. If the Role is blank, the instance is not assigned to one.\n5. If the Role is filled in, it does not mean the instance might not \\*also\\* have credentials encoded on it for some activities.\n\nWhere an Instance Contains Embedded Credentials:\n\n- On the instance that is known to perform AWS actions, audit all scripts and environment variables to ensure that none of them contain AWS credentials.\n\nWhere an Instance Application Contains Embedded Credentials:\n\n- Applications that run on an instance may also have credentials embedded. This is a bad practice, but even worse if the source code is stored in a public code repository such as github. When an application contains credentials can be determined by eliminating all other sources of credentials and if the application can still access AWS resources - it likely contains embedded credentials. Another method is to examine all source code and configuration files of the application.",
+          "RemediationProcedure": "IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create a new instance.  If the instance has no external dependencies on its current private ip or public addresses are elastic IPs:  1. In AWS IAM create a new role. Assign a permissions policy if needed permissions are already known. 2. In the AWS console launch a new instance with identical settings to the existing instance, and ensure that the newly created role is selected. 3. Shutdown both the existing instance and the new instance. 4. Detach disks from both instances. 5. Attach the existing instance disks to the new instance. 6. Boot the new instance and you should have the same machine, but with the associated role.  **Note:** if your environment has dependencies on a dynamically assigned PRIVATE IP address you can create an AMI from the existing instance, destroy the old one and then when launching from the AMI, manually assign the previous private IP address.  **Note: **if your environment has dependencies on a dynamically assigned PUBLIC IP address there is not a way ensure the address is retained and assign an instance role. Dependencies on dynamically assigned public IP addresses are a bad practice and, if possible, you may wish to rebuild the instance with a new elastic IP address and make the investment to remediate affected systems while assigning the system to a role.",
+          "AuditProcedure": "Where an instance is associated with a Role:  For instances that are known to perform AWS actions, ensure that they belong to an instance role that has the necessary permissions:  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Open the EC2 Dashboard and choose \"Instances\" 3. Click the EC2 instance that performs AWS actions, in the lower pane details find \"IAM Role\" 4. If the Role is blank, the instance is not assigned to one. 5. If the Role is filled in, it does not mean the instance might not \\*also\\* have credentials encoded on it for some activities.  Where an Instance Contains Embedded Credentials:  - On the instance that is known to perform AWS actions, audit all scripts and environment variables to ensure that none of them contain AWS credentials.  Where an Instance Application Contains Embedded Credentials:  - Applications that run on an instance may also have credentials embedded. This is a bad practice, but even worse if the source code is stored in a public code repository such as github. When an application contains credentials can be determined by eliminating all other sources of credentials and if the application can still access AWS resources - it likely contains embedded credentials. Another method is to examine all source code and configuration files of the application.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html"
         }
@@ -226,11 +227,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. \nUse IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.",
+          "Description": "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates.  Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.",
           "RationaleStatement": "Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.",
-          "ImpactStatement": "Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc.\nOne has to make configurations at respective services to ensure there is no interruption in application functionality.",
-          "RemediationProcedure": "**From Console:**\n\nRemoving expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).\n\n**From Command Line:**\n\nTo delete Expired Certificate run following command by replacing <CERTIFICATE_NAME> with the name of the certificate to delete:\n\n```\naws iam delete-server-certificate --server-certificate-name <CERTIFICATE_NAME>\n```\n\nWhen the preceding command is successful, it does not return any output.",
-          "AuditProcedure": "**From Console:**\n\nGetting the certificates expiration information via AWS Management Console is not currently supported. \nTo request information about the SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).\n\n**From Command Line:**\n\nRun list-server-certificates command to list all the IAM-stored server certificates:\n\n```\naws iam list-server-certificates\n```\n\nThe command output should return an array that contains all the SSL/TLS certificates currently stored in IAM and their metadata (name, ID, expiration date, etc):\n\n```\n{\n \"ServerCertificateMetadataList\": [\n {\n \"ServerCertificateId\": \"EHDGFRW7EJFYTE88D\",\n \"ServerCertificateName\": \"MyServerCertificate\",\n \"Expiration\": \"2018-07-10T23:59:59Z\",\n \"Path\": \"/\",\n \"Arn\": \"arn:aws:iam::012345678910:server-certificate/MySSLCertificate\",\n \"UploadDate\": \"2018-06-10T11:56:08Z\"\n }\n ]\n}\n```\n\nVerify the `ServerCertificateName` and `Expiration` parameter value (expiration date) for each SSL/TLS certificate returned by the list-server-certificates command and determine if there are any expired server certificates currently stored in AWS IAM. If so, use the AWS API to remove them.\n\nIf this command returns:\n```\n{ { \"ServerCertificateMetadataList\": [] }\n```\nThis means that there are no expired certificates, It DOES NOT mean that no certificates exist.",
+          "ImpactStatement": "Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc. One has to make configurations at respective services to ensure there is no interruption in application functionality.",
+          "RemediationProcedure": "**From Console:**  Removing expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).  **From Command Line:**  To delete Expired Certificate run following command by replacing <CERTIFICATE_NAME> with the name of the certificate to delete:  ``` aws iam delete-server-certificate --server-certificate-name <CERTIFICATE_NAME> ```  When the preceding command is successful, it does not return any output.",
+          "AuditProcedure": "**From Console:**  Getting the certificates expiration information via AWS Management Console is not currently supported.  To request information about the SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).  **From Command Line:**  Run list-server-certificates command to list all the IAM-stored server certificates:  ``` aws iam list-server-certificates ```  The command output should return an array that contains all the SSL/TLS certificates currently stored in IAM and their metadata (name, ID, expiration date, etc):  ``` {  \"ServerCertificateMetadataList\": [  {  \"ServerCertificateId\": \"EHDGFRW7EJFYTE88D\",  \"ServerCertificateName\": \"MyServerCertificate\",  \"Expiration\": \"2018-07-10T23:59:59Z\",  \"Path\": \"/\",  \"Arn\": \"arn:aws:iam::012345678910:server-certificate/MySSLCertificate\",  \"UploadDate\": \"2018-06-10T11:56:08Z\"  }  ] } ```  Verify the `ServerCertificateName` and `Expiration` parameter value (expiration date) for each SSL/TLS certificate returned by the list-server-certificates command and determine if there are any expired server certificates currently stored in AWS IAM. If so, use the AWS API to remove them.  If this command returns: ``` { { \"ServerCertificateMetadataList\": [] } ``` This means that there are no expired certificates, It DOES NOT mean that no certificates exist.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html:https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html"
         }
@@ -250,8 +251,8 @@
           "Description": "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided.",
           "RationaleStatement": "Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to establish security contact information:\n\n**From Console:**\n\n1. Click on your account name at the top right corner of the console.\n2. From the drop-down menu Click `My Account` \n3. Scroll down to the `Alternate Contacts` section\n4. Enter contact information in the `Security` section\n\n**Note:** Consider specifying an internal email distribution list to ensure emails are regularly monitored by more than one individual.",
-          "AuditProcedure": "Perform the following to determine if security contact information is present:\n\n**From Console:**\n\n1. Click on your account name at the top right corner of the console\n2. From the drop-down menu Click `My Account` \n3. Scroll down to the `Alternate Contacts` section\n4. Ensure contact information is specified in the `Security` section",
+          "RemediationProcedure": "Perform the following to establish security contact information:  **From Console:**  1. Click on your account name at the top right corner of the console. 2. From the drop-down menu Click `My Account`  3. Scroll down to the `Alternate Contacts` section 4. Enter contact information in the `Security` section  **Note:** Consider specifying an internal email distribution list to ensure emails are regularly monitored by more than one individual.",
+          "AuditProcedure": "Perform the following to determine if security contact information is present:  **From Console:**  1. Click on your account name at the top right corner of the console 2. From the drop-down menu Click `My Account`  3. Scroll down to the `Alternate Contacts` section 4. Ensure contact information is specified in the `Security` section",
           "AdditionalInformation": "",
           "References": ""
         }
@@ -268,11 +269,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "Enable IAM Access analyzer for IAM policies about all resources in each region.\n\nIAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access.\nAccess Analyzer analyzes only policies that are applied to resources in the same AWS Region.",
+          "Description": "Enable IAM Access analyzer for IAM policies about all resources in each region.  IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region.",
           "RationaleStatement": "AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. IAM Access Analyzer continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service) keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\nPerform the following to enable IAM Access analyzer for IAM policies:\n\n1. Open the IAM console at `https://console.aws.amazon.com/iam/.`\n2. Choose `Access analyzer`.\n3. Choose `Create analyzer`.\n4. On the `Create analyzer` page, confirm that the `Region` displayed is the Region where you want to enable Access Analyzer.\n5. Enter a name for the analyzer. `Optional as it will generate a name for you automatically`.\n6. Add any tags that you want to apply to the analyzer. `Optional`. \n7. Choose `Create Analyzer`.\n8. Repeat these step for each active region\n\n**From Command Line:**\n\nRun the following command:\n```\naws accessanalyzer create-analyzer --analyzer-name <NAME> --type <ACCOUNT|ORGANIZATION>\n```\nRepeat this command above for each active region.\n\n**Note:** The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.",
-          "AuditProcedure": "**From Console:**\n\n1. Open the IAM console at `https://console.aws.amazon.com/iam/`\n2. Choose `Access analyzer`\n3. Click 'Analyzers'\n4. Ensure that at least one analyzer is present\n5. Ensure that the `STATUS` is set to `Active`\n6. Repeat these step for each active region\n\n**From Command Line:**\n\n1. Run the following command:\n```\naws accessanalyzer list-analyzers | grep status\n```\n2. Ensure that at least one Analyzer the `status` is set to `ACTIVE`\n\n3. Repeat the steps above for each active region.\n\nIf an Access analyzer is not listed for each region or the status is not set to active refer to the remediation procedure below.",
+          "RemediationProcedure": "**From Console:**  Perform the following to enable IAM Access analyzer for IAM policies:  1. Open the IAM console at `https://console.aws.amazon.com/iam/.` 2. Choose `Access analyzer`. 3. Choose `Create analyzer`. 4. On the `Create analyzer` page, confirm that the `Region` displayed is the Region where you want to enable Access Analyzer. 5. Enter a name for the analyzer. `Optional as it will generate a name for you automatically`. 6. Add any tags that you want to apply to the analyzer. `Optional`.  7. Choose `Create Analyzer`. 8. Repeat these step for each active region  **From Command Line:**  Run the following command: ``` aws accessanalyzer create-analyzer --analyzer-name <NAME> --type <ACCOUNT|ORGANIZATION> ``` Repeat this command above for each active region.  **Note:** The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.",
+          "AuditProcedure": "**From Console:**  1. Open the IAM console at `https://console.aws.amazon.com/iam/` 2. Choose `Access analyzer` 3. Click 'Analyzers' 4. Ensure that at least one analyzer is present 5. Ensure that the `STATUS` is set to `Active` 6. Repeat these step for each active region  **From Command Line:**  1. Run the following command: ``` aws accessanalyzer list-analyzers | grep status ``` 2. Ensure that at least one Analyzer the `status` is set to `ACTIVE`  3. Repeat the steps above for each active region.  If an Access analyzer is not listed for each region or the status is not set to active refer to the remediation procedure below.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/get-analyzer.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/create-analyzer.html"
         }
@@ -293,7 +294,7 @@
           "RationaleStatement": "Centralizing IAM user management to a single identity store reduces complexity and thus the likelihood of access management errors.",
           "ImpactStatement": "",
           "RemediationProcedure": "The remediation procedure will vary based on the individual organization's implementation of identity federation and/or AWS Organizations with the acceptance criteria that no non-service IAM users, and non-root accounts, are present outside the account providing centralized IAM user management.",
-          "AuditProcedure": "For multi-account AWS environments with an external identity provider... \n\n1. Determine the master account for identity federation or IAM user management\n2. Login to that account through the AWS Management Console\n3. Click `Services` \n4. Click `IAM` \n5. Click `Identity providers`\n6. Verify the configuration\n\nThen..., determine all accounts that should not have local users present. For each account...\n\n1. Determine all accounts that should not have local users present\n2. Log into the AWS Management Console\n3. Switch role into each identified account\n4. Click `Services` \n5. Click `IAM` \n6. Click `Users`\n7. Confirm that no IAM users representing individuals are present\n\nFor multi-account AWS environments implementing AWS Organizations without an external identity provider... \n\n1. Determine all accounts that should not have local users present\n2. Log into the AWS Management Console\n3. Switch role into each identified account\n4. Click `Services` \n5. Click `IAM` \n6. Click `Users`\n7. Confirm that no IAM users representing individuals are present",
+          "AuditProcedure": "For multi-account AWS environments with an external identity provider...   1. Determine the master account for identity federation or IAM user management 2. Login to that account through the AWS Management Console 3. Click `Services`  4. Click `IAM`  5. Click `Identity providers` 6. Verify the configuration  Then..., determine all accounts that should not have local users present. For each account...  1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`  5. Click `IAM`  6. Click `Users` 7. Confirm that no IAM users representing individuals are present  For multi-account AWS environments implementing AWS Organizations without an external identity provider...   1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`  5. Click `IAM`  6. Click `Users` 7. Confirm that no IAM users representing individuals are present",
           "AdditionalInformation": "",
           "References": ""
         }
@@ -313,8 +314,8 @@
           "Description": "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.",
           "RationaleStatement": "When creating a new AWS account, a default super user is automatically created. This account is referred to as the 'root user' or 'root' account. It is recommended that the use of this account be limited and highly controlled. During events in which the 'root' password is no longer accessible or the MFA token associated with 'root' is lost/destroyed it is possible, through authentication using secret questions and associated answers, to recover 'root' user login access.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to the AWS Account as the 'root' user\n2. Click on the _<Root\\_Account\\_Name>_ from the top right of the console\n3. From the drop-down menu Click _My Account_\n4. Scroll down to the `Configure Security Questions` section\n5. Click on `Edit` \n6. Click on each `Question` \n - From the drop-down select an appropriate question\n - Click on the `Answer` section\n - Enter an appropriate answer \n - Follow process for all 3 questions\n7. Click `Update` when complete\n8. Save Questions and Answers and place in a secure physical location",
-          "AuditProcedure": "**From Console:**\n\n1. Login to the AWS account as the 'root' user\n2. On the top right you will see the _<Root\\_Account\\_Name>_\n3. Click on the _<Root\\_Account\\_Name>_\n4. From the drop-down menu Click `My Account` \n5. In the `Configure Security Challenge Questions` section on the `Personal Information` page, configure three security challenge questions.\n6. Click `Save questions` .",
+          "RemediationProcedure": "**From Console:**  1. Login to the AWS Account as the 'root' user 2. Click on the _<Root\\_Account\\_Name>_ from the top right of the console 3. From the drop-down menu Click _My Account_ 4. Scroll down to the `Configure Security Questions` section 5. Click on `Edit`  6. Click on each `Question`   - From the drop-down select an appropriate question  - Click on the `Answer` section  - Enter an appropriate answer   - Follow process for all 3 questions 7. Click `Update` when complete 8. Save Questions and Answers and place in a secure physical location",
+          "AuditProcedure": "**From Console:**  1. Login to the AWS account as the 'root' user 2. On the top right you will see the _<Root\\_Account\\_Name>_ 3. Click on the _<Root\\_Account\\_Name>_ 4. From the drop-down menu Click `My Account`  5. In the `Configure Security Challenge Questions` section on the `Personal Information` page, configure three security challenge questions. 6. Click `Save questions` .",
           "AdditionalInformation": "",
           "References": ""
         }
@@ -334,8 +335,8 @@
           "Description": "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be removed.",
           "RationaleStatement": "Removing access keys associated with the 'root' user account limits vectors by which the account can be compromised. Additionally, removing the 'root' access keys encourages the creation and use of role based accounts that are least privileged.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to delete or disable active 'root' user access keys\n\n**From Console:**\n\n1. Sign in to the AWS Management Console as 'root' and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. Click on _<Root\\_Account\\_Name>_ at the top right and select `My Security Credentials` from the drop down list\n3. On the pop out screen Click on `Continue to Security Credentials` \n4. Click on `Access Keys` _(Access Key ID and Secret Access Key)_\n5. Under the `Status` column if there are any Keys which are Active\n - Click on `Make Inactive` - (Temporarily disable Key - may be needed again)\n - Click `Delete` - (Deleted keys cannot be recovered)",
-          "AuditProcedure": "Perform the following to determine if the 'root' user account has access keys:\n\n**From Console:**\n\n1. Login to the AWS Management Console\n2. Click `Services` \n3. Click `IAM` \n4. Click on `Credential Report` \n5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file\n6. For the `<root_account>` user, ensure the `access_key_1_active` and `access_key_2_active` fields are set to `FALSE` .\n\n**From Command Line:**\n\nRun the following command:\n```\n aws iam get-account-summary | grep \"AccountAccessKeysPresent\" \n```\nIf no 'root' access keys exist the output will show \"AccountAccessKeysPresent\": 0,. \n\nIf the output shows a \"1\" than 'root' keys exist, refer to the remediation procedure below.",
+          "RemediationProcedure": "Perform the following to delete or disable active 'root' user access keys  **From Console:**  1. Sign in to the AWS Management Console as 'root' and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. Click on _<Root\\_Account\\_Name>_ at the top right and select `My Security Credentials` from the drop down list 3. On the pop out screen Click on `Continue to Security Credentials`  4. Click on `Access Keys` _(Access Key ID and Secret Access Key)_ 5. Under the `Status` column if there are any Keys which are Active  - Click on `Make Inactive` - (Temporarily disable Key - may be needed again)  - Click `Delete` - (Deleted keys cannot be recovered)",
+          "AuditProcedure": "Perform the following to determine if the 'root' user account has access keys:  **From Console:**  1. Login to the AWS Management Console 2. Click `Services`  3. Click `IAM`  4. Click on `Credential Report`  5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `<root_account>` user, ensure the `access_key_1_active` and `access_key_2_active` fields are set to `FALSE` .  **From Command Line:**  Run the following command: ```  aws iam get-account-summary | grep \"AccountAccessKeysPresent\"  ``` If no 'root' access keys exist the output will show \"AccountAccessKeysPresent\": 0,.   If the output shows a \"1\" than 'root' keys exist, refer to the remediation procedure below.",
           "AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions is not enabled by default. However, on request to AWS support enables 'root' access only through access-keys (CLI, API methods) for us-gov cloud region.",
           "References": "http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html:https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/"
         }
@@ -352,11 +353,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.\n\n**Note:** When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. (\"non-personal virtual MFA\") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.",
+          "Description": "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.  **Note:** When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. (\"non-personal virtual MFA\") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.",
           "RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to establish MFA for the 'root' user account:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n\n Note: to manage MFA devices for the 'root' AWS account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.\n\n2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account.\n3. Choose `Activate MFA` \n4. In the wizard, choose `A virtual MFA` device and then choose `Next Step` .\n5. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.\n6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](http://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications).) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).\n7. Determine whether the MFA app supports QR codes, and then do one of the following:\n\n - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.\n - In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.\n\nWhen you are finished, the virtual MFA device starts generating one-time passwords.\n\nIn the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Assign Virtual MFA.",
-          "AuditProcedure": "Perform the following to determine if the 'root' user account has MFA setup:\n\n**From Console:**\n\n1. Login to the AWS Management Console\n2. Click `Services` \n3. Click `IAM` \n4. Click on `Credential Report` \n5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file\n6. For the `<root_account>` user, ensure the `mfa_active` field is set to `TRUE` .\n\n**From Command Line:**\n\n1. Run the following command:\n```\n aws iam get-account-summary | grep \"AccountMFAEnabled\"\n```\n2. Ensure the AccountMFAEnabled property is set to 1",
+          "RemediationProcedure": "Perform the following to establish MFA for the 'root' user account:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).   Note: to manage MFA devices for the 'root' AWS account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.  2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`  4. In the wizard, choose `A virtual MFA` device and then choose `Next Step` . 5. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](http://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications).) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following:   - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.  - In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.  When you are finished, the virtual MFA device starts generating one-time passwords.  In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Assign Virtual MFA.",
+          "AuditProcedure": "Perform the following to determine if the 'root' user account has MFA setup:  **From Console:**  1. Login to the AWS Management Console 2. Click `Services`  3. Click `IAM`  4. Click on `Credential Report`  5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `<root_account>` user, ensure the `mfa_active` field is set to `TRUE` .  **From Command Line:**  1. Run the following command: ```  aws iam get-account-summary | grep \"AccountMFAEnabled\" ``` 2. Ensure the AccountMFAEnabled property is set to 1",
           "AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions does not have console access. This recommendation is not applicable for us-gov cloud regions.",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root"
         }
@@ -374,10 +375,10 @@
           "Profile": "Level 2",
           "AssessmentStatus": "Automated",
           "Description": "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the 'root' user account be protected with a hardware MFA.",
-          "RationaleStatement": "A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.\n\n**Note**: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.",
+          "RationaleStatement": "A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.  **Note**: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to establish a hardware MFA for the 'root' user account:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\nNote: to manage MFA devices for the AWS 'root' user account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.\n2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account.\n3. Choose `Activate MFA` \n4. In the wizard, choose `A hardware MFA` device and then choose `Next Step` .\n5. In the `Serial Number` box, enter the serial number that is found on the back of the MFA device.\n6. In the `Authentication Code 1` box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number.\n7. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the `Authentication Code 2` box. You might need to press the button on the front of the device again to display the second number.\n8. Choose `Next Step` . The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.\n\nRemediation for this recommendation is not available through AWS CLI.",
-          "AuditProcedure": "Perform the following to determine if the 'root' user account has a hardware MFA setup:\n\n1. Run the following command to determine if the 'root' account has MFA setup:\n```\n aws iam get-account-summary | grep \"AccountMFAEnabled\"\n```\n\nThe `AccountMFAEnabled` property is set to `1` will ensure that the 'root' user account has MFA (Virtual or Hardware) Enabled.\nIf `AccountMFAEnabled` property is set to `0` the account is not compliant with this recommendation.\n\n2. If `AccountMFAEnabled` property is set to `1`, determine 'root' account has Hardware MFA enabled.\nRun the following command to list all virtual MFA devices:\n```\n aws iam list-virtual-mfa-devices \n```\nIf the output contains one MFA with the following Serial Number, it means the MFA is virtual, not hardware and the account is not compliant with this recommendation:\n\n `\"SerialNumber\": \"arn:aws:iam::_<aws_account_number>_:mfa/root-account-mfa-device\"`",
+          "RemediationProcedure": "Perform the following to establish a hardware MFA for the 'root' user account:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the AWS 'root' user account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials. 2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`  4. In the wizard, choose `A hardware MFA` device and then choose `Next Step` . 5. In the `Serial Number` box, enter the serial number that is found on the back of the MFA device. 6. In the `Authentication Code 1` box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number. 7. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the `Authentication Code 2` box. You might need to press the button on the front of the device again to display the second number. 8. Choose `Next Step` . The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.  Remediation for this recommendation is not available through AWS CLI.",
+          "AuditProcedure": "Perform the following to determine if the 'root' user account has a hardware MFA setup:  1. Run the following command to determine if the 'root' account has MFA setup: ```  aws iam get-account-summary | grep \"AccountMFAEnabled\" ```  The `AccountMFAEnabled` property is set to `1` will ensure that the 'root' user account has MFA (Virtual or Hardware) Enabled. If `AccountMFAEnabled` property is set to `0` the account is not compliant with this recommendation.  2. If `AccountMFAEnabled` property is set to `1`, determine 'root' account has Hardware MFA enabled. Run the following command to list all virtual MFA devices: ```  aws iam list-virtual-mfa-devices  ``` If the output contains one MFA with the following Serial Number, it means the MFA is virtual, not hardware and the account is not compliant with this recommendation:   `\"SerialNumber\": \"arn:aws:iam::_<aws_account_number>_:mfa/root-account-mfa-device\"`",
           "AdditionalInformation": "IAM User account 'root' for us-gov cloud regions does not have console access. This control is not applicable for us-gov cloud regions.",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html#enable-hw-mfa-for-root"
         }
@@ -397,9 +398,9 @@
           "Description": "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.",
           "RationaleStatement": "The 'root user' has unrestricted access to and control over all account resources. Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.",
           "ImpactStatement": "",
-          "RemediationProcedure": "If you find that the 'root' user account is being used for daily activity to include administrative tasks that do not require the 'root' user:\n\n1. Change the 'root' user password.\n2. Deactivate or delete any access keys associate with the 'root' user.\n\n**Remember, anyone who has 'root' user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.",
-          "AuditProcedure": "**From Console:**\n\n1. Login to the AWS Management Console at `https://console.aws.amazon.com/iam/`\n2. In the left pane, click `Credential Report`\n3. Click on `Download Report`\n4. Open of Save the file locally\n5. Locate the `<root account>` under the user column\n6. Review `password_last_used, access_key_1_last_used_date, access_key_2_last_used_date` to determine when the 'root user' was last used.\n\n**From Command Line:**\n\nRun the following CLI commands to provide a credential report for determining the last time the 'root user' was used:\n```\naws iam generate-credential-report\n```\n```\naws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,5,11,16 | grep -B1 '<root_account>'\n```\n\nReview `password_last_used`, `access_key_1_last_used_date`, `access_key_2_last_used_date` to determine when the _root user_ was last used.\n\n**Note:** There are a few conditions under which the use of the 'root' user account is required. Please see the reference links for all of the tasks that require use of the 'root' user.",
-          "AdditionalInformation": "The 'root' user for us-gov cloud regions is not enabled by default. However, on request to AWS support, they can enable the 'root' user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. If the 'root' user for us-gov cloud regions is enabled, this recommendation is applicable.\n\nMonitoring usage of the 'root' user can be accomplished by implementing recommendation 3.3 Ensure a log metric filter and alarm exist for usage of the 'root' user.",
+          "RemediationProcedure": "If you find that the 'root' user account is being used for daily activity to include administrative tasks that do not require the 'root' user:  1. Change the 'root' user password. 2. Deactivate or delete any access keys associate with the 'root' user.  **Remember, anyone who has 'root' user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.",
+          "AuditProcedure": "**From Console:**  1. Login to the AWS Management Console at `https://console.aws.amazon.com/iam/` 2. In the left pane, click `Credential Report` 3. Click on `Download Report` 4. Open of Save the file locally 5. Locate the `<root account>` under the user column 6. Review `password_last_used, access_key_1_last_used_date, access_key_2_last_used_date` to determine when the 'root user' was last used.  **From Command Line:**  Run the following CLI commands to provide a credential report for determining the last time the 'root user' was used: ``` aws iam generate-credential-report ``` ``` aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,5,11,16 | grep -B1 '<root_account>' ```  Review `password_last_used`, `access_key_1_last_used_date`, `access_key_2_last_used_date` to determine when the _root user_ was last used.  **Note:** There are a few conditions under which the use of the 'root' user account is required. Please see the reference links for all of the tasks that require use of the 'root' user.",
+          "AdditionalInformation": "The 'root' user for us-gov cloud regions is not enabled by default. However, on request to AWS support, they can enable the 'root' user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. If the 'root' user for us-gov cloud regions is enabled, this recommendation is applicable.  Monitoring usage of the 'root' user can be accomplished by implementing recommendation 3.3 Ensure a log metric filter and alarm exist for usage of the 'root' user.",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html:https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html"
         }
       ]
@@ -418,8 +419,8 @@
           "Description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14.",
           "RationaleStatement": "Setting a password complexity policy increases account resiliency against brute force login attempts.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to set the password policy as prescribed:\n\n**From Console:**\n\n1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)\n2. Go to IAM Service on the AWS Console\n3. Click on Account Settings on the Left Pane\n4. Set \"Minimum password length\" to `14` or greater.\n5. Click \"Apply password policy\"\n\n**From Command Line:**\n```\n aws iam update-account-password-policy --minimum-password-length 14\n```\nNote: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.",
-          "AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:\n\n**From Console:**\n\n1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)\n2. Go to IAM Service on the AWS Console\n3. Click on Account Settings on the Left Pane\n4. Ensure \"Minimum password length\" is set to 14 or greater.\n\n**From Command Line:**\n```\naws iam get-account-password-policy\n```\nEnsure the output of the above command includes \"MinimumPasswordLength\": 14 (or higher)",
+          "RemediationProcedure": "Perform the following to set the password policy as prescribed:  **From Console:**  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Set \"Minimum password length\" to `14` or greater. 5. Click \"Apply password policy\"  **From Command Line:** ```  aws iam update-account-password-policy --minimum-password-length 14 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.",
+          "AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:  **From Console:**  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Minimum password length\" is set to 14 or greater.  **From Command Line:** ``` aws iam get-account-password-policy ``` Ensure the output of the above command includes \"MinimumPasswordLength\": 14 (or higher)",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy"
         }
@@ -439,8 +440,8 @@
           "Description": "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.",
           "RationaleStatement": "Preventing password reuse increases account resiliency against brute force login attempts.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to set the password policy as prescribed:\n\n**From Console:**\n\n1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)\n2. Go to IAM Service on the AWS Console\n3. Click on Account Settings on the Left Pane\n4. Check \"Prevent password reuse\"\n5. Set \"Number of passwords to remember\" is set to `24` \n\n**From Command Line:**\n```\n aws iam update-account-password-policy --password-reuse-prevention 24\n```\nNote: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.",
-          "AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:\n\n**From Console:**\n\n1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)\n2. Go to IAM Service on the AWS Console\n3. Click on Account Settings on the Left Pane\n4. Ensure \"Prevent password reuse\" is checked\n5. Ensure \"Number of passwords to remember\" is set to 24\n\n**From Command Line:**\n```\naws iam get-account-password-policy \n```\nEnsure the output of the above command includes \"PasswordReusePrevention\": 24",
+          "RemediationProcedure": "Perform the following to set the password policy as prescribed:  **From Console:**  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Check \"Prevent password reuse\" 5. Set \"Number of passwords to remember\" is set to `24`   **From Command Line:** ```  aws iam update-account-password-policy --password-reuse-prevention 24 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.",
+          "AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:  **From Console:**  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Prevent password reuse\" is checked 5. Ensure \"Number of passwords to remember\" is set to 24  **From Command Line:** ``` aws iam get-account-password-policy  ``` Ensure the output of the above command includes \"PasswordReusePrevention\": 24",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy"
         }
@@ -460,8 +461,8 @@
           "Description": "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.",
           "RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.",
           "ImpactStatement": "Amazon S3 buckets with default bucket encryption using SSE-KMS cannot be used as destination buckets for Amazon S3 server access logging. Only SSE-S3 default encryption is supported for server access log destination buckets.",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Select a Bucket.\n3. Click on 'Properties'.\n4. Click edit on `Default Encryption`.\n5. Select either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`.\n6. Click `Save`\n7. Repeat for all the buckets in your AWS account lacking encryption.\n\n**From Command Line:**\n\nRun either \n```\naws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}'\n```\n or \n```\naws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}'\n```\n\n**Note:** the KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.",
-          "AuditProcedure": "**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Select a Bucket.\n3. Click on 'Properties'.\n4. Verify that `Default Encryption` is enabled, and displays either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`.\n5. Repeat for all the buckets in your AWS account.\n\n**From Command Line:**\n\n1. Run command to list buckets\n```\naws s3 ls\n```\n2. For each bucket, run \n```\naws s3api get-bucket-encryption --bucket <bucket name>\n```\n3. Verify that either \n```\n\"SSEAlgorithm\": \"AES256\"\n```\n or \n```\n\"SSEAlgorithm\": \"aws:kms\"```\n is displayed.",
+          "RemediationProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Select a Bucket. 3. Click on 'Properties'. 4. Click edit on `Default Encryption`. 5. Select either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 6. Click `Save` 7. Repeat for all the buckets in your AWS account lacking encryption.  **From Command Line:**  Run either  ``` aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}' ```  or  ``` aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}' ```  **Note:** the KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.",
+          "AuditProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Select a Bucket. 3. Click on 'Properties'. 4. Verify that `Default Encryption` is enabled, and displays either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 5. Repeat for all the buckets in your AWS account.  **From Command Line:**  1. Run command to list buckets ``` aws s3 ls ``` 2. For each bucket, run  ``` aws s3api get-bucket-encryption --bucket <bucket name> ``` 3. Verify that either  ``` \"SSEAlgorithm\": \"AES256\" ```  or  ``` \"SSEAlgorithm\": \"aws:kms\"```  is displayed.",
           "AdditionalInformation": "S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does **not** encrypt objects previously stored within the bucket.",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html:https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources"
         }
@@ -481,8 +482,8 @@
           "Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.",
           "RationaleStatement": "By default, Amazon S3 allows both HTTP and HTTPS requests. To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/\n2. Select the Check box next to the Bucket.\n3. Click on 'Permissions'.\n4. Click 'Bucket Policy'\n5. Add this to the existing policy filling in the required information\n```\n{\n \"Sid\": <optional>\",\n \"Effect\": \"Deny\",\n \"Principal\": \"*\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n }\n```\n6. Save\n7. Repeat for all the buckets in your AWS account that contain sensitive data.\n\n**From Console** \n\nusing AWS Policy Generator:\n\n1. Repeat steps 1-4 above.\n2. Click on `Policy Generator` at the bottom of the Bucket Policy Editor\n3. Select Policy Type\n`S3 Bucket Policy`\n4. Add Statements\n- `Effect` = Deny\n- `Principal` = *\n- `AWS Service` = Amazon S3\n- `Actions` = *\n- `Amazon Resource Name` = <ARN of the S3 Bucket>\n5. Generate Policy\n6. Copy the text and add it to the Bucket Policy.\n\n**From Command Line:**\n\n1. Export the bucket policy to a json file.\n```\naws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text > policy.json\n```\n\n2. Modify the policy.json file by adding in this statement:\n```\n{\n \"Sid\": <optional>\",\n \"Effect\": \"Deny\",\n \"Principal\": \"*\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n }\n```\n3. Apply this modified policy back to the S3 bucket:\n```\naws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json\n```",
-          "AuditProcedure": "To allow access to HTTPS you can use a condition that checks for the key `\"aws:SecureTransport: true\"`. This means that the request is sent through HTTPS but that HTTP can still be used. So to make sure you do not allow HTTP access confirm that there is a bucket policy that explicitly denies access for HTTP requests and that it contains the key \"aws:SecureTransport\": \"false\".\n\n**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/\n2. Select the Check box next to the Bucket.\n3. Click on 'Permissions', then Click on `Bucket Policy`.\n4. Ensure that a policy is listed that matches:\n```\n'{\n \"Sid\": <optional>,\n \"Effect\": \"Deny\",\n \"Principal\": \"*\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }'\n```\n`<optional>` and `<bucket_name>` will be specific to your account\n\n5. Repeat for all the buckets in your AWS account.\n\n**From Command Line:**\n\n1. List all of the S3 Buckets \n```\naws s3 ls\n```\n2. Using the list of buckets run this command on each of them:\n```\naws s3api get-bucket-policy --bucket <bucket_name> | grep aws:SecureTransport\n```\n3. Confirm that `aws:SecureTransport` is set to false `aws:SecureTransport:false`\n4. Confirm that the policy line has Effect set to Deny 'Effect:Deny'",
+          "RemediationProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions'. 4. Click 'Bucket Policy' 5. Add this to the existing policy filling in the required information ``` {  \"Sid\": <optional>\",  \"Effect\": \"Deny\",  \"Principal\": \"*\",  \"Action\": \"s3:*\",  \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",  \"Condition\": {  \"Bool\": {  \"aws:SecureTransport\": \"false\"  }  }  } ``` 6. Save 7. Repeat for all the buckets in your AWS account that contain sensitive data.  **From Console**   using AWS Policy Generator:  1. Repeat steps 1-4 above. 2. Click on `Policy Generator` at the bottom of the Bucket Policy Editor 3. Select Policy Type `S3 Bucket Policy` 4. Add Statements - `Effect` = Deny - `Principal` = * - `AWS Service` = Amazon S3 - `Actions` = * - `Amazon Resource Name` = <ARN of the S3 Bucket> 5. Generate Policy 6. Copy the text and add it to the Bucket Policy.  **From Command Line:**  1. Export the bucket policy to a json file. ``` aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text > policy.json ```  2. Modify the policy.json file by adding in this statement: ``` {  \"Sid\": <optional>\",  \"Effect\": \"Deny\",  \"Principal\": \"*\",  \"Action\": \"s3:*\",  \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",  \"Condition\": {  \"Bool\": {  \"aws:SecureTransport\": \"false\"  }  }  } ``` 3. Apply this modified policy back to the S3 bucket: ``` aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json ```",
+          "AuditProcedure": "To allow access to HTTPS you can use a condition that checks for the key `\"aws:SecureTransport: true\"`. This means that the request is sent through HTTPS but that HTTP can still be used. So to make sure you do not allow HTTP access confirm that there is a bucket policy that explicitly denies access for HTTP requests and that it contains the key \"aws:SecureTransport\": \"false\".  **From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions', then Click on `Bucket Policy`. 4. Ensure that a policy is listed that matches: ``` '{  \"Sid\": <optional>,  \"Effect\": \"Deny\",  \"Principal\": \"*\",  \"Action\": \"s3:*\",  \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",  \"Condition\": {  \"Bool\": {  \"aws:SecureTransport\": \"false\"  }' ``` `<optional>` and `<bucket_name>` will be specific to your account  5. Repeat for all the buckets in your AWS account.  **From Command Line:**  1. List all of the S3 Buckets  ``` aws s3 ls ``` 2. Using the list of buckets run this command on each of them: ``` aws s3api get-bucket-policy --bucket <bucket_name> | grep aws:SecureTransport ``` 3. Confirm that `aws:SecureTransport` is set to false `aws:SecureTransport:false` 4. Confirm that the policy line has Effect set to Deny 'Effect:Deny'",
           "AdditionalInformation": "",
           "References": "https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/:https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html"
         }
@@ -502,8 +503,8 @@
           "Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.",
           "RationaleStatement": "Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete and object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the steps below to enable MFA delete on an S3 bucket.\n\nNote:\n-You cannot enable MFA Delete using the AWS Management Console. You must use the AWS CLI or API.\n-You must use your 'root' account to enable MFA Delete on S3 buckets.\n\n**From Command line:**\n\n1. Run the s3api put-bucket-versioning command\n\n```\naws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa “arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode”\n```",
-          "AuditProcedure": "Perform the steps below to confirm MFA delete is configured on an S3 Bucket\n\n**From Console:**\n\n1. Login to the S3 console at `https://console.aws.amazon.com/s3/`\n\n2. Click the `Check` box next to the Bucket name you want to confirm\n\n3. In the window under `Properties`\n\n4. Confirm that Versioning is `Enabled`\n\n5. Confirm that MFA Delete is `Enabled`\n\n**From Command Line:**\n\n1. Run the `get-bucket-versioning`\n```\naws s3api get-bucket-versioning --bucket my-bucket\n```\n\nOutput example:\n```\n<VersioningConfiguration xmlns=\"http://s3.amazonaws.com/doc/2006-03-01/\"> \n <Status>Enabled</Status>\n <MfaDelete>Enabled</MfaDelete> \n</VersioningConfiguration>\n```\n\nIf the Console or the CLI output does not show Versioning and MFA Delete `enabled` refer to the remediation below.",
+          "RemediationProcedure": "Perform the steps below to enable MFA delete on an S3 bucket.  Note: -You cannot enable MFA Delete using the AWS Management Console. You must use the AWS CLI or API. -You must use your 'root' account to enable MFA Delete on S3 buckets.  **From Command line:**  1. Run the s3api put-bucket-versioning command  ``` aws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa “arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode” ```",
+          "AuditProcedure": "Perform the steps below to confirm MFA delete is configured on an S3 Bucket  **From Console:**  1. Login to the S3 console at `https://console.aws.amazon.com/s3/`  2. Click the `Check` box next to the Bucket name you want to confirm  3. In the window under `Properties`  4. Confirm that Versioning is `Enabled`  5. Confirm that MFA Delete is `Enabled`  **From Command Line:**  1. Run the `get-bucket-versioning` ``` aws s3api get-bucket-versioning --bucket my-bucket ```  Output example: ``` <VersioningConfiguration xmlns=\"http://s3.amazonaws.com/doc/2006-03-01/\">   <Status>Enabled</Status>  <MfaDelete>Enabled</MfaDelete>  </VersioningConfiguration> ```  If the Console or the CLI output does not show Versioning and MFA Delete `enabled` refer to the remediation below.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete:https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html:https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html"
         }
@@ -521,10 +522,10 @@
           "Profile": "Level 2",
           "AssessmentStatus": "Manual",
           "Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.",
-          "RationaleStatement": "Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.\n\nAmazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.",
+          "RationaleStatement": "Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.  Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.",
           "ImpactStatement": "There is a cost associated with using Amazon Macie. There is also typically a cost associated with 3rd Party tools that perform similar processes and protection.",
-          "RemediationProcedure": "Perform the steps below to enable and configure Amazon Macie\n\n**From Console:**\n\n1. Log on to the Macie console at `https://console.aws.amazon.com/macie/`\n\n2. Click `Get started`.\n\n3. Click `Enable Macie`.\n\nSetup a repository for sensitive data discovery results\n\n1. In the Left pane, under Settings, click `Discovery results`.\n\n2. Make sure `Create bucket` is selected.\n\n3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.\n\n4. Click on `Advanced`.\n\n5. Block all public access, make sure `Yes` is selected.\n\n6. KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.\n\n7. Click on `Save`\n\nCreate a job to discover sensitive data\n\n1. In the left pane, click `S3 buckets`. Macie displays a list of all the S3 buckets for your account.\n\n2. Select the `check box` for each bucket that you want Macie to analyze as part of the job\n\n3. Click `Create job`.\n\n3. Click `Quick create`.\n\n4. For the Name and description step, enter a name and, optionally, a description of the job.\n\n5. Then click `Next`.\n\n6. For the Review and create step, click `Submit`.\n\nReview your findings\n\n1. In the left pane, click `Findings`.\n\n2. To view the details of a specific finding, choose any field other than the check box for the finding.\n\nIf you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.",
-          "AuditProcedure": "Perform the following steps to determine if Macie is running:\n\n**From Console:**\n\n 1. Login to the Macie console at https://console.aws.amazon.com/macie/\n\n 2. In the left hand pane click on By job under findings.\n\n 3. Confirm that you have a Job setup for your S3 Buckets\n\nWhen you log into the Macie console if you aren't taken to the summary page and you don't have a job setup and running then refer to the remediation procedure below.\n\nIf you are using a 3rd Party tool to manage and protect your s3 data you meet this recommendation.",
+          "RemediationProcedure": "Perform the steps below to enable and configure Amazon Macie  **From Console:**  1. Log on to the Macie console at `https://console.aws.amazon.com/macie/`  2. Click `Get started`.  3. Click `Enable Macie`.  Setup a repository for sensitive data discovery results  1. In the Left pane, under Settings, click `Discovery results`.  2. Make sure `Create bucket` is selected.  3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.  4. Click on `Advanced`.  5. Block all public access, make sure `Yes` is selected.  6. KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.  7. Click on `Save`  Create a job to discover sensitive data  1. In the left pane, click `S3 buckets`. Macie displays a list of all the S3 buckets for your account.  2. Select the `check box` for each bucket that you want Macie to analyze as part of the job  3. Click `Create job`.  3. Click `Quick create`.  4. For the Name and description step, enter a name and, optionally, a description of the job.  5. Then click `Next`.  6. For the Review and create step, click `Submit`.  Review your findings  1. In the left pane, click `Findings`.  2. To view the details of a specific finding, choose any field other than the check box for the finding.  If you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.",
+          "AuditProcedure": "Perform the following steps to determine if Macie is running:  **From Console:**   1. Login to the Macie console at https://console.aws.amazon.com/macie/   2. In the left hand pane click on By job under findings.   3. Confirm that you have a Job setup for your S3 Buckets  When you log into the Macie console if you aren't taken to the summary page and you don't have a job setup and running then refer to the remediation procedure below.  If you are using a 3rd Party tool to manage and protect your s3 data you meet this recommendation.",
           "AdditionalInformation": "",
           "References": "https://aws.amazon.com/macie/getting-started/:https://docs.aws.amazon.com/workspaces/latest/adminguide/data-protection.html:https://docs.aws.amazon.com/macie/latest/user/data-classification.html"
         }
@@ -543,10 +544,10 @@
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
           "Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.",
-          "RationaleStatement": "Amazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective bucket(s). \n\nAmazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.\n\nWhether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.",
+          "RationaleStatement": "Amazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective bucket(s).   Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.  Whether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.",
           "ImpactStatement": "When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.",
-          "RemediationProcedure": "**If utilizing Block Public Access (bucket settings)**\n\n**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Select the Check box next to the Bucket.\n3. Click on 'Edit public access settings'.\n4. Click 'Block all public access'\n5. Repeat for all the buckets in your AWS account that contain sensitive data.\n\n**From Command Line:**\n\n1. List all of the S3 Buckets\n```\naws s3 ls\n```\n2. Set the Block Public Access to true on that bucket\n```\naws s3api put-public-access-block --bucket <name-of-bucket> --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\"\n```\n\n**If utilizing Block Public Access (account settings)**\n\n**From Console:**\n\nIf the output reads `true` for the separate configuration settings then it is set on the account.\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Choose `Block Public Access (account settings)`\n3. Choose `Edit` to change the block public access settings for all the buckets in your AWS account\n4. Choose the settings you want to change, and then choose `Save`. For details about each setting, pause on the `i` icons.\n5. When you're asked for confirmation, enter `confirm`. Then Click `Confirm` to save your changes.\n\n**From Command Line:**\n\nTo set Block Public access settings for this account, run the following command:\n```\naws s3control put-public-access-block\n--public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true\n--account-id <value>\n```",
-          "AuditProcedure": "**If utilizing Block Public Access (bucket settings)**\n\n**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Select the Check box next to the Bucket.\n3. Click on 'Edit public access settings'.\n4. Ensure that block public access settings are set appropriately for this bucket\n5. Repeat for all the buckets in your AWS account.\n\n**From Command Line:**\n\n1. List all of the S3 Buckets\n```\naws s3 ls\n```\n2. Find the public access setting on that bucket\n```\naws s3api get-public-access-block --bucket <name-of-the-bucket>\n```\nOutput if Block Public access is enabled:\n\n```\n{\n \"PublicAccessBlockConfiguration\": {\n \"BlockPublicAcls\": true,\n \"IgnorePublicAcls\": true,\n \"BlockPublicPolicy\": true,\n \"RestrictPublicBuckets\": true\n }\n}\n```\n\nIf the output reads `false` for the separate configuration settings then proceed to the remediation.\n\n**If utilizing Block Public Access (account settings)**\n\n**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Choose `Block public access (account settings)`\n3. Ensure that block public access settings are set appropriately for your AWS account.\n\n**From Command Line:**\n\nTo check Public access settings for this account status, run the following command,\n`aws s3control get-public-access-block --account-id <ACCT_ID> --region <REGION_NAME>`\n\nOutput if Block Public access is enabled:\n\n```\n{\n \"PublicAccessBlockConfiguration\": {\n \"IgnorePublicAcls\": true, \n \"BlockPublicPolicy\": true, \n \"BlockPublicAcls\": true, \n \"RestrictPublicBuckets\": true\n }\n}\n```\n\nIf the output reads `false` for the separate configuration settings then proceed to the remediation.",
+          "RemediationProcedure": "**If utilizing Block Public Access (bucket settings)**  **From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Click 'Block all public access' 5. Repeat for all the buckets in your AWS account that contain sensitive data.  **From Command Line:**  1. List all of the S3 Buckets ``` aws s3 ls ``` 2. Set the Block Public Access to true on that bucket ``` aws s3api put-public-access-block --bucket <name-of-bucket> --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\" ```  **If utilizing Block Public Access (account settings)**  **From Console:**  If the output reads `true` for the separate configuration settings then it is set on the account.  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Choose `Block Public Access (account settings)` 3. Choose `Edit` to change the block public access settings for all the buckets in your AWS account 4. Choose the settings you want to change, and then choose `Save`. For details about each setting, pause on the `i` icons. 5. When you're asked for confirmation, enter `confirm`. Then Click `Confirm` to save your changes.  **From Command Line:**  To set Block Public access settings for this account, run the following command: ``` aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id <value> ```",
+          "AuditProcedure": "**If utilizing Block Public Access (bucket settings)**  **From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Ensure that block public access settings are set appropriately for this bucket 5. Repeat for all the buckets in your AWS account.  **From Command Line:**  1. List all of the S3 Buckets ``` aws s3 ls ``` 2. Find the public access setting on that bucket ``` aws s3api get-public-access-block --bucket <name-of-the-bucket> ``` Output if Block Public access is enabled:  ``` {  \"PublicAccessBlockConfiguration\": {  \"BlockPublicAcls\": true,  \"IgnorePublicAcls\": true,  \"BlockPublicPolicy\": true,  \"RestrictPublicBuckets\": true  } } ```  If the output reads `false` for the separate configuration settings then proceed to the remediation.  **If utilizing Block Public Access (account settings)**  **From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Choose `Block public access (account settings)` 3. Ensure that block public access settings are set appropriately for your AWS account.  **From Command Line:**  To check Public access settings for this account status, run the following command, `aws s3control get-public-access-block --account-id <ACCT_ID> --region <REGION_NAME>`  Output if Block Public access is enabled:  ``` {  \"PublicAccessBlockConfiguration\": {  \"IgnorePublicAcls\": true,   \"BlockPublicPolicy\": true,   \"BlockPublicAcls\": true,   \"RestrictPublicBuckets\": true  } } ```  If the output reads `false` for the separate configuration settings then proceed to the remediation.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html"
         }
@@ -566,8 +567,8 @@
           "Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.",
           "RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.",
           "ImpactStatement": "Losing access or removing the KMS key in use by the EBS volumes will result in no longer being able to access the volumes.",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/ \n2. Under `Account attributes`, click `EBS encryption`.\n3. Click `Manage`.\n4. Click the `Enable` checkbox.\n5. Click `Update EBS encryption`\n6. Repeat for every region requiring the change.\n\n**Note:** EBS volume encryption is configured per region.\n\n**From Command Line:**\n\n1. Run \n```\naws --region <region> ec2 enable-ebs-encryption-by-default\n```\n2. Verify that `\"EbsEncryptionByDefault\": true` is displayed.\n3. Repeat every region requiring the change.\n\n**Note:** EBS volume encryption is configured per region.",
-          "AuditProcedure": "**From Console:**\n\n1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/ \n2. Under `Account attributes`, click `EBS encryption`.\n3. Verify `Always encrypt new EBS volumes` displays `Enabled`.\n4. Review every region in-use.\n\n**Note:** EBS volume encryption is configured per region.\n\n**From Command Line:**\n\n1. Run \n```\naws --region <region> ec2 get-ebs-encryption-by-default\n```\n2. Verify that `\"EbsEncryptionByDefault\": true` is displayed.\n3. Review every region in-use.\n\n**Note:** EBS volume encryption is configured per region.",
+          "RemediationProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/  2. Under `Account attributes`, click `EBS encryption`. 3. Click `Manage`. 4. Click the `Enable` checkbox. 5. Click `Update EBS encryption` 6. Repeat for every region requiring the change.  **Note:** EBS volume encryption is configured per region.  **From Command Line:**  1. Run  ``` aws --region <region> ec2 enable-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Repeat every region requiring the change.  **Note:** EBS volume encryption is configured per region.",
+          "AuditProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/  2. Under `Account attributes`, click `EBS encryption`. 3. Verify `Always encrypt new EBS volumes` displays `Enabled`. 4. Review every region in-use.  **Note:** EBS volume encryption is configured per region.  **From Command Line:**  1. Run  ``` aws --region <region> ec2 get-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Review every region in-use.  **Note:** EBS volume encryption is configured per region.",
           "AdditionalInformation": "Default EBS volume encryption only applies to newly created EBS volumes. Existing EBS volumes are **not** converted automatically.",
           "References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html:https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/"
         }
@@ -587,8 +588,8 @@
           "Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.",
           "RationaleStatement": "Databases are likely to hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access or disclosure. With RDS encryption enabled, the data stored on the instance's underlying storage, the automated backups, read replicas, and snapshots, are all encrypted.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/.\n2. In the left navigation panel, click on `Databases`\n3. Select the Database instance that needs to be encrypted.\n4. Click on `Actions` button placed at the top right and select `Take Snapshot`.\n5. On the Take Snapshot page, enter a database name of which you want to take a snapshot in the `Snapshot Name` field and click on `Take Snapshot`.\n6. Select the newly created snapshot and click on the `Action` button placed at the top right and select `Copy snapshot` from the Action menu.\n7. On the Make Copy of DB Snapshot page, perform the following:\n\n- In the New DB Snapshot Identifier field, Enter a name for the `new snapshot`.\n- Check `Copy Tags`, New snapshot must have the same tags as the source snapshot.\n- Select `Yes` from the `Enable Encryption` dropdown list to enable encryption, You can choose to use the AWS default encryption key or custom key from Master Key dropdown list.\n\n8. Click `Copy Snapshot` to create an encrypted copy of the selected instance snapshot.\n9. Select the new Snapshot Encrypted Copy and click on the `Action` button placed at the top right and select `Restore Snapshot` button from the Action menu, This will restore the encrypted snapshot to a new database instance.\n10. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field.\n11. Review the instance configuration details and click `Restore DB Instance`.\n12. As the new instance provisioning process is completed can update application configuration to refer to the endpoint of the new Encrypted database instance Once the database endpoint is changed at the application level, can remove the unencrypted instance.\n\n**From Command Line:**\n\n1. Run `describe-db-instances` command to list all RDS database names available in the selected AWS region, The command output should return the database instance identifier.\n```\naws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'\n```\n2. Run `create-db-snapshot` command to create a snapshot for the selected database instance, The command output will return the `new snapshot` with name DB Snapshot Name.\n```\naws rds create-db-snapshot --region <region-name> --db-snapshot-identifier <DB-Snapshot-Name> --db-instance-identifier <DB-Name>\n```\n3. Now run `list-aliases` command to list the KMS keys aliases available in a specified region, The command output should return each `key alias currently available`. For our RDS encryption activation process, locate the ID of the AWS default KMS key.\n```\naws kms list-aliases --region <region-name>\n```\n4. Run `copy-db-snapshot` command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot, The command output will return the `encrypted instance snapshot configuration`.\n```\naws rds copy-db-snapshot --region <region-name> --source-db-snapshot-identifier <DB-Snapshot-Name> --target-db-snapshot-identifier <DB-Snapshot-Name-Encrypted> --copy-tags --kms-key-id <KMS-ID-For-RDS>\n```\n5. Run `restore-db-instance-from-db-snapshot` command to restore the encrypted snapshot created at the previous step to a new database instance, If successful, the command output should return the new encrypted database instance configuration.\n```\naws rds restore-db-instance-from-db-snapshot --region <region-name> --db-instance-identifier <DB-Name-Encrypted> --db-snapshot-identifier <DB-Snapshot-Name-Encrypted>\n```\n6. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region, Output will return database instance identifier name Select encrypted database name that we just created DB-Name-Encrypted.\n```\naws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'\n```\n7. Run again `describe-db-instances` command using the RDS instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True`.\n```\naws rds describe-db-instances --region <region-name> --db-instance-identifier <DB-Name-Encrypted> --query 'DBInstances[*].StorageEncrypted'\n```",
-          "AuditProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/\n2. In the navigation pane, under RDS dashboard, click `Databases`.\n3. Select the RDS Instance that you want to examine\n4. Click `Instance Name` to see details, then click on `Configuration` tab.\n5. Under Configuration Details section, In Storage pane search for the `Encryption Enabled` Status.\n6. If the current status is set to `Disabled`, Encryption is not enabled for the selected RDS Instance database instance.\n7. Repeat steps 3 to 7 to verify encryption status of other RDS Instance in same region.\n8. Change region from the top of the navigation bar and repeat audit for other regions.\n\n**From Command Line:**\n\n1. Run `describe-db-instances` command to list all RDS Instance database names, available in the selected AWS region, Output will return each Instance database identifier-name.\n ```\naws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'\n```\n2. Run again `describe-db-instances` command using the RDS Instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True` Or `False`.\n```\naws rds describe-db-instances --region <region-name> --db-instance-identifier <DB-Name> --query 'DBInstances[*].StorageEncrypted'\n```\n3. If the StorageEncrypted parameter value is `False`, Encryption is not enabled for the selected RDS database instance.\n4. Repeat steps 1 to 3 for auditing each RDS Instance and change Region to verify for other regions",
+          "RemediationProcedure": "**From Console:**  1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases` 3. Select the Database instance that needs to be encrypted. 4. Click on `Actions` button placed at the top right and select `Take Snapshot`. 5. On the Take Snapshot page, enter a database name of which you want to take a snapshot in the `Snapshot Name` field and click on `Take Snapshot`. 6. Select the newly created snapshot and click on the `Action` button placed at the top right and select `Copy snapshot` from the Action menu. 7. On the Make Copy of DB Snapshot page, perform the following:  - In the New DB Snapshot Identifier field, Enter a name for the `new snapshot`. - Check `Copy Tags`, New snapshot must have the same tags as the source snapshot. - Select `Yes` from the `Enable Encryption` dropdown list to enable encryption, You can choose to use the AWS default encryption key or custom key from Master Key dropdown list.  8. Click `Copy Snapshot` to create an encrypted copy of the selected instance snapshot. 9. Select the new Snapshot Encrypted Copy and click on the `Action` button placed at the top right and select `Restore Snapshot` button from the Action menu, This will restore the encrypted snapshot to a new database instance. 10. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field. 11. Review the instance configuration details and click `Restore DB Instance`. 12. As the new instance provisioning process is completed can update application configuration to refer to the endpoint of the new Encrypted database instance Once the database endpoint is changed at the application level, can remove the unencrypted instance.  **From Command Line:**  1. Run `describe-db-instances` command to list all RDS database names available in the selected AWS region, The command output should return the database instance identifier. ``` aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. Run `create-db-snapshot` command to create a snapshot for the selected database instance, The command output will return the `new snapshot` with name DB Snapshot Name. ``` aws rds create-db-snapshot --region <region-name> --db-snapshot-identifier <DB-Snapshot-Name> --db-instance-identifier <DB-Name> ``` 3. Now run `list-aliases` command to list the KMS keys aliases available in a specified region, The command output should return each `key alias currently available`. For our RDS encryption activation process, locate the ID of the AWS default KMS key. ``` aws kms list-aliases --region <region-name> ``` 4. Run `copy-db-snapshot` command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot, The command output will return the `encrypted instance snapshot configuration`. ``` aws rds copy-db-snapshot --region <region-name> --source-db-snapshot-identifier <DB-Snapshot-Name> --target-db-snapshot-identifier <DB-Snapshot-Name-Encrypted> --copy-tags --kms-key-id <KMS-ID-For-RDS> ``` 5. Run `restore-db-instance-from-db-snapshot` command to restore the encrypted snapshot created at the previous step to a new database instance, If successful, the command output should return the new encrypted database instance configuration. ``` aws rds restore-db-instance-from-db-snapshot --region <region-name> --db-instance-identifier <DB-Name-Encrypted> --db-snapshot-identifier <DB-Snapshot-Name-Encrypted> ``` 6. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region, Output will return database instance identifier name Select encrypted database name that we just created DB-Name-Encrypted. ``` aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier' ``` 7. Run again `describe-db-instances` command using the RDS instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True`. ``` aws rds describe-db-instances --region <region-name> --db-instance-identifier <DB-Name-Encrypted> --query 'DBInstances[*].StorageEncrypted' ```",
+          "AuditProcedure": "**From Console:**  1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/ 2. In the navigation pane, under RDS dashboard, click `Databases`. 3. Select the RDS Instance that you want to examine 4. Click `Instance Name` to see details, then click on `Configuration` tab. 5. Under Configuration Details section, In Storage pane search for the `Encryption Enabled` Status. 6. If the current status is set to `Disabled`, Encryption is not enabled for the selected RDS Instance database instance. 7. Repeat steps 3 to 7 to verify encryption status of other RDS Instance in same region. 8. Change region from the top of the navigation bar and repeat audit for other regions.  **From Command Line:**  1. Run `describe-db-instances` command to list all RDS Instance database names, available in the selected AWS region, Output will return each Instance database identifier-name.  ``` aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. Run again `describe-db-instances` command using the RDS Instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True` Or `False`. ``` aws rds describe-db-instances --region <region-name> --db-instance-identifier <DB-Name> --query 'DBInstances[*].StorageEncrypted' ``` 3. If the StorageEncrypted parameter value is `False`, Encryption is not enabled for the selected RDS database instance. 4. Repeat steps 1 to 3 for auditing each RDS Instance and change Region to verify for other regions",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html:https://aws.amazon.com/blogs/database/selecting-the-right-encryption-options-for-amazon-rds-and-amazon-aurora-database-engines/#:~:text=With%20RDS%2Dencrypted%20resources%2C%20data,transparent%20to%20your%20database%20engine.:https://aws.amazon.com/rds/features/security/"
         }
@@ -608,8 +609,8 @@
           "Description": "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.",
           "RationaleStatement": "AWS RDS will occasionally deprecate minor engine versions and provide new ones for an upgrade. When the last version number within the release is replaced, the version changed is considered minor. With Auto Minor Version Upgrade feature enabled, the version upgrades will occur automatically during the specified maintenance window so your RDS instances can get the new features, bug fixes, and security patches for their database engines.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.\n2. In the left navigation panel, click on `Databases`.\n3. Select the RDS instance that wants to update.\n4. Click on the `Modify` button placed on the top right side.\n5. On the `Modify DB Instance: <instance identifier>` page, In the `Maintenance` section, select `Auto minor version upgrade` click on the `Yes` radio button.\n6. At the bottom of the page click on `Continue`, check to Apply Immediately to apply the changes immediately, or select `Apply during the next scheduled maintenance window` to avoid any downtime.\n7. Review the changes and click on `Modify DB Instance`. The instance status should change from available to modifying and back to available. Once the feature is enabled, the `Auto Minor Version Upgrade` status should change to `Yes`.\n\n**From Command Line:**\n\n1. Run `describe-db-instances` command to list all RDS database instance names, available in the selected AWS region:\n```\naws rds describe-db-instances --region <regionName> --query 'DBInstances[*].DBInstanceIdentifier'\n```\n2. The command output should return each database instance identifier.\n3. Run the `modify-db-instance` command to modify the selected RDS instance configuration this command will apply the changes immediately, Remove `--apply-immediately` to apply changes during the next scheduled maintenance window and avoid any downtime:\n```\naws rds modify-db-instance --region <regionName> --db-instance-identifier <dbInstanceIdentifier> --auto-minor-version-upgrade --apply-immediately\n```\n4. The command output should reveal the new configuration metadata for the RDS instance and check `AutoMinorVersionUpgrade` parameter value.\n5. Run `describe-db-instances` command to check if the Auto Minor Version Upgrade feature has been successfully enable:\n```\naws rds describe-db-instances --region <regionName> --db-instance-identifier <dbInstanceIdentifier> --query 'DBInstances[*].AutoMinorVersionUpgrade'\n```\n6. The command output should return the feature current status set to `true`, the feature is `enabled` and the minor engine upgrades will be applied to the selected RDS instance.",
-          "AuditProcedure": "**From Console:**\n\n1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.\n2. In the left navigation panel, click on `Databases`.\n3. Select the RDS instance that wants to examine.\n4. Click on the `Maintenance and backups` panel.\n5. Under the `Maintenance` section, search for the Auto Minor Version Upgrade status.\n- If the current status is set to `Disabled`, means the feature is not set and the minor engine upgrades released will not be applied to the selected RDS instance\n\n**From Command Line:**\n\n1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region:\n```\naws rds describe-db-instances --region <regionName> --query 'DBInstances[*].DBInstanceIdentifier'\n```\n2. The command output should return each database instance identifier.\n3. Run again `describe-db-instances` command using the RDS instance identifier returned earlier to determine the Auto Minor Version Upgrade status for the selected instance:\n```\naws rds describe-db-instances --region <regionName> --db-instance-identifier <dbInstanceIdentifier> --query 'DBInstances[*].AutoMinorVersionUpgrade'\n```\n4. The command output should return the feature current status. If the current status is set to `true`, the feature is enabled and the minor engine upgrades will be applied to the selected RDS instance.",
+          "RemediationProcedure": "**From Console:**  1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases`. 3. Select the RDS instance that wants to update. 4. Click on the `Modify` button placed on the top right side. 5. On the `Modify DB Instance: <instance identifier>` page, In the `Maintenance` section, select `Auto minor version upgrade` click on the `Yes` radio button. 6. At the bottom of the page click on `Continue`, check to Apply Immediately to apply the changes immediately, or select `Apply during the next scheduled maintenance window` to avoid any downtime. 7. Review the changes and click on `Modify DB Instance`. The instance status should change from available to modifying and back to available. Once the feature is enabled, the `Auto Minor Version Upgrade` status should change to `Yes`.  **From Command Line:**  1. Run `describe-db-instances` command to list all RDS database instance names, available in the selected AWS region: ``` aws rds describe-db-instances --region <regionName> --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. Run the `modify-db-instance` command to modify the selected RDS instance configuration this command will apply the changes immediately, Remove `--apply-immediately` to apply changes during the next scheduled maintenance window and avoid any downtime: ``` aws rds modify-db-instance --region <regionName> --db-instance-identifier <dbInstanceIdentifier> --auto-minor-version-upgrade --apply-immediately ``` 4. The command output should reveal the new configuration metadata for the RDS instance and check `AutoMinorVersionUpgrade` parameter value. 5. Run `describe-db-instances` command to check if the Auto Minor Version Upgrade feature has been successfully enable: ``` aws rds describe-db-instances --region <regionName> --db-instance-identifier <dbInstanceIdentifier> --query 'DBInstances[*].AutoMinorVersionUpgrade' ``` 6. The command output should return the feature current status set to `true`, the feature is `enabled` and the minor engine upgrades will be applied to the selected RDS instance.",
+          "AuditProcedure": "**From Console:**  1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases`. 3. Select the RDS instance that wants to examine. 4. Click on the `Maintenance and backups` panel. 5. Under the `Maintenance` section, search for the Auto Minor Version Upgrade status. - If the current status is set to `Disabled`, means the feature is not set and the minor engine upgrades released will not be applied to the selected RDS instance  **From Command Line:**  1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region: ``` aws rds describe-db-instances --region <regionName> --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. Run again `describe-db-instances` command using the RDS instance identifier returned earlier to determine the Auto Minor Version Upgrade status for the selected instance: ``` aws rds describe-db-instances --region <regionName> --db-instance-identifier <dbInstanceIdentifier> --query 'DBInstances[*].AutoMinorVersionUpgrade' ``` 4. The command output should return the feature current status. If the current status is set to `true`, the feature is enabled and the minor engine upgrades will be applied to the selected RDS instance.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html:https://aws.amazon.com/rds/faqs/"
         }
@@ -629,8 +630,8 @@
           "Description": "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.",
           "RationaleStatement": "Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks. When the RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the Internet can establish a connection to your database and this can increase the opportunity for malicious activities such as brute force attacks, PostgreSQL injections, or DoS/DDoS attacks.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.\n2. Under the navigation panel, On RDS Dashboard, click `Databases`.\n3. Select the RDS instance that you want to update.\n4. Click `Modify` from the dashboard top menu.\n5. On the Modify DB Instance panel, under the `Connectivity` section, click on `Additional connectivity configuration` and update the value for `Publicly Accessible` to Not publicly accessible to restrict public access. Follow the below steps to update subnet configurations:\n- Select the `Connectivity and security` tab, and click on the VPC attribute value inside the `Networking` section.\n- Select the `Details` tab from the VPC dashboard bottom panel and click on Route table configuration attribute value.\n- On the Route table details page, select the Routes tab from the dashboard bottom panel and click on `Edit routes`.\n- On the Edit routes page, update the Destination of Target which is set to `igw-xxxxx` and click on `Save` routes.\n6. On the Modify DB Instance panel Click on `Continue` and In the Scheduling of modifications section, perform one of the following actions based on your requirements:\n- Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.\n- Select Apply immediately to apply the changes right away. With this option, any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this RDS database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for the application.\n7. Repeat steps 3 to 6 for each RDS instance available in the current region.\n8. Change the AWS region from the navigation bar to repeat the process for other regions.\n\n**From Command Line:**\n\n1. Run `describe-db-instances` command to list all RDS database names identifiers, available in the selected AWS region:\n```\naws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'\n```\n2. The command output should return each database instance identifier.\n3. Run `modify-db-instance` command to modify the selected RDS instance configuration. Then use the following command to disable the `Publicly Accessible` flag for the selected RDS instances. This command use the apply-immediately flag. If you want `to avoid any downtime --no-apply-immediately flag can be used`:\n```\naws rds modify-db-instance --region <region-name> --db-instance-identifier <db-name> --no-publicly-accessible --apply-immediately\n```\n4. The command output should reveal the `PubliclyAccessible` configuration under pending values and should get applied at the specified time.\n5. Updating the Internet Gateway Destination via AWS CLI is not currently supported To update information about Internet Gateway use the AWS Console Procedure.\n6. Repeat steps 1 to 5 for each RDS instance provisioned in the current region.\n7. Change the AWS region by using the --region filter to repeat the process for other regions.",
-          "AuditProcedure": "**From Console:**\n\n1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.\n2. Under the navigation panel, On RDS Dashboard, click `Databases`.\n3. Select the RDS instance that you want to examine.\n4. Click `Instance Name` from the dashboard, Under `Connectivity and Security.\n5. On the `Security`, check if the Publicly Accessible flag status is set to `Yes`, follow the below-mentioned steps to check database subnet access.\n- In the `networking` section, click the subnet link available under `Subnets`\n- The link will redirect you to the VPC Subnets page.\n- Select the subnet listed on the page and click the `Route Table` tab from the dashboard bottom panel. If the route table contains any entries with the destination `CIDR block set to 0.0.0.0/0` and with an `Internet Gateway` attached.\n- The selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and can be accessible from the Internet.\n6. Repeat steps no. 4 and 5 to determine the type (public or private) and subnet for other RDS database instances provisioned in the current region.\n8. Change the AWS region from the navigation bar and repeat the audit process for other regions.\n\n**From Command Line:**\n\n1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region:\n```\naws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'\n```\n2. The command output should return each database instance `identifier`.\n3. Run again `describe-db-instances` command using the `PubliclyAccessible` parameter as query filter to reveal the database instance Publicly Accessible flag status:\n```\naws rds describe-db-instances --region <region-name> --db-instance-identifier <db-instance-name> --query 'DBInstances[*].PubliclyAccessible'\n```\n4. Check for the Publicly Accessible parameter status, If the Publicly Accessible flag is set to `Yes`. Then selected RDS database instance is publicly accessible and insecure, follow the below-mentioned steps to check database subnet access\n5. Run again `describe-db-instances` command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC subnet(s) associated with the selected instance:\n```\naws rds describe-db-instances --region <region-name> --db-instance-identifier <db-name> --query 'DBInstances[*].DBSubnetGroup.Subnets[]'\n```\n- The command output should list the subnets available in the selected database subnet group.\n6. Run `describe-route-tables` command using the ID of the subnet returned at the previous step to describe the routes of the VPC route table associated with the selected subnet:\n```\naws ec2 describe-route-tables --region <region-name> --filters \"Name=association.subnet-id,Values=<SubnetID>\" --query 'RouteTables[*].Routes[]'\n```\n- If the command returns the route table associated with database instance subnet ID. Check the `GatewayId` and `DestinationCidrBlock` attributes values returned in the output. If the route table contains any entries with the `GatewayId` value set to `igw-xxxxxxxx` and the `DestinationCidrBlock` value set to `0.0.0.0/0`, the selected RDS database instance was provisioned inside a public subnet.\n- Or\n- If the command returns empty results, the route table is implicitly associated with subnet, therefore the audit process continues with the next step\n7. Run again `describe-db-instances` command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC ID associated with the selected instance:\n```\naws rds describe-db-instances --region <region-name> --db-instance-identifier <db-name> --query 'DBInstances[*].DBSubnetGroup.VpcId'\n```\n- The command output should show the VPC ID in the selected database subnet group\n8. Now run `describe-route-tables` command using the ID of the VPC returned at the previous step to describe the routes of the VPC main route table implicitly associated with the selected subnet:\n```\naws ec2 describe-route-tables --region <region-name> --filters \"Name=vpc-id,Values=<VPC-ID>\" \"Name=association.main,Values=true\" --query 'RouteTables[*].Routes[]'\n```\n- The command output returns the VPC main route table implicitly associated with database instance subnet ID. Check the `GatewayId` and `DestinationCidrBlock` attributes values returned in the output. If the route table contains any entries with the `GatewayId` value set to `igw-xxxxxxxx` and the `DestinationCidrBlock` value set to `0.0.0.0/0`, the selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and does not adhere to AWS security best practices.",
+          "RemediationProcedure": "**From Console:**  1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. Under the navigation panel, On RDS Dashboard, click `Databases`. 3. Select the RDS instance that you want to update. 4. Click `Modify` from the dashboard top menu. 5. On the Modify DB Instance panel, under the `Connectivity` section, click on `Additional connectivity configuration` and update the value for `Publicly Accessible` to Not publicly accessible to restrict public access. Follow the below steps to update subnet configurations: - Select the `Connectivity and security` tab, and click on the VPC attribute value inside the `Networking` section. - Select the `Details` tab from the VPC dashboard bottom panel and click on Route table configuration attribute value. - On the Route table details page, select the Routes tab from the dashboard bottom panel and click on `Edit routes`. - On the Edit routes page, update the Destination of Target which is set to `igw-xxxxx` and click on `Save` routes. 6. On the Modify DB Instance panel Click on `Continue` and In the Scheduling of modifications section, perform one of the following actions based on your requirements: - Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window. - Select Apply immediately to apply the changes right away. With this option, any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this RDS database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for the application. 7. Repeat steps 3 to 6 for each RDS instance available in the current region. 8. Change the AWS region from the navigation bar to repeat the process for other regions.  **From Command Line:**  1. Run `describe-db-instances` command to list all RDS database names identifiers, available in the selected AWS region: ``` aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. Run `modify-db-instance` command to modify the selected RDS instance configuration. Then use the following command to disable the `Publicly Accessible` flag for the selected RDS instances. This command use the apply-immediately flag. If you want `to avoid any downtime --no-apply-immediately flag can be used`: ``` aws rds modify-db-instance --region <region-name> --db-instance-identifier <db-name> --no-publicly-accessible --apply-immediately ``` 4. The command output should reveal the `PubliclyAccessible` configuration under pending values and should get applied at the specified time. 5. Updating the Internet Gateway Destination via AWS CLI is not currently supported To update information about Internet Gateway use the AWS Console Procedure. 6. Repeat steps 1 to 5 for each RDS instance provisioned in the current region. 7. Change the AWS region by using the --region filter to repeat the process for other regions.",
+          "AuditProcedure": "**From Console:**  1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. Under the navigation panel, On RDS Dashboard, click `Databases`. 3. Select the RDS instance that you want to examine. 4. Click `Instance Name` from the dashboard, Under `Connectivity and Security. 5. On the `Security`, check if the Publicly Accessible flag status is set to `Yes`, follow the below-mentioned steps to check database subnet access. - In the `networking` section, click the subnet link available under `Subnets` - The link will redirect you to the VPC Subnets page. - Select the subnet listed on the page and click the `Route Table` tab from the dashboard bottom panel. If the route table contains any entries with the destination `CIDR block set to 0.0.0.0/0` and with an `Internet Gateway` attached. - The selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and can be accessible from the Internet. 6. Repeat steps no. 4 and 5 to determine the type (public or private) and subnet for other RDS database instances provisioned in the current region. 8. Change the AWS region from the navigation bar and repeat the audit process for other regions.  **From Command Line:**  1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region: ``` aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance `identifier`. 3. Run again `describe-db-instances` command using the `PubliclyAccessible` parameter as query filter to reveal the database instance Publicly Accessible flag status: ``` aws rds describe-db-instances --region <region-name> --db-instance-identifier <db-instance-name> --query 'DBInstances[*].PubliclyAccessible' ``` 4. Check for the Publicly Accessible parameter status, If the Publicly Accessible flag is set to `Yes`. Then selected RDS database instance is publicly accessible and insecure, follow the below-mentioned steps to check database subnet access 5. Run again `describe-db-instances` command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC subnet(s) associated with the selected instance: ``` aws rds describe-db-instances --region <region-name> --db-instance-identifier <db-name> --query 'DBInstances[*].DBSubnetGroup.Subnets[]' ``` - The command output should list the subnets available in the selected database subnet group. 6. Run `describe-route-tables` command using the ID of the subnet returned at the previous step to describe the routes of the VPC route table associated with the selected subnet: ``` aws ec2 describe-route-tables --region <region-name> --filters \"Name=association.subnet-id,Values=<SubnetID>\" --query 'RouteTables[*].Routes[]' ``` - If the command returns the route table associated with database instance subnet ID. Check the `GatewayId` and `DestinationCidrBlock` attributes values returned in the output. If the route table contains any entries with the `GatewayId` value set to `igw-xxxxxxxx` and the `DestinationCidrBlock` value set to `0.0.0.0/0`, the selected RDS database instance was provisioned inside a public subnet. - Or - If the command returns empty results, the route table is implicitly associated with subnet, therefore the audit process continues with the next step 7. Run again `describe-db-instances` command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC ID associated with the selected instance: ``` aws rds describe-db-instances --region <region-name> --db-instance-identifier <db-name> --query 'DBInstances[*].DBSubnetGroup.VpcId' ``` - The command output should show the VPC ID in the selected database subnet group 8. Now run `describe-route-tables` command using the ID of the VPC returned at the previous step to describe the routes of the VPC main route table implicitly associated with the selected subnet: ``` aws ec2 describe-route-tables --region <region-name> --filters \"Name=vpc-id,Values=<VPC-ID>\" \"Name=association.main,Values=true\" --query 'RouteTables[*].Routes[]' ``` - The command output returns the VPC main route table implicitly associated with database instance subnet ID. Check the `GatewayId` and `DestinationCidrBlock` attributes values returned in the output. If the route table contains any entries with the `GatewayId` value set to `igw-xxxxxxxx` and the `DestinationCidrBlock` value set to `0.0.0.0/0`, the selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and does not adhere to AWS security best practices.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html:https://aws.amazon.com/rds/faqs/"
         }
@@ -650,8 +651,8 @@
           "Description": "EFS data should be encrypted at rest using AWS KMS (Key Management Service).",
           "RationaleStatement": "Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**It is important to note that EFS file system data at rest encryption must be turned on when creating the file system.**\n\nIf an EFS file system has been created without data at rest encryption enabled then you must create another EFS file system with the correct configuration and transfer the data.\n\n**Steps to create an EFS file system with data encrypted at rest:**\n\n**From Console:**\n1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS)` dashboard.\n2. Select `File Systems` from the left navigation panel.\n3. Click `Create File System` button from the dashboard top menu to start the file system setup process.\n4. On the `Configure file system access` configuration page, perform the following actions.\n- Choose the right VPC from the VPC dropdown list.\n- Within Create mount targets section, select the checkboxes for all of the Availability Zones (AZs) within the selected VPC. These will be your mount targets.\n- Click `Next step` to continue.\n\n5. Perform the following on the `Configure optional settings` page.\n- Create `tags` to describe your new file system.\n- Choose `performance mode` based on your requirements.\n- Check `Enable encryption` checkbox and choose `aws/elasticfilesystem` from Select KMS master key dropdown list to enable encryption for the new file system using the default master key provided and managed by AWS KMS.\n- Click `Next step` to continue.\n\n6. Review the file system configuration details on the `review and create` page and then click `Create File System` to create your new AWS EFS file system.\n7. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system.\n8. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed.\n9. Change the AWS region from the navigation bar and repeat the entire process for other aws regions.\n\n**From CLI:**\n1. Run describe-file-systems command to describe the configuration information available for the selected (unencrypted) file system (see Audit section to identify the right resource):\n```\naws efs describe-file-systems --region <region> --file-system-id <file-system-id from audit section step 2 output>\n```\n2. The command output should return the requested configuration information.\n3. To provision a new AWS EFS file system, you need to generate a universally unique identifier (UUID) in order to create the token required by the create-file-system command. To create the required token, you can use a randomly generated UUID from \"https://www.uuidgenerator.net\".\n4. Run create-file-system command using the unique token created at the previous step.\n```\naws efs create-file-system --region <region> --creation-token <Token (randomly generated UUID from step 3)> --performance-mode generalPurpose --encrypted\n```\n5. The command output should return the new file system configuration metadata.\n6. Run create-mount-target command using the newly created EFS file system ID returned at the previous step as identifier and the ID of the Availability Zone (AZ) that will represent the mount target:\n```\naws efs create-mount-target --region <region> --file-system-id <file-system-id> --subnet-id <subnet-id>\n```\n7. The command output should return the new mount target metadata.\n8. Now you can mount your file system from an EC2 instance.\n9. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system.\n10. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed.\n```\naws efs delete-file-system --region <region> --file-system-id <unencrypted-file-system-id>\n```\n11. Change the AWS region by updating the --region and repeat the entire process for other aws regions.",
-          "AuditProcedure": "**From Console:**\n1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS) dashboard.\n2. Select `File Systems` from the left navigation panel.\n3. Each item on the list has a visible Encrypted field that displays data at rest encryption status.\n4. Validate that this field reads `Encrypted` for all EFS file systems in all AWS regions.\n\n**From CLI:**\n1. Run describe-file-systems command using custom query filters to list the identifiers of all AWS EFS file systems currently available within the selected region:\n```\naws efs describe-file-systems --region <region> --output table --query 'FileSystems[*].FileSystemId'\n```\n2. The command output should return a table with the requested file system IDs.\n3. Run describe-file-systems command using the ID of the file system that you want to examine as identifier and the necessary query filters:\n```\naws efs describe-file-systems --region <region> --file-system-id <file-system-id from step 2 output> --query 'FileSystems[*].Encrypted'\n```\n4. The command output should return the file system encryption status true or false. If the returned value is `false`, the selected AWS EFS file system is not encrypted and if the returned value is `true`, the selected AWS EFS file system is encrypted.",
+          "RemediationProcedure": "**It is important to note that EFS file system data at rest encryption must be turned on when creating the file system.**  If an EFS file system has been created without data at rest encryption enabled then you must create another EFS file system with the correct configuration and transfer the data.  **Steps to create an EFS file system with data encrypted at rest:**  **From Console:** 1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS)` dashboard. 2. Select `File Systems` from the left navigation panel. 3. Click `Create File System` button from the dashboard top menu to start the file system setup process. 4. On the `Configure file system access` configuration page, perform the following actions. - Choose the right VPC from the VPC dropdown list. - Within Create mount targets section, select the checkboxes for all of the Availability Zones (AZs) within the selected VPC. These will be your mount targets. - Click `Next step` to continue.  5. Perform the following on the `Configure optional settings` page. - Create `tags` to describe your new file system. - Choose `performance mode` based on your requirements. - Check `Enable encryption` checkbox and choose `aws/elasticfilesystem` from Select KMS master key dropdown list to enable encryption for the new file system using the default master key provided and managed by AWS KMS. - Click `Next step` to continue.  6. Review the file system configuration details on the `review and create` page and then click `Create File System` to create your new AWS EFS file system. 7. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system. 8. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed. 9. Change the AWS region from the navigation bar and repeat the entire process for other aws regions.  **From CLI:** 1. Run describe-file-systems command to describe the configuration information available for the selected (unencrypted) file system (see Audit section to identify the right resource): ``` aws efs describe-file-systems --region <region> --file-system-id <file-system-id from audit section step 2 output> ``` 2. The command output should return the requested configuration information. 3. To provision a new AWS EFS file system, you need to generate a universally unique identifier (UUID) in order to create the token required by the create-file-system command. To create the required token, you can use a randomly generated UUID from \"https://www.uuidgenerator.net\". 4. Run create-file-system command using the unique token created at the previous step. ``` aws efs create-file-system --region <region> --creation-token <Token (randomly generated UUID from step 3)> --performance-mode generalPurpose --encrypted ``` 5. The command output should return the new file system configuration metadata. 6. Run create-mount-target command using the newly created EFS file system ID returned at the previous step as identifier and the ID of the Availability Zone (AZ) that will represent the mount target: ``` aws efs create-mount-target --region <region> --file-system-id <file-system-id> --subnet-id <subnet-id> ``` 7. The command output should return the new mount target metadata. 8. Now you can mount your file system from an EC2 instance. 9. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system. 10. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed. ``` aws efs delete-file-system --region <region> --file-system-id <unencrypted-file-system-id> ``` 11. Change the AWS region by updating the --region and repeat the entire process for other aws regions.",
+          "AuditProcedure": "**From Console:** 1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS) dashboard. 2. Select `File Systems` from the left navigation panel. 3. Each item on the list has a visible Encrypted field that displays data at rest encryption status. 4. Validate that this field reads `Encrypted` for all EFS file systems in all AWS regions.  **From CLI:** 1. Run describe-file-systems command using custom query filters to list the identifiers of all AWS EFS file systems currently available within the selected region: ``` aws efs describe-file-systems --region <region> --output table --query 'FileSystems[*].FileSystemId' ``` 2. The command output should return a table with the requested file system IDs. 3. Run describe-file-systems command using the ID of the file system that you want to examine as identifier and the necessary query filters: ``` aws efs describe-file-systems --region <region> --file-system-id <file-system-id from step 2 output> --query 'FileSystems[*].Encrypted' ``` 4. The command output should return the file system encryption status true or false. If the returned value is `false`, the selected AWS EFS file system is not encrypted and if the returned value is `true`, the selected AWS EFS file system is encrypted.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/efs/index.html#efs"
         }
@@ -669,10 +670,10 @@
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
           "Description": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).",
-          "RationaleStatement": "The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally, \n\n- ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected\n\n- ensuring that a multi-regions trail exists will ensure that `Global Service Logging` is enabled for a trail by default to capture recording of events generated on \nAWS global services\n\n- for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account",
-          "ImpactStatement": "S3 lifecycle features can be used to manage the accumulation and management of logs over time. See the following AWS resource for more information on these features:\n\n1. https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html",
-          "RemediationProcedure": "Perform the following to enable global (Multi-region) CloudTrail logging:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. Click on _Trails_ on the left navigation pane\n3. Click `Get Started Now` , if presented\n - Click `Add new trail` \n - Enter a trail name in the `Trail name` box\n - Set the `Apply trail to all regions` option to `Yes` \n - Specify an S3 bucket name in the `S3 bucket` box\n - Click `Create` \n4. If 1 or more trails already exist, select the target trail to enable for global logging\n5. Click the edit icon (pencil) next to `Apply trail to all regions` , Click `Yes` and Click `Save`.\n6. Click the edit icon (pencil) next to `Management Events` click `All` for setting `Read/Write Events` and Click `Save`.\n\n**From Command Line:**\n```\naws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail \naws cloudtrail update-trail --name <trail_name> --is-multi-region-trail\n```\n\nNote: Creating CloudTrail via CLI without providing any overriding options configures `Management Events` to set `All` type of `Read/Writes` by default.",
-          "AuditProcedure": "Perform the following to determine if CloudTrail is enabled for all regions:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. Click on `Trails` on the left navigation pane\n - You will be presented with a list of trails across all regions\n3. Ensure at least one Trail has `All` specified in the `Region` column\n4. Click on a trail via the link in the _Name_ column\n5. Ensure `Logging` is set to `ON` \n6. Ensure `Apply trail to all regions` is set to `Yes`\n7. In section `Management Events` ensure `Read/Write Events` set to `ALL`\n\n**From Command Line:**\n```\n aws cloudtrail describe-trails\n```\nEnsure `IsMultiRegionTrail` is set to `true` \n```\naws cloudtrail get-trail-status --name <trailname shown in describe-trails>\n```\nEnsure `IsLogging` is set to `true`\n```\naws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>\n```\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`",
+          "RationaleStatement": "The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally,   - ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected  - ensuring that a multi-regions trail exists will ensure that `Global Service Logging` is enabled for a trail by default to capture recording of events generated on  AWS global services  - for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account",
+          "ImpactStatement": "S3 lifecycle features can be used to manage the accumulation and management of logs over time. See the following AWS resource for more information on these features:  1. https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html",
+          "RemediationProcedure": "Perform the following to enable global (Multi-region) CloudTrail logging:  **From Console:**  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on _Trails_ on the left navigation pane 3. Click `Get Started Now` , if presented  - Click `Add new trail`   - Enter a trail name in the `Trail name` box  - Set the `Apply trail to all regions` option to `Yes`   - Specify an S3 bucket name in the `S3 bucket` box  - Click `Create`  4. If 1 or more trails already exist, select the target trail to enable for global logging 5. Click the edit icon (pencil) next to `Apply trail to all regions` , Click `Yes` and Click `Save`. 6. Click the edit icon (pencil) next to `Management Events` click `All` for setting `Read/Write Events` and Click `Save`.  **From Command Line:** ``` aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail  aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail ```  Note: Creating CloudTrail via CLI without providing any overriding options configures `Management Events` to set `All` type of `Read/Writes` by default.",
+          "AuditProcedure": "Perform the following to determine if CloudTrail is enabled for all regions:  **From Console:**  1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane  - You will be presented with a list of trails across all regions 3. Ensure at least one Trail has `All` specified in the `Region` column 4. Click on a trail via the link in the _Name_ column 5. Ensure `Logging` is set to `ON`  6. Ensure `Apply trail to all regions` is set to `Yes` 7. In section `Management Events` ensure `Read/Write Events` set to `ALL`  **From Command Line:** ```  aws cloudtrail describe-trails ``` Ensure `IsMultiRegionTrail` is set to `true`  ``` aws cloudtrail get-trail-status --name <trailname shown in describe-trails> ``` Ensure `IsLogging` is set to `true` ``` aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails> ``` Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html#cloud-trail-supported-services-data-events"
         }
@@ -692,8 +693,8 @@
           "Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.",
           "RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/`\n5. Once the Cloudtrail is selected, check the `Write` event checkbox, so that `object-level` logging for Write events is enabled.\n6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.\n\n**From Command Line:**\n\n1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier:\n```\naws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ \"ReadWriteType\": \"WriteOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::<s3-bucket-name>/\"] }] }]'\n```\n2. The command output will be `object-level` event trail configuration.\n3. If you want to enable it for all buckets at once then change Values parameter to `[\"arn:aws:s3\"]` in command given above.\n4. Repeat step 1 for each s3 bucket to update `object-level` logging of write events.\n5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.",
-          "AuditProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to CloudTrail dashboard at `https://console.aws.amazon.com/cloudtrail/`\n2. In the left panel, click `Trails` and then click on the CloudTrail Name that you want to examine.\n3. Review `General details`\n4. Confirm that `Multi-region trail` is set to `Yes`\n5. Scroll down to `Data events`\n6. Confirm that it reads:\nData events: S3\nBucket Name: All current and future S3 buckets\nRead: Enabled\nWrite: Enabled\n7. Repeat steps 2 to 6 to verify that Multi-region trail and Data events logging of S3 buckets in CloudTrail.\nIf the CloudTrails do not have multi-region and data events configured for S3 refer to the remediation below.\n\n**From Command Line:**\n\n1. Run `list-trails` command to list the names of all Amazon CloudTrail trails currently available in all AWS regions:\n```\naws cloudtrail list-trails\n```\n2. The command output will be a list of all the trail names to include.\n\"TrailARN\": \"arn:aws:cloudtrail:<region>:<account#>:trail/<trailname>\",\n\"Name\": \"<trailname>\",\n\"HomeRegion\": \"<region>\"\n3. Next run 'get-trail- command to determine Multi-region.\n```\naws cloudtrail get-trail --name <trailname> --region <region_name>\n```\n4. The command output should include:\n\"IsMultiRegionTrail\": true,\n5. Next run `get-event-selectors` command using the `Name` of the trail and the `region` returned in step 2 to determine if Data events logging feature is enabled within the selected CloudTrail trail for all S3 buckets:\n```\naws cloudtrail get-event-selectors --region <HomeRegion> --trail-name <trailname> --query EventSelectors[*].DataResources[]\n```\n6. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector.\n\"Type\": \"AWS::S3::Object\",\n \"Values\": [\n \"arn:aws:s3\"\n7. If the `get-event-selectors` command returns an empty array '[]', the Data events are not included in the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded.\n8. Repeat steps 1 to 5 for auditing each CloudTrail to determine if Data events for S3 are covered.\nIf Multi-region is not set to true and the Data events does not show S3 defined as shown refer to the remediation procedure below.",
+          "RemediationProcedure": "**From Console:**  1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. Once the Cloudtrail is selected, check the `Write` event checkbox, so that `object-level` logging for Write events is enabled. 6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.  **From Command Line:**  1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ \"ReadWriteType\": \"WriteOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::<s3-bucket-name>/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at once then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. Repeat step 1 for each s3 bucket to update `object-level` logging of write events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.",
+          "AuditProcedure": "**From Console:**  1. Login to the AWS Management Console and navigate to CloudTrail dashboard at `https://console.aws.amazon.com/cloudtrail/` 2. In the left panel, click `Trails` and then click on the CloudTrail Name that you want to examine. 3. Review `General details` 4. Confirm that `Multi-region trail` is set to `Yes` 5. Scroll down to `Data events` 6. Confirm that it reads: Data events: S3 Bucket Name: All current and future S3 buckets Read: Enabled Write: Enabled 7. Repeat steps 2 to 6 to verify that Multi-region trail and Data events logging of S3 buckets in CloudTrail. If the CloudTrails do not have multi-region and data events configured for S3 refer to the remediation below.  **From Command Line:**  1. Run `list-trails` command to list the names of all Amazon CloudTrail trails currently available in all AWS regions: ``` aws cloudtrail list-trails ``` 2. The command output will be a list of all the trail names to include. \"TrailARN\": \"arn:aws:cloudtrail:<region>:<account#>:trail/<trailname>\", \"Name\": \"<trailname>\", \"HomeRegion\": \"<region>\" 3. Next run 'get-trail- command to determine Multi-region. ``` aws cloudtrail get-trail --name <trailname> --region <region_name> ``` 4. The command output should include: \"IsMultiRegionTrail\": true, 5. Next run `get-event-selectors` command using the `Name` of the trail and the `region` returned in step 2 to determine if Data events logging feature is enabled within the selected CloudTrail trail for all S3 buckets: ``` aws cloudtrail get-event-selectors --region <HomeRegion> --trail-name <trailname> --query EventSelectors[*].DataResources[] ``` 6. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. \"Type\": \"AWS::S3::Object\",  \"Values\": [  \"arn:aws:s3\" 7. If the `get-event-selectors` command returns an empty array '[]', the Data events are not included in the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 8. Repeat steps 1 to 5 for auditing each CloudTrail to determine if Data events for S3 are covered. If Multi-region is not set to true and the Data events does not show S3 defined as shown refer to the remediation procedure below.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html"
         }
@@ -713,8 +714,8 @@
           "Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.",
           "RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/`\n5. Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled.\n6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.\n\n**From Command Line:**\n1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier:\n```\naws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ \"ReadWriteType\": \"ReadOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::<s3-bucket-name>/\"] }] }]'\n```\n2. The command output will be `object-level` event trail configuration.\n3. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above.\n4. Repeat step 1 for each s3 bucket to update `object-level` logging of read events.\n5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.",
-          "AuditProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. If the current status for `Object-level` logging is set to `Disabled`, then object-level logging of read events for the selected s3 bucket is not set.\n5. If the current status for `Object-level` logging is set to `Enabled`, but the Read event check-box is unchecked, then object-level logging of read events for the selected s3 bucket is not set.\n6. Repeat steps 2 to 5 to verify `object-level` logging for `read` events of your other S3 buckets.\n\n**From Command Line:**\n1. Run `describe-trails` command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region:\n```\naws cloudtrail describe-trails --region <region-name> --output table --query trailList[*].Name\n```\n2. The command output will be table of the requested trail names.\n3. Run `get-event-selectors` command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3 bucket resources:\n```\naws cloudtrail get-event-selectors --region <region-name> --trail-name <trail-name> --query EventSelectors[*].DataResources[]\n```\n4. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector.\n5. If the `get-event-selectors` command returns an empty array, the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded.\n6. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events.\n7. Change the AWS region by updating the `--region` command parameter and perform the audit process for other regions.",
+          "RemediationProcedure": "**From Console:**  1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled. 6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.  **From Command Line:** 1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ \"ReadWriteType\": \"ReadOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::<s3-bucket-name>/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. Repeat step 1 for each s3 bucket to update `object-level` logging of read events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.",
+          "AuditProcedure": "**From Console:**  1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. If the current status for `Object-level` logging is set to `Disabled`, then object-level logging of read events for the selected s3 bucket is not set. 5. If the current status for `Object-level` logging is set to `Enabled`, but the Read event check-box is unchecked, then object-level logging of read events for the selected s3 bucket is not set. 6. Repeat steps 2 to 5 to verify `object-level` logging for `read` events of your other S3 buckets.  **From Command Line:** 1. Run `describe-trails` command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region: ``` aws cloudtrail describe-trails --region <region-name> --output table --query trailList[*].Name ``` 2. The command output will be table of the requested trail names. 3. Run `get-event-selectors` command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3 bucket resources: ``` aws cloudtrail get-event-selectors --region <region-name> --trail-name <trail-name> --query EventSelectors[*].DataResources[] ``` 4. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. 5. If the `get-event-selectors` command returns an empty array, the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 6. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events. 7. Change the AWS region by updating the `--region` command parameter and perform the audit process for other regions.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html"
         }
@@ -734,8 +735,8 @@
           "Description": "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.",
           "RationaleStatement": "Enabling log file validation will provide additional integrity checking of CloudTrail logs.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to enable log file validation on a given trail:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. Click on `Trails` on the left navigation pane\n3. Click on target trail\n4. Within the `General details` section click `edit`\n5. Under the `Advanced settings` section\n6. Check the enable box under `Log file validation` \n7. Click `Save changes` \n\n**From Command Line:**\n```\naws cloudtrail update-trail --name <trail_name> --enable-log-file-validation\n```\nNote that periodic validation of logs using these digests can be performed by running the following command:\n```\naws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>\n```",
-          "AuditProcedure": "Perform the following on each trail to determine if log file validation is enabled:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. Click on `Trails` on the left navigation pane\n3. For Every Trail:\n- Click on a trail via the link in the _Name_ column\n- Under the `General details` section, ensure `Log file validation` is set to `Enabled` \n\n**From Command Line:**\n```\naws cloudtrail describe-trails\n```\nEnsure `LogFileValidationEnabled` is set to `true` for each trail",
+          "RemediationProcedure": "Perform the following to enable log file validation on a given trail:  **From Console:**  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. Click on target trail 4. Within the `General details` section click `edit` 5. Under the `Advanced settings` section 6. Check the enable box under `Log file validation`  7. Click `Save changes`   **From Command Line:** ``` aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation ``` Note that periodic validation of logs using these digests can be performed by running the following command: ``` aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time> ```",
+          "AuditProcedure": "Perform the following on each trail to determine if log file validation is enabled:  **From Console:**  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. For Every Trail: - Click on a trail via the link in the _Name_ column - Under the `General details` section, ensure `Log file validation` is set to `Enabled`   **From Command Line:** ``` aws cloudtrail describe-trails ``` Ensure `LogFileValidationEnabled` is set to `true` for each trail",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html"
         }
@@ -755,8 +756,8 @@
           "Description": "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.",
           "RationaleStatement": "Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:\n\n1. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home)\n2. Right-click on the bucket and click Properties\n3. In the `Properties` pane, click the `Permissions` tab.\n4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.\n5. Select the row that grants permission to `Everyone` or `Any Authenticated User` \n6. Uncheck all the permissions granted to `Everyone` or `Any Authenticated User` (click `x` to delete the row).\n7. Click `Save` to save the ACL.\n8. If the `Edit bucket policy` button is present, click it.\n9. Remove any `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}.",
-          "AuditProcedure": "Perform the following to determine if any public access is granted to an S3 bucket via an ACL or S3 bucket policy:\n\n**From Console:**\n\n1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home)\n2. In the `API activity history` pane on the left, click `Trails` \n3. In the `Trails` pane, note the bucket names in the `S3 bucket` column\n4. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home)\n5. For each bucket noted in step 3, right-click on the bucket and click `Properties` \n6. In the `Properties` pane, click the `Permissions` tab.\n7. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.\n8. Ensure no rows exists that have the `Grantee` set to `Everyone` or the `Grantee` set to `Any Authenticated User.` \n9. If the `Edit bucket policy` button is present, click it to review the bucket policy.\n10. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}\n\n**From Command Line:**\n\n1. Get the name of the S3 bucket that CloudTrail is logging to:\n```\n aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'\n```\n2. Ensure the `AllUsers` principal is not granted privileges to that `<bucket>` :\n```\n aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/AllUsers` ]'\n```\n3. Ensure the `AuthenticatedUsers` principal is not granted privileges to that `<bucket>`:\n```\n aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/Authenticated Users` ]'\n```\n4. Get the S3 Bucket Policy\n```\n aws s3api get-bucket-policy --bucket <s3_bucket_for_cloudtrail> \n```\n5. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}\n\n**Note:** Principal set to \"\\*\" or {\"AWS\" : \"\\*\"} allows anonymous access.",
+          "RemediationProcedure": "Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:  1. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 2. Right-click on the bucket and click Properties 3. In the `Properties` pane, click the `Permissions` tab. 4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 5. Select the row that grants permission to `Everyone` or `Any Authenticated User`  6. Uncheck all the permissions granted to `Everyone` or `Any Authenticated User` (click `x` to delete the row). 7. Click `Save` to save the ACL. 8. If the `Edit bucket policy` button is present, click it. 9. Remove any `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}.",
+          "AuditProcedure": "Perform the following to determine if any public access is granted to an S3 bucket via an ACL or S3 bucket policy:  **From Console:**  1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the `API activity history` pane on the left, click `Trails`  3. In the `Trails` pane, note the bucket names in the `S3 bucket` column 4. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 5. For each bucket noted in step 3, right-click on the bucket and click `Properties`  6. In the `Properties` pane, click the `Permissions` tab. 7. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 8. Ensure no rows exists that have the `Grantee` set to `Everyone` or the `Grantee` set to `Any Authenticated User.`  9. If the `Edit bucket policy` button is present, click it to review the bucket policy. 10. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}  **From Command Line:**  1. Get the name of the S3 bucket that CloudTrail is logging to: ```  aws cloudtrail describe-trails --query 'trailList[*].S3BucketName' ``` 2. Ensure the `AllUsers` principal is not granted privileges to that `<bucket>` : ```  aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/AllUsers` ]' ``` 3. Ensure the `AuthenticatedUsers` principal is not granted privileges to that `<bucket>`: ```  aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/Authenticated Users` ]' ``` 4. Get the S3 Bucket Policy ```  aws s3api get-bucket-policy --bucket <s3_bucket_for_cloudtrail>  ``` 5. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}  **Note:** Principal set to \"\\*\" or {\"AWS\" : \"\\*\"} allows anonymous access.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html"
         }
@@ -773,11 +774,11 @@
           "Section": "3. Logging",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.\n\nNote: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution.",
+          "Description": "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.  Note: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution.",
           "RationaleStatement": "Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.",
-          "ImpactStatement": "Note: By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:\n\n1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html",
-          "RemediationProcedure": "Perform the following to establish the prescribed state:\n\n**From Console:**\n\n1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/`\n2. Select the `Trail` the needs to be updated.\n3. Scroll down to `CloudWatch Logs`\n4. Click `Edit`\n5. Under `CloudWatch Logs` click the box `Enabled`\n6. Under `Log Group` pick new or select an existing log group\n7. Edit the `Log group name` to match the CloudTrail or pick the existing CloudWatch Group.\n8. Under `IAM Role` pick new or select an existing.\n9. Edit the `Role name` to match the CloudTrail or pick the existing IAM Role.\n10. Click `Save changes.\n\n**From Command Line:**\n```\naws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-group-arn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure CloudTrail is configured as prescribed:\n\n**From Console:**\n\n1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/`\n2. Under `Trails` , click on the CloudTrail you wish to evaluate\n3. Under the `CloudWatch Logs` section.\n4. Ensure a `CloudWatch Logs` log group is configured and listed.\n5. Under `General details` confirm `Last log file delivered` has a recent (~one day old) timestamp.\n\n**From Command Line:**\n\n1. Run the following command to get a listing of existing trails:\n```\n aws cloudtrail describe-trails\n```\n2. Ensure `CloudWatchLogsLogGroupArn` is not empty and note the value of the `Name` property.\n3. Using the noted value of the `Name` property, run the following command:\n```\n aws cloudtrail get-trail-status --name <trail_name>\n```\n4. Ensure the `LatestcloudwatchLogdDeliveryTime` property is set to a recent (~one day old) timestamp.\n\nIf the `CloudWatch Logs` log group is not setup and the delivery time is not recent refer to the remediation below.",
+          "ImpactStatement": "Note: By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:  1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html",
+          "RemediationProcedure": "Perform the following to establish the prescribed state:  **From Console:**  1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Select the `Trail` the needs to be updated. 3. Scroll down to `CloudWatch Logs` 4. Click `Edit` 5. Under `CloudWatch Logs` click the box `Enabled` 6. Under `Log Group` pick new or select an existing log group 7. Edit the `Log group name` to match the CloudTrail or pick the existing CloudWatch Group. 8. Under `IAM Role` pick new or select an existing. 9. Edit the `Role name` to match the CloudTrail or pick the existing IAM Role. 10. Click `Save changes.  **From Command Line:** ``` aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-group-arn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn> ```",
+          "AuditProcedure": "Perform the following to ensure CloudTrail is configured as prescribed:  **From Console:**  1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Under `Trails` , click on the CloudTrail you wish to evaluate 3. Under the `CloudWatch Logs` section. 4. Ensure a `CloudWatch Logs` log group is configured and listed. 5. Under `General details` confirm `Last log file delivered` has a recent (~one day old) timestamp.  **From Command Line:**  1. Run the following command to get a listing of existing trails: ```  aws cloudtrail describe-trails ``` 2. Ensure `CloudWatchLogsLogGroupArn` is not empty and note the value of the `Name` property. 3. Using the noted value of the `Name` property, run the following command: ```  aws cloudtrail get-trail-status --name <trail_name> ``` 4. Ensure the `LatestcloudwatchLogdDeliveryTime` property is set to a recent (~one day old) timestamp.  If the `CloudWatch Logs` log group is not setup and the delivery time is not recent refer to the remediation below.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html"
         }
@@ -797,8 +798,8 @@
           "Description": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions.",
           "RationaleStatement": "The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.",
           "ImpactStatement": "It is recommended AWS Config be enabled in all regions.",
-          "RemediationProcedure": "To implement AWS Config configuration:\n\n**From Console:**\n\n1. Select the region you want to focus on in the top right of the console\n2. Click `Services` \n3. Click `Config` \n4. Define which resources you want to record in the selected region\n5. Choose to include global resources (IAM resources)\n6. Specify an S3 bucket in the same account or in another managed AWS account\n7. Create an SNS Topic from the same AWS account or another managed AWS account\n\n**From Command Line:**\n\n1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the [AWS Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html).\n2. Run this command to set up the configuration recorder\n```\naws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole\n```\n3. Run this command to start the configuration recorder:\n```\nstart-configuration-recorder --configuration-recorder-name <value>\n```",
-          "AuditProcedure": "Process to evaluate AWS Config configuration per region\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/).\n2. On the top right of the console select target Region.\n3. If presented with Setup AWS Config - follow remediation procedure:\n4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears.\n5. Ensure 1 or both check-boxes under \"All Resources\" is checked.\n - Include global resources related to IAM resources - which needs to be enabled in 1 region only\n6. Ensure the correct S3 bucket has been defined.\n7. Ensure the correct SNS topic has been defined.\n8. Repeat steps 2 to 7 for each region.\n\n**From Command Line:**\n\n1. Run this command to show all AWS Config recorders and their properties:\n```\naws configservice describe-configuration-recorders\n```\n2. Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`\n\nNote: There is one more parameter \"ResourceTypes\" in recordingGroup object. We don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])\n\nSample Output:\n\n```\n{\n \"ConfigurationRecorders\": [\n {\n \"recordingGroup\": {\n \"allSupported\": true,\n \"resourceTypes\": [],\n \"includeGlobalResourceTypes\": true\n },\n \"roleARN\": \"arn:aws:iam::<AWS_Account_ID>:role/service-role/<config-role-name>\",\n \"name\": \"default\"\n }\n ]\n}\n```\n\n3. Run this command to show the status for all AWS Config recorders:\n```\naws configservice describe-configuration-recorder-status\n```\n4. In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`",
+          "RemediationProcedure": "To implement AWS Config configuration:  **From Console:**  1. Select the region you want to focus on in the top right of the console 2. Click `Services`  3. Click `Config`  4. Define which resources you want to record in the selected region 5. Choose to include global resources (IAM resources) 6. Specify an S3 bucket in the same account or in another managed AWS account 7. Create an SNS Topic from the same AWS account or another managed AWS account  **From Command Line:**  1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the [AWS Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html). 2. Run this command to set up the configuration recorder ``` aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole ``` 3. Run this command to start the configuration recorder: ``` start-configuration-recorder --configuration-recorder-name <value> ```",
+          "AuditProcedure": "Process to evaluate AWS Config configuration per region  **From Console:**  1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/). 2. On the top right of the console select target Region. 3. If presented with Setup AWS Config - follow remediation procedure: 4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears. 5. Ensure 1 or both check-boxes under \"All Resources\" is checked.  - Include global resources related to IAM resources - which needs to be enabled in 1 region only 6. Ensure the correct S3 bucket has been defined. 7. Ensure the correct SNS topic has been defined. 8. Repeat steps 2 to 7 for each region.  **From Command Line:**  1. Run this command to show all AWS Config recorders and their properties: ``` aws configservice describe-configuration-recorders ``` 2. Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`  Note: There is one more parameter \"ResourceTypes\" in recordingGroup object. We don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])  Sample Output:  ``` {  \"ConfigurationRecorders\": [  {  \"recordingGroup\": {  \"allSupported\": true,  \"resourceTypes\": [],  \"includeGlobalResourceTypes\": true  },  \"roleARN\": \"arn:aws:iam::<AWS_Account_ID>:role/service-role/<config-role-name>\",  \"name\": \"default\"  }  ] } ```  3. Run this command to show the status for all AWS Config recorders: ``` aws configservice describe-configuration-recorder-status ``` 4. In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html"
         }
@@ -818,8 +819,8 @@
           "Description": "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.",
           "RationaleStatement": "By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to enable S3 bucket logging:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3).\n2. Under `All Buckets` click on the target S3 bucket\n3. Click on `Properties` in the top right of the console\n4. Under `Bucket:` <s3\\_bucket\\_for\\_cloudtrail> click on `Logging` \n5. Configure bucket logging\n - Click on the `Enabled` checkbox\n - Select Target Bucket from list\n - Enter a Target Prefix\n6. Click `Save`.\n\n**From Command Line:**\n\n1. Get the name of the S3 bucket that CloudTrail is logging to:\n```\naws cloudtrail describe-trails --region <region-name> --query trailList[*].S3BucketName\n```\n2. Copy and add target bucket name at `<Logging_BucketName>`, Prefix for logfile at `<LogFilePrefix>` and optionally add an email address in the following template and save it as `<FileName.Json>`:\n```\n{\n \"LoggingEnabled\": {\n \"TargetBucket\": \"<Logging_BucketName>\",\n \"TargetPrefix\": \"<LogFilePrefix>\",\n \"TargetGrants\": [\n {\n \"Grantee\": {\n \"Type\": \"AmazonCustomerByEmail\",\n \"EmailAddress\": \"<EmailID>\"\n },\n \"Permission\": \"FULL_CONTROL\"\n }\n ]\n } \n}\n```\n3. Run the `put-bucket-logging` command with bucket name and `<FileName.Json>` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html):\n```\naws s3api put-bucket-logging --bucket <BucketName> --bucket-logging-status file://<FileName.Json>\n```",
-          "AuditProcedure": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:\n\n**From Console:**\n\n1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home)\n2. In the API activity history pane on the left, click Trails\n3. In the Trails pane, note the bucket names in the S3 bucket column\n4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3).\n5. Under `All Buckets` click on a target S3 bucket\n6. Click on `Properties` in the top right of the console\n7. Under `Bucket:` _ `<bucket_name>` _ click on `Logging` \n8. Ensure `Enabled` is checked.\n\n**From Command Line:**\n\n1. Get the name of the S3 bucket that CloudTrail is logging to:\n``` \naws cloudtrail describe-trails --query 'trailList[*].S3BucketName' \n```\n2. Ensure Bucket Logging is enabled:\n```\naws s3api get-bucket-logging --bucket <s3_bucket_for_cloudtrail>\n```\nEnsure command does not returns empty output.\n\nSample Output for a bucket with logging enabled:\n\n```\n{\n \"LoggingEnabled\": {\n \"TargetPrefix\": \"<Prefix_Test>\",\n \"TargetBucket\": \"<Bucket_name_for_Storing_Logs>\"\n }\n}\n```",
+          "RemediationProcedure": "Perform the following to enable S3 bucket logging:  **From Console:**  1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 2. Under `All Buckets` click on the target S3 bucket 3. Click on `Properties` in the top right of the console 4. Under `Bucket:` <s3\\_bucket\\_for\\_cloudtrail> click on `Logging`  5. Configure bucket logging  - Click on the `Enabled` checkbox  - Select Target Bucket from list  - Enter a Target Prefix 6. Click `Save`.  **From Command Line:**  1. Get the name of the S3 bucket that CloudTrail is logging to: ``` aws cloudtrail describe-trails --region <region-name> --query trailList[*].S3BucketName ``` 2. Copy and add target bucket name at `<Logging_BucketName>`, Prefix for logfile at `<LogFilePrefix>` and optionally add an email address in the following template and save it as `<FileName.Json>`: ``` {  \"LoggingEnabled\": {  \"TargetBucket\": \"<Logging_BucketName>\",  \"TargetPrefix\": \"<LogFilePrefix>\",  \"TargetGrants\": [  {  \"Grantee\": {  \"Type\": \"AmazonCustomerByEmail\",  \"EmailAddress\": \"<EmailID>\"  },  \"Permission\": \"FULL_CONTROL\"  }  ]  }  } ``` 3. Run the `put-bucket-logging` command with bucket name and `<FileName.Json>` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html): ``` aws s3api put-bucket-logging --bucket <BucketName> --bucket-logging-status file://<FileName.Json> ```",
+          "AuditProcedure": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:  **From Console:**  1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the API activity history pane on the left, click Trails 3. In the Trails pane, note the bucket names in the S3 bucket column 4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 5. Under `All Buckets` click on a target S3 bucket 6. Click on `Properties` in the top right of the console 7. Under `Bucket:` _ `<bucket_name>` _ click on `Logging`  8. Ensure `Enabled` is checked.  **From Command Line:**  1. Get the name of the S3 bucket that CloudTrail is logging to: ```  aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'  ``` 2. Ensure Bucket Logging is enabled: ``` aws s3api get-bucket-logging --bucket <s3_bucket_for_cloudtrail> ``` Ensure command does not returns empty output.  Sample Output for a bucket with logging enabled:  ``` {  \"LoggingEnabled\": {  \"TargetPrefix\": \"<Prefix_Test>\",  \"TargetBucket\": \"<Bucket_name_for_Storing_Logs>\"  } } ```",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html"
         }
@@ -839,9 +840,9 @@
           "Description": "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.",
           "RationaleStatement": "Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.",
           "ImpactStatement": "Customer created keys incur an additional cost. See https://aws.amazon.com/kms/pricing/ for more information.",
-          "RemediationProcedure": "Perform the following to configure CloudTrail to use SSE-KMS:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. In the left navigation pane, choose `Trails` .\n3. Click on a Trail\n4. Under the `S3` section click on the edit button (pencil icon)\n5. Click `Advanced` \n6. Select an existing CMK from the `KMS key Id` drop-down menu\n - Note: Ensure the CMK is located in the same region as the S3 bucket\n - Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided [here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html) for editing the selected CMK Key policy\n7. Click `Save` \n8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files.\n9. Click `Yes` \n\n**From Command Line:**\n```\naws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key>\naws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy>\n```",
-          "AuditProcedure": "Perform the following to determine if CloudTrail is configured to use SSE-KMS:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. In the left navigation pane, choose `Trails` .\n3. Select a Trail\n4. Under the `S3` section, ensure `Encrypt log files` is set to `Yes` and a KMS key ID is specified in the `KSM Key Id` field.\n\n**From Command Line:**\n\n1. Run the following command:\n```\n aws cloudtrail describe-trails \n```\n2. For each trail listed, SSE-KMS is enabled if the trail has a `KmsKeyId` property defined.",
-          "AdditionalInformation": "3 statements which need to be added to the CMK policy:\n\n1\\. Enable Cloudtrail to describe CMK properties\n```\n<pre class=\"programlisting\" style=\"font-style: normal;\">{\n \"Sid\": \"Allow CloudTrail access\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n },\n \"Action\": \"kms:DescribeKey\",\n \"Resource\": \"*\"\n}\n```\n2\\. Granting encrypt permissions\n```\n<pre class=\"programlisting\" style=\"font-style: normal;\">{\n \"Sid\": \"Allow CloudTrail to encrypt logs\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n },\n \"Action\": \"kms:GenerateDataKey*\",\n \"Resource\": \"*\",\n \"Condition\": {\n \"StringLike\": {\n \"kms:EncryptionContext:aws:cloudtrail:arn\": [\n \"arn:aws:cloudtrail:*:aws-account-id:trail/*\"\n ]\n }\n }\n}\n```\n3\\. Granting decrypt permissions\n```\n<pre class=\"programlisting\" style=\"font-style: normal;\">{\n \"Sid\": \"Enable CloudTrail log decrypt permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::aws-account-id:user/username\"\n },\n \"Action\": \"kms:Decrypt\",\n \"Resource\": \"*\",\n \"Condition\": {\n \"Null\": {\n \"kms:EncryptionContext:aws:cloudtrail:arn\": \"false\"\n }\n }\n}\n```",
+          "RemediationProcedure": "Perform the following to configure CloudTrail to use SSE-KMS:  **From Console:**  1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Click on a Trail 4. Under the `S3` section click on the edit button (pencil icon) 5. Click `Advanced`  6. Select an existing CMK from the `KMS key Id` drop-down menu  - Note: Ensure the CMK is located in the same region as the S3 bucket  - Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided [here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html) for editing the selected CMK Key policy 7. Click `Save`  8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files. 9. Click `Yes`   **From Command Line:** ``` aws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key> aws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy> ```",
+          "AuditProcedure": "Perform the following to determine if CloudTrail is configured to use SSE-KMS:  **From Console:**  1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Select a Trail 4. Under the `S3` section, ensure `Encrypt log files` is set to `Yes` and a KMS key ID is specified in the `KSM Key Id` field.  **From Command Line:**  1. Run the following command: ```  aws cloudtrail describe-trails  ``` 2. For each trail listed, SSE-KMS is enabled if the trail has a `KmsKeyId` property defined.",
+          "AdditionalInformation": "3 statements which need to be added to the CMK policy:  1\\. Enable Cloudtrail to describe CMK properties ``` <pre class=\"programlisting\" style=\"font-style: normal;\">{  \"Sid\": \"Allow CloudTrail access\",  \"Effect\": \"Allow\",  \"Principal\": {  \"Service\": \"cloudtrail.amazonaws.com\"  },  \"Action\": \"kms:DescribeKey\",  \"Resource\": \"*\" } ``` 2\\. Granting encrypt permissions ``` <pre class=\"programlisting\" style=\"font-style: normal;\">{  \"Sid\": \"Allow CloudTrail to encrypt logs\",  \"Effect\": \"Allow\",  \"Principal\": {  \"Service\": \"cloudtrail.amazonaws.com\"  },  \"Action\": \"kms:GenerateDataKey*\",  \"Resource\": \"*\",  \"Condition\": {  \"StringLike\": {  \"kms:EncryptionContext:aws:cloudtrail:arn\": [  \"arn:aws:cloudtrail:*:aws-account-id:trail/*\"  ]  }  } } ``` 3\\. Granting decrypt permissions ``` <pre class=\"programlisting\" style=\"font-style: normal;\">{  \"Sid\": \"Enable CloudTrail log decrypt permissions\",  \"Effect\": \"Allow\",  \"Principal\": {  \"AWS\": \"arn:aws:iam::aws-account-id:user/username\"  },  \"Action\": \"kms:Decrypt\",  \"Resource\": \"*\",  \"Condition\": {  \"Null\": {  \"kms:EncryptionContext:aws:cloudtrail:arn\": \"false\"  }  } } ```",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html:https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html"
         }
       ]
@@ -858,10 +859,10 @@
           "Profile": "Level 2",
           "AssessmentStatus": "Automated",
           "Description": "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK.",
-          "RationaleStatement": "Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\nKeys should be rotated every year, or upon event that would result in the compromise of that key.",
+          "RationaleStatement": "Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed. Keys should be rotated every year, or upon event that would result in the compromise of that key.",
           "ImpactStatement": "Creation, management, and storage of CMKs may require additional time from and administrator.",
-          "RemediationProcedure": "**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam).\n2. In the left navigation pane, choose `Customer managed keys` .\n3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT`\n4. Underneath the \"General configuration\" panel open the tab \"Key rotation\"\n5. Check the \"Automatically rotate this KMS key every year.\" checkbox\n\n**From Command Line:**\n\n1. Run the following command to enable key rotation:\n```\n aws kms enable-key-rotation --key-id <kms_key_id>\n```",
-          "AuditProcedure": "**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam).\n2. In the left navigation pane, choose `Customer managed keys`\n3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT`\n4. Underneath the `General configuration` panel open the tab `Key rotation`\n5. Ensure that the checkbox `Automatically rotate this KMS key every year.` is activated\n6. Repeat steps 3 - 5 for all customer managed CMKs where \"Key spec = SYMMETRIC_DEFAULT\"\n\n**From Command Line:**\n\n1. Run the following command to get a list of all keys and their associated `KeyIds` \n```\n aws kms list-keys\n```\n2. For each key, note the KeyId and run the following command\n```\ndescribe-key --key-id <kms_key_id>\n```\n3. If the response contains \"KeySpec = SYMMETRIC_DEFAULT\" run the following command\n```\n aws kms get-key-rotation-status --key-id <kms_key_id>\n```\n4. Ensure `KeyRotationEnabled` is set to `true`\n5. Repeat steps 2 - 4 for all remaining CMKs",
+          "RemediationProcedure": "**From Console:**  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` . 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the \"General configuration\" panel open the tab \"Key rotation\" 5. Check the \"Automatically rotate this KMS key every year.\" checkbox  **From Command Line:**  1. Run the following command to enable key rotation: ```  aws kms enable-key-rotation --key-id <kms_key_id> ```",
+          "AuditProcedure": "**From Console:**  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the `General configuration` panel open the tab `Key rotation` 5. Ensure that the checkbox `Automatically rotate this KMS key every year.` is activated 6. Repeat steps 3 - 5 for all customer managed CMKs where \"Key spec = SYMMETRIC_DEFAULT\"  **From Command Line:**  1. Run the following command to get a list of all keys and their associated `KeyIds`  ```  aws kms list-keys ``` 2. For each key, note the KeyId and run the following command ``` describe-key --key-id <kms_key_id> ``` 3. If the response contains \"KeySpec = SYMMETRIC_DEFAULT\" run the following command ```  aws kms get-key-rotation-status --key-id <kms_key_id> ``` 4. Ensure `KeyRotationEnabled` is set to `true` 5. Repeat steps 2 - 4 for all remaining CMKs",
           "AdditionalInformation": "",
           "References": "https://aws.amazon.com/kms/pricing/:https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final"
         }
@@ -880,9 +881,9 @@
           "AssessmentStatus": "Automated",
           "Description": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.",
           "RationaleStatement": "VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.",
-          "ImpactStatement": "By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:\n\n1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html",
-          "RemediationProcedure": "Perform the following to determine if VPC Flow logs is enabled:\n\n**From Console:**\n\n1. Sign into the management console\n2. Select `Services` then `VPC` \n3. In the left navigation pane, select `Your VPCs` \n4. Select a VPC\n5. In the right pane, select the `Flow Logs` tab.\n6. If no Flow Log exists, click `Create Flow Log` \n7. For Filter, select `Reject`\n8. Enter in a `Role` and `Destination Log Group` \n9. Click `Create Log Flow` \n10. Click on `CloudWatch Logs Group` \n\n**Note:** Setting the filter to \"Reject\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to \"All\" can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.\n\n**From Command Line:**\n\n1. Create a policy document and name it as `role_policy_document.json` and paste the following content:\n```\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"test\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n}\n```\n2. Create another policy document and name it as `iam_policy.json` and paste the following content:\n```\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\":[\n \"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:DescribeLogGroups\",\n \"logs:DescribeLogStreams\",\n \"logs:PutLogEvents\",\n \"logs:GetLogEvents\",\n \"logs:FilterLogEvents\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}\n```\n3. Run the below command to create an IAM role:\n```\naws iam create-role --role-name <aws_support_iam_role> --assume-role-policy-document file://<file-path>role_policy_document.json \n```\n4. Run the below command to create an IAM policy:\n```\naws iam create-policy --policy-name <ami-policy-name> --policy-document file://<file-path>iam-policy.json\n```\n5. Run `attach-group-policy` command using the IAM policy ARN returned at the previous step to attach the policy to the IAM role (if the command succeeds, no output is returned):\n```\naws iam attach-group-policy --policy-arn arn:aws:iam::<aws-account-id>:policy/<iam-policy-name> --group-name <group-name>\n```\n6. Run `describe-vpcs` to get the VpcId available in the selected region:\n```\naws ec2 describe-vpcs --region <region>\n```\n7. The command output should return the VPC Id available in the selected region.\n8. Run `create-flow-logs` to create a flow log for the vpc:\n```\naws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc-id> --traffic-type REJECT --log-group-name <log-group-name> --deliver-logs-permission-arn <iam-role-arn>\n```\n9. Repeat step 8 for other vpcs available in the selected region.\n10. Change the region by updating --region and repeat remediation procedure for other vpcs.",
-          "AuditProcedure": "Perform the following to determine if VPC Flow logs are enabled:\n\n**From Console:**\n\n1. Sign into the management console\n2. Select `Services` then `VPC` \n3. In the left navigation pane, select `Your VPCs` \n4. Select a VPC\n5. In the right pane, select the `Flow Logs` tab.\n6. Ensure a Log Flow exists that has `Active` in the `Status` column.\n\n**From Command Line:**\n\n1. Run `describe-vpcs` command (OSX/Linux/UNIX) to list the VPC networks available in the current AWS region:\n```\naws ec2 describe-vpcs --region <region> --query Vpcs[].VpcId\n```\n2. The command output returns the `VpcId` available in the selected region.\n3. Run `describe-flow-logs` command (OSX/Linux/UNIX) using the VPC ID to determine if the selected virtual network has the Flow Logs feature enabled:\n```\naws ec2 describe-flow-logs --filter \"Name=resource-id,Values=<vpc-id>\"\n```\n4. If there are no Flow Logs created for the selected VPC, the command output will return an `empty list []`.\n5. Repeat step 3 for other VPCs available in the same region.\n6. Change the region by updating `--region` and repeat steps 1 - 5 for all the VPCs.",
+          "ImpactStatement": "By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:  1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html",
+          "RemediationProcedure": "Perform the following to determine if VPC Flow logs is enabled:  **From Console:**  1. Sign into the management console 2. Select `Services` then `VPC`  3. In the left navigation pane, select `Your VPCs`  4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. If no Flow Log exists, click `Create Flow Log`  7. For Filter, select `Reject` 8. Enter in a `Role` and `Destination Log Group`  9. Click `Create Log Flow`  10. Click on `CloudWatch Logs Group`   **Note:** Setting the filter to \"Reject\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to \"All\" can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.  **From Command Line:**  1. Create a policy document and name it as `role_policy_document.json` and paste the following content: ``` {  \"Version\": \"2012-10-17\",  \"Statement\": [  {  \"Sid\": \"test\",  \"Effect\": \"Allow\",  \"Principal\": {  \"Service\": \"ec2.amazonaws.com\"  },  \"Action\": \"sts:AssumeRole\"  }  ] } ``` 2. Create another policy document and name it as `iam_policy.json` and paste the following content: ``` {  \"Version\": \"2012-10-17\",  \"Statement\": [  {  \"Effect\": \"Allow\",  \"Action\":[  \"logs:CreateLogGroup\",  \"logs:CreateLogStream\",  \"logs:DescribeLogGroups\",  \"logs:DescribeLogStreams\",  \"logs:PutLogEvents\",  \"logs:GetLogEvents\",  \"logs:FilterLogEvents\"  ],  \"Resource\": \"*\"  }  ] } ``` 3. Run the below command to create an IAM role: ``` aws iam create-role --role-name <aws_support_iam_role> --assume-role-policy-document file://<file-path>role_policy_document.json  ``` 4. Run the below command to create an IAM policy: ``` aws iam create-policy --policy-name <ami-policy-name> --policy-document file://<file-path>iam-policy.json ``` 5. Run `attach-group-policy` command using the IAM policy ARN returned at the previous step to attach the policy to the IAM role (if the command succeeds, no output is returned): ``` aws iam attach-group-policy --policy-arn arn:aws:iam::<aws-account-id>:policy/<iam-policy-name> --group-name <group-name> ``` 6. Run `describe-vpcs` to get the VpcId available in the selected region: ``` aws ec2 describe-vpcs --region <region> ``` 7. The command output should return the VPC Id available in the selected region. 8. Run `create-flow-logs` to create a flow log for the vpc: ``` aws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc-id> --traffic-type REJECT --log-group-name <log-group-name> --deliver-logs-permission-arn <iam-role-arn> ``` 9. Repeat step 8 for other vpcs available in the selected region. 10. Change the region by updating --region and repeat remediation procedure for other vpcs.",
+          "AuditProcedure": "Perform the following to determine if VPC Flow logs are enabled:  **From Console:**  1. Sign into the management console 2. Select `Services` then `VPC`  3. In the left navigation pane, select `Your VPCs`  4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. Ensure a Log Flow exists that has `Active` in the `Status` column.  **From Command Line:**  1. Run `describe-vpcs` command (OSX/Linux/UNIX) to list the VPC networks available in the current AWS region: ``` aws ec2 describe-vpcs --region <region> --query Vpcs[].VpcId ``` 2. The command output returns the `VpcId` available in the selected region. 3. Run `describe-flow-logs` command (OSX/Linux/UNIX) using the VPC ID to determine if the selected virtual network has the Flow Logs feature enabled: ``` aws ec2 describe-flow-logs --filter \"Name=resource-id,Values=<vpc-id>\" ``` 4. If there are no Flow Logs created for the selected VPC, the command output will return an `empty list []`. 5. Repeat step 3 for other VPCs available in the same region. 6. Change the region by updating `--region` and repeat steps 1 - 5 for all the VPCs.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html"
         }
@@ -901,10 +902,10 @@
           "AssessmentStatus": "Automated",
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.",
           "RationaleStatement": "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.",
-          "ImpactStatement": "This alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions.\n\nIf an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts.\n\nIn some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name \"cloudtrail_log_group_name\" --filter-name \"<unauthorized_api_calls_metric>\" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 --filter-pattern \"{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") || ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") || ($.eventName!=\"HeadBucket\") }\"\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n**Note**: Capture the TopicArn displayed when creating the SNS Topic in Step 2.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn from step 2> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name \"unauthorized_api_calls_alarm\" --metric-name \"unauthorized_api_calls_metric\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with \"Name\":` note `<cloudtrail__name>`\n\n- From value associated with \"CloudWatchLogsLogGroupArn\" note <cloudtrail_log_group_name>\n\nExample: for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <\"Name\" as shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>` that you captured in step 1:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) || ($.sourceIPAddress!=delivery.logs.amazonaws.com) || ($.eventName!=HeadBucket) }\",\n```\n\n4. Note the \"filterName\" `<unauthorized_api_calls_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<unauthorized_api_calls_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName == `unauthorized_api_calls_metric`]\"\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "ImpactStatement": "This alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions.  If an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts.  In some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name \"cloudtrail_log_group_name\" --filter-name \"<unauthorized_api_calls_metric>\" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 --filter-pattern \"{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") || ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") || ($.eventName!=\"HeadBucket\") }\" ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms. **Note**: Capture the TopicArn displayed when creating the SNS Topic in Step 2.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn from step 2> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"unauthorized_api_calls_alarm\" --metric-name \"unauthorized_api_calls_metric\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with \"Name\":` note `<cloudtrail__name>`  - From value associated with \"CloudWatchLogsLogGroupArn\" note <cloudtrail_log_group_name>  Example: for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <\"Name\" as shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>` that you captured in step 1:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) || ($.sourceIPAddress!=delivery.logs.amazonaws.com) || ($.eventName!=HeadBucket) }\", ```  4. Note the \"filterName\" `<unauthorized_api_calls_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<unauthorized_api_calls_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName == `unauthorized_api_calls_metric`]\" ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://aws.amazon.com/sns/:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -923,9 +924,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.",
           "RationaleStatement": "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for security groups changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name \"<cloudtrail_log_group_name>\" --filter-name \"<security_group_changes_metric>\" --metric-transformations metricName= \"<security_group_changes_metric>\" ,metricNamespace=\"CISBenchmark\",metricValue=1 --filter-pattern \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\"\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name \"<sns_topic_name>\"\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn \"<sns_topic_arn>\" --protocol <protocol_for_sns> --notification-endpoint \"<sns_subscription_endpoints>\"\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name \"<security_group_changes_alarm>\" --metric-name \"<security_group_changes_metric>\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions \"<sns_topic_arn>\"\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\"\n```\n4. Note the `<security_group_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<security_group_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName== '<security_group_changes_metric>']\"\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for security groups changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name \"<cloudtrail_log_group_name>\" --filter-name \"<security_group_changes_metric>\" --metric-transformations metricName= \"<security_group_changes_metric>\" ,metricNamespace=\"CISBenchmark\",metricValue=1 --filter-pattern \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name \"<sns_topic_name>\" ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn \"<sns_topic_arn>\" --protocol <protocol_for_sns> --notification-endpoint \"<sns_subscription_endpoints>\" ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"<security_group_changes_alarm>\" --metric-name \"<security_group_changes_metric>\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions \"<sns_topic_arn>\" ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ``` 4. Note the `<security_group_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<security_group_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName== '<security_group_changes_metric>']\" ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -944,9 +945,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.",
           "RationaleStatement": "Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for NACL changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<nacl_changes_metric>` --metric-transformations metricName= `<nacl_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<nacl_changes_alarm>` --metric-name `<nacl_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }\"\n```\n4. Note the `<nacl_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<nacl_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<nacl_changes_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for NACL changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<nacl_changes_metric>` --metric-transformations metricName= `<nacl_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<nacl_changes_alarm>` --metric-name `<nacl_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }\" ``` 4. Note the `<nacl_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<nacl_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<nacl_changes_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -965,9 +966,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.",
           "RationaleStatement": "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<network_gw_changes_metric>` --metric-transformations metricName= `<network_gw_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<network_gw_changes_alarm>` --metric-name `<network_gw_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }\"\n```\n4. Note the `<network_gw_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<network_gw_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<network_gw_changes_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<network_gw_changes_metric>` --metric-transformations metricName= `<network_gw_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<network_gw_changes_alarm>` --metric-name `<network_gw_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }\" ``` 4. Note the `<network_gw_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<network_gw_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<network_gw_changes_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -986,9 +987,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.",
           "RationaleStatement": "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for route table changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<route_table_changes_metric>` --metric-transformations metricName= `<route_table_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<route_table_changes_alarm>` --metric-name `<route_table_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }\"\n```\n\n4. Note the `<route_table_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<route_table_changes_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<route_table_changes_metric>`]'\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for route table changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<route_table_changes_metric>` --metric-transformations metricName= `<route_table_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<route_table_changes_alarm>` --metric-name `<route_table_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }\" ```  4. Note the `<route_table_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<route_table_changes_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<route_table_changes_metric>`]' ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1007,9 +1008,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.",
           "RationaleStatement": "Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for VPC changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<vpc_changes_metric>` --metric-transformations metricName= `<vpc_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<vpc_changes_alarm>` --metric-name `<vpc_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }\"\n```\n\n4. Note the `<vpc_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<vpc_changes_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<vpc_changes_metric>`]'\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for VPC changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<vpc_changes_metric>` --metric-transformations metricName= `<vpc_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<vpc_changes_alarm>` --metric-name `<vpc_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }\" ```  4. Note the `<vpc_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<vpc_changes_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<vpc_changes_metric>`]' ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1028,8 +1029,8 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account.",
           "RationaleStatement": "Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for AWS Organizations changes and the `<cloudtrail_log_group_name>` taken from audit step 1:\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<organizations_changes>` --metric-transformations metricName= `<organizations_changes>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }'\n```\n**Note:** You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify:\n```\naws sns create-topic --name <sns_topic_name>\n```\n**Note:** you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2:\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n**Note:** you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2:\n```\naws cloudwatch put-metric-alarm --alarm-name `<organizations_changes>` --metric-name `<organizations_changes>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "1. Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n- Identify the log group name configured for use with active multi-region CloudTrail:\n- List all CloudTrails: \n```\naws cloudtrail describe-trails\n```\n- Identify Multi region Cloudtrails, Trails with `\"IsMultiRegionTrail\"` set to true\n- From value associated with CloudWatchLogsLogGroupArn note <cloudtrail_log_group_name>\n **Example:** for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup\n\n- Ensure Identified Multi region CloudTrail is active:\n```\naws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>\n```\nEnsure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events:\n```\naws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>\n```\n- Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to true and `ReadWriteType` set to `All`.\n\n2. Get a list of all associated metric filters for this <cloudtrail_log_group_name>:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }\"\n```\n4. Note the `<organizations_changes>` value associated with the filterPattern found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<organizations_changes>` captured in step 4:\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<organizations_changes>`]'\n```\n6. Note the AlarmActions value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic:\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\nExample of valid \"SubscriptionArn\": \n```\n\"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for AWS Organizations changes and the `<cloudtrail_log_group_name>` taken from audit step 1: ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<organizations_changes>` --metric-transformations metricName= `<organizations_changes>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }' ``` **Note:** You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify: ``` aws sns create-topic --name <sns_topic_name> ``` **Note:** you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2: ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ``` **Note:** you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2: ``` aws cloudwatch put-metric-alarm --alarm-name `<organizations_changes>` --metric-name `<organizations_changes>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "1. Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured: - Identify the log group name configured for use with active multi-region CloudTrail: - List all CloudTrails:  ``` aws cloudtrail describe-trails ``` - Identify Multi region Cloudtrails, Trails with `\"IsMultiRegionTrail\"` set to true - From value associated with CloudWatchLogsLogGroupArn note <cloudtrail_log_group_name>  **Example:** for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup  - Ensure Identified Multi region CloudTrail is active: ``` aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail> ``` Ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events: ``` aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails> ``` - Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to true and `ReadWriteType` set to `All`.  2. Get a list of all associated metric filters for this <cloudtrail_log_group_name>: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }\" ``` 4. Note the `<organizations_changes>` value associated with the filterPattern found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<organizations_changes>` captured in step 4: ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<organizations_changes>`]' ``` 6. Note the AlarmActions value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic: ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. Example of valid \"SubscriptionArn\":  ``` \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html"
         }
@@ -1049,8 +1050,8 @@
           "Description": "Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products.",
           "RationaleStatement": "AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices - enabling you to quickly assess the security posture across your AWS accounts.",
           "ImpactStatement": "It is recommended AWS Security Hub be enabled in all regions. AWS Security Hub requires AWS Config to be enabled.",
-          "RemediationProcedure": "To grant the permissions required to enable Security Hub, attach the Security Hub managed policy AWSSecurityHubFullAccess to an IAM user, group, or role.\n\nEnabling Security Hub\n\n**From Console:**\n\n1. Use the credentials of the IAM identity to sign in to the Security Hub console.\n2. When you open the Security Hub console for the first time, choose Enable AWS Security Hub.\n3. On the welcome page, Security standards list the security standards that Security Hub supports.\n4. Choose Enable Security Hub.\n\n**From Command Line:**\n\n1. Run the enable-security-hub command. To enable the default standards, include `--enable-default-standards`.\n```\naws securityhub enable-security-hub --enable-default-standards\n```\n\n2. To enable the security hub without the default standards, include `--no-enable-default-standards`.\n```\naws securityhub enable-security-hub --no-enable-default-standards\n```",
-          "AuditProcedure": "The process to evaluate AWS Security Hub configuration per region \n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.\n2. On the top right of the console, select the target Region.\n3. If presented with the Security Hub > Summary page then Security Hub is set-up for the selected region.\n4. If presented with Setup Security Hub or Get Started With Security Hub - follow the online instructions.\n5. Repeat steps 2 to 4 for each region.",
+          "RemediationProcedure": "To grant the permissions required to enable Security Hub, attach the Security Hub managed policy AWSSecurityHubFullAccess to an IAM user, group, or role.  Enabling Security Hub  **From Console:**  1. Use the credentials of the IAM identity to sign in to the Security Hub console. 2. When you open the Security Hub console for the first time, choose Enable AWS Security Hub. 3. On the welcome page, Security standards list the security standards that Security Hub supports. 4. Choose Enable Security Hub.  **From Command Line:**  1. Run the enable-security-hub command. To enable the default standards, include `--enable-default-standards`. ``` aws securityhub enable-security-hub --enable-default-standards ```  2. To enable the security hub without the default standards, include `--no-enable-default-standards`. ``` aws securityhub enable-security-hub --no-enable-default-standards ```",
+          "AuditProcedure": "The process to evaluate AWS Security Hub configuration per region   **From Console:**  1. Sign in to the AWS Management Console and open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/. 2. On the top right of the console, select the target Region. 3. If presented with the Security Hub > Summary page then Security Hub is set-up for the selected region. 4. If presented with Setup Security Hub or Get Started With Security Hub - follow the online instructions. 5. Repeat steps 2 to 4 for each region.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-get-started.html:https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-enable.html#securityhub-enable-api:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/securityhub/enable-security-hub.html"
         }
@@ -1070,9 +1071,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).",
           "RationaleStatement": "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the `<cloudtrail_log_group_name>` taken from audit step 1.\n\nUse Command: \n\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }'\n```\n\nOr (To reduce false positives incase Single Sign-On (SSO) is used in organization):\n\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<no_mfa_console_signin_alarm>` --metric-name `<no_mfa_console_signin_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all `CloudTrails`:\n\n```\naws cloudtrail describe-trails\n```\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region `CloudTrail` is active\n\n```\naws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>\n```\n\nEnsure in the output that `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region 'Cloudtrail' captures all Management Events\n\n```\naws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>\n```\n\nEnsure in the output there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }\"\n```\n\nOr (To reduce false positives incase Single Sign-On (SSO) is used in organization):\n\n```\n\"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }\"\n```\n\n4. Note the `<no_mfa_console_signin_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<no_mfa_console_signin_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<no_mfa_console_signin_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored\n-Filter pattern set to `{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\"}` reduces false alarms raised when user logs in via SSO account.",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the `<cloudtrail_log_group_name>` taken from audit step 1.  Use Command:   ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }' ```  Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):  ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<no_mfa_console_signin_alarm>` --metric-name `<no_mfa_console_signin_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all `CloudTrails`:  ``` aws cloudtrail describe-trails ```  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region `CloudTrail` is active  ``` aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail> ```  Ensure in the output that `IsLogging` is set to `TRUE`  - Ensure identified Multi-region 'Cloudtrail' captures all Management Events  ``` aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails> ```  Ensure in the output there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }\" ```  Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):  ``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }\" ```  4. Note the `<no_mfa_console_signin_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<no_mfa_console_signin_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<no_mfa_console_signin_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored -Filter pattern set to `{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\"}` reduces false alarms raised when user logs in via SSO account.",
           "References": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/viewing_metrics_with_cloudwatch.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1091,9 +1092,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for 'root' login attempts.",
           "RationaleStatement": "Monitoring for 'root' account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for 'Root' account usage and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<root_usage_metric>` --metric-transformations metricName= `<root_usage_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<root_usage_alarm>` --metric-name `<root_usage_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails:\n\n`aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }\"\n```\n\n4. Note the `<root_usage_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<root_usage_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<root_usage_metric>`]'\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "**Configuring log metric filter and alarm on Multi-region (global) CloudTrail**\n\n- ensures that activities from all regions (used as well as unused) are monitored\n\n- ensures that activities on all supported global services are monitored\n\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for 'Root' account usage and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<root_usage_metric>` --metric-transformations metricName= `<root_usage_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<root_usage_alarm>` --metric-name `<root_usage_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails:  `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }\" ```  4. Note the `<root_usage_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<root_usage_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<root_usage_metric>`]' ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "**Configuring log metric filter and alarm on Multi-region (global) CloudTrail**  - ensures that activities from all regions (used as well as unused) are monitored  - ensures that activities on all supported global services are monitored  - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1112,9 +1113,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.",
           "RationaleStatement": "Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<iam_changes_metric>` --metric-transformations metricName= `<iam_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name `<iam_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails:\n\n`aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}\"\n```\n\n4. Note the `<iam_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<iam_changes_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<iam_changes_metric>`]'\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<iam_changes_metric>` --metric-transformations metricName= `<iam_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name `<iam_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails:  `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}\" ```  4. Note the `<iam_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<iam_changes_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<iam_changes_metric>`]' ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1133,9 +1134,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.",
           "RationaleStatement": "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<cloudtrail_cfg_changes_metric>` --metric-transformations metricName= `<cloudtrail_cfg_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<cloudtrail_cfg_changes_alarm>` --metric-name `<cloudtrail_cfg_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }\"\n```\n\n4. Note the `<cloudtrail_cfg_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<cloudtrail_cfg_changes_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<cloudtrail_cfg_changes_metric>`]'\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<cloudtrail_cfg_changes_metric>` --metric-transformations metricName= `<cloudtrail_cfg_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<cloudtrail_cfg_changes_alarm>` --metric-name `<cloudtrail_cfg_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }\" ```  4. Note the `<cloudtrail_cfg_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<cloudtrail_cfg_changes_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<cloudtrail_cfg_changes_metric>`]' ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1154,9 +1155,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.",
           "RationaleStatement": "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<console_signin_failure_metric>` --metric-transformations metricName= `<console_signin_failure_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }'\n```\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<console_signin_failure_alarm>` --metric-name `<console_signin_failure_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }\"\n```\n\n4. Note the `<console_signin_failure_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<console_signin_failure_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<console_signin_failure_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<console_signin_failure_metric>` --metric-transformations metricName= `<console_signin_failure_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<console_signin_failure_alarm>` --metric-name `<console_signin_failure_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }\" ```  4. Note the `<console_signin_failure_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<console_signin_failure_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<console_signin_failure_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1175,9 +1176,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.",
           "RationaleStatement": "Data encrypted with disabled or deleted keys will no longer be accessible.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<disable_or_delete_cmk_changes_metric>` --metric-transformations metricName= `<disable_or_delete_cmk_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }'\n```\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<disable_or_delete_cmk_changes_alarm>` --metric-name `<disable_or_delete_cmk_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }\"\n```\n4. Note the `<disable_or_delete_cmk_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<disable_or_delete_cmk_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<disable_or_delete_cmk_changes_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<disable_or_delete_cmk_changes_metric>` --metric-transformations metricName= `<disable_or_delete_cmk_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<disable_or_delete_cmk_changes_alarm>` --metric-name `<disable_or_delete_cmk_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }\" ``` 4. Note the `<disable_or_delete_cmk_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<disable_or_delete_cmk_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<disable_or_delete_cmk_changes_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1196,9 +1197,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.",
           "RationaleStatement": "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<s3_bucket_policy_changes_metric>` --metric-transformations metricName= `<s3_bucket_policy_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<s3_bucket_policy_changes_alarm>` --metric-name `<s3_bucket_policy_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }\"\n```\n4. Note the `<s3_bucket_policy_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<s3_bucket_policy_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<s3_bucket_policy_changes_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<s3_bucket_policy_changes_metric>` --metric-transformations metricName= `<s3_bucket_policy_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<s3_bucket_policy_changes_alarm>` --metric-name `<s3_bucket_policy_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }\" ``` 4. Note the `<s3_bucket_policy_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<s3_bucket_policy_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<s3_bucket_policy_changes_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1217,9 +1218,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.",
           "RationaleStatement": "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<aws_config_changes_metric>` --metric-transformations metricName= `<aws_config_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<aws_config_changes_alarm>` --metric-name `<aws_config_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }\"\n```\n4. Note the `<aws_config_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<aws_config_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<aws_config_changes_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<aws_config_changes_metric>` --metric-transformations metricName= `<aws_config_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<aws_config_changes_alarm>` --metric-name `<aws_config_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }\" ``` 4. Note the `<aws_config_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<aws_config_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<aws_config_changes_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1240,8 +1241,8 @@
           "Description": "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.",
           "RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\nPerform the following:\n1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home\n2. In the left pane, click `Network ACLs`\n3. For each network ACL to remediate, perform the following:\n - Select the network ACL\n - Click the `Inbound Rules` tab\n - Click `Edit inbound rules`\n - Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule\n - Click `Save`",
-          "AuditProcedure": "**From Console:**\n\nPerform the following to determine if the account is configured as prescribed:\n1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home\n2. In the left pane, click `Network ACLs`\n3. For each network ACL, perform the following:\n - Select the network ACL\n - Click the `Inbound Rules` tab\n - Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` and shows `ALLOW`\n\n**Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports",
+          "RemediationProcedure": "**From Console:**  Perform the following: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. For each network ACL to remediate, perform the following:  - Select the network ACL  - Click the `Inbound Rules` tab  - Click `Edit inbound rules`  - Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule  - Click `Save`",
+          "AuditProcedure": "**From Console:**  Perform the following to determine if the account is configured as prescribed: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. For each network ACL, perform the following:  - Select the network ACL  - Click the `Inbound Rules` tab  - Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` and shows `ALLOW`  **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison"
         }
@@ -1263,8 +1264,8 @@
           "Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.",
           "RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.",
           "ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the 0.0.0.0/0 inbound rule.",
-          "RemediationProcedure": "Perform the following to implement the prescribed state:\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. In the left pane, click `Security Groups` \n3. For each security group, perform the following:\n1. Select the security group\n2. Click the `Inbound Rules` tab\n3. Click the `Edit inbound rules` button\n4. Identify the rules to be edited or removed\n5. Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule\n6. Click `Save rules`",
-          "AuditProcedure": "Perform the following to determine if the account is configured as prescribed:\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. In the left pane, click `Security Groups` \n3. For each security group, perform the following:\n1. Select the security group\n2. Click the `Inbound Rules` tab\n3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` \n\n**Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.",
+          "RemediationProcedure": "Perform the following to implement the prescribed state:  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`  3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule 6. Click `Save rules`",
+          "AuditProcedure": "Perform the following to determine if the account is configured as prescribed:  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`  3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0`   **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule"
         }
@@ -1286,8 +1287,8 @@
           "Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.",
           "RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.",
           "ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the ::/0 inbound rule.",
-          "RemediationProcedure": "Perform the following to implement the prescribed state:\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. In the left pane, click `Security Groups` \n3. For each security group, perform the following:\n1. Select the security group\n2. Click the `Inbound Rules` tab\n3. Click the `Edit inbound rules` button\n4. Identify the rules to be edited or removed\n5. Either A) update the Source field to a range other than ::/0, or, B) Click `Delete` to remove the offending inbound rule\n6. Click `Save rules`",
-          "AuditProcedure": "Perform the following to determine if the account is configured as prescribed:\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. In the left pane, click `Security Groups` \n3. For each security group, perform the following:\n1. Select the security group\n2. Click the `Inbound Rules` tab\n3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `::/0` \n\n**Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.",
+          "RemediationProcedure": "Perform the following to implement the prescribed state:  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`  3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than ::/0, or, B) Click `Delete` to remove the offending inbound rule 6. Click `Save rules`",
+          "AuditProcedure": "Perform the following to determine if the account is configured as prescribed:  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`  3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `::/0`   **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule"
         }
@@ -1304,11 +1305,11 @@
           "Section": "5. Networking",
           "Profile": "Level 2",
           "AssessmentStatus": "Automated",
-          "Description": "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.\n\nThe default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.\n\n**NOTE:** When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.",
+          "Description": "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.  The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.  **NOTE:** When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.",
           "RationaleStatement": "Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources.",
           "ImpactStatement": "Implementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.",
-          "RemediationProcedure": "Security Group Members\n\nPerform the following to implement the prescribed state:\n\n1. Identify AWS resources that exist within the default security group\n2. Create a set of least privilege security groups for those resources\n3. Place the resources in those security groups\n4. Remove the resources noted in #1 from the default security group\n\nSecurity Group State\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:\n3. In the left pane, click `Security Groups` \n4. For each default security group, perform the following:\n1. Select the `default` security group\n2. Click the `Inbound Rules` tab\n3. Remove any inbound rules\n4. Click the `Outbound Rules` tab\n5. Remove any Outbound rules\n\nRecommended:\n\nIAM groups allow you to edit the \"name\" field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to \"DO NOT USE. DO NOT ADD RULES\"",
-          "AuditProcedure": "Perform the following to determine if the account is configured as prescribed:\n\nSecurity Group State\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:\n3. In the left pane, click `Security Groups` \n4. For each default security group, perform the following:\n1. Select the `default` security group\n2. Click the `Inbound Rules` tab\n3. Ensure no rule exist\n4. Click the `Outbound Rules` tab\n5. Ensure no rules exist\n\nSecurity Group Members\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS region:\n3. In the left pane, click `Security Groups` \n4. Copy the id of the default security group.\n5. Change to the EC2 Management Console at https://console.aws.amazon.com/ec2/v2/home\n6. In the filter column type 'Security Group ID : < security group id from #4 >'",
+          "RemediationProcedure": "Security Group Members  Perform the following to implement the prescribed state:  1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security group  Security Group State  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`  4. For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Remove any inbound rules 4. Click the `Outbound Rules` tab 5. Remove any Outbound rules  Recommended:  IAM groups allow you to edit the \"name\" field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to \"DO NOT USE. DO NOT ADD RULES\"",
+          "AuditProcedure": "Perform the following to determine if the account is configured as prescribed:  Security Group State  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`  4. For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exist 4. Click the `Outbound Rules` tab 5. Ensure no rules exist  Security Group Members  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`  4. Copy the id of the default security group. 5. Change to the EC2 Management Console at https://console.aws.amazon.com/ec2/v2/home 6. In the filter column type 'Security Group ID : < security group id from #4 >'",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group"
         }
@@ -1328,8 +1329,8 @@
           "Description": "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.",
           "RationaleStatement": "Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.\n\n**From Command Line:**\n\n1. For each _<route\\_table\\_id>_ containing routes non compliant with your routing policy (which grants more than desired \"least access\"), delete the non compliant route:\n```\naws ec2 delete-route --route-table-id <route_table_id> --destination-cidr-block <non_compliant_destination_CIDR>\n```\n 2. Create a new compliant route:\n```\naws ec2 create-route --route-table-id <route_table_id> --destination-cidr-block <compliant_destination_CIDR> --vpc-peering-connection-id <peering_connection_id>\n```",
-          "AuditProcedure": "Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.\n\n**From Command Line:**\n\n1. List all the route tables from a VPC and check if \"GatewayId\" is pointing to a _<peering\\_connection\\_id>_ (e.g. pcx-1a2b3c4d) and if \"DestinationCidrBlock\" is as specific as desired.\n```\naws ec2 describe-route-tables --filter \"Name=vpc-id,Values=<vpc_id>\" --query \"RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}\"\n```",
+          "RemediationProcedure": "Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.  **From Command Line:**  1. For each _<route\\_table\\_id>_ containing routes non compliant with your routing policy (which grants more than desired \"least access\"), delete the non compliant route: ``` aws ec2 delete-route --route-table-id <route_table_id> --destination-cidr-block <non_compliant_destination_CIDR> ```  2. Create a new compliant route: ``` aws ec2 create-route --route-table-id <route_table_id> --destination-cidr-block <compliant_destination_CIDR> --vpc-peering-connection-id <peering_connection_id> ```",
+          "AuditProcedure": "Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.  **From Command Line:**  1. List all the route tables from a VPC and check if \"GatewayId\" is pointing to a _<peering\\_connection\\_id>_ (e.g. pcx-1a2b3c4d) and if \"DestinationCidrBlock\" is as specific as desired. ``` aws ec2 describe-route-tables --filter \"Name=vpc-id,Values=<vpc_id>\" --query \"RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}\" ```",
           "AdditionalInformation": "If an organization has AWS transit gateway implemented in their VPC architecture they should look to apply the recommendation above for \"least access\" routing architecture at the AWS transit gateway level in combination with what must be implemented at the standard VPC route table. More specifically, to route traffic between two or more VPCs via a transit gateway VPCs must have an attachment to a transit gateway route table as well as a route, therefore to avoid routing traffic between VPCs an attachment to the transit gateway route table should only be added where there is an intention to route traffic between the VPCs. As transit gateways are able to host multiple route tables it is possible to group VPCs by attaching them to a common route table.",
           "References": "https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html:https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-peering-connection.html"
         }

prowler/compliance/aws/cis_2.0_aws.json

@@ -15,11 +15,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Manual",
-          "Description": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.\n\nAn AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.",
+          "Description": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.  An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.",
           "RationaleStatement": "If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question, so it is in both the customers' and AWS' best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.",
           "ImpactStatement": "",
-          "RemediationProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing ).\n\n1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/.\n2. On the navigation bar, choose your account name, and then choose `My Account`.\n3. On the `Account Settings` page, next to `Account Settings`, choose `Edit`.\n4. Next to the field that you need to update, choose `Edit`.\n5. After you have entered your changes, choose `Save changes`.\n6. After you have made your changes, choose `Done`.\n7. To edit your contact information, under `Contact Information`, choose `Edit`.\n8. For the fields that you want to change, type your updated information, and then choose `Update`.",
-          "AuditProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing )\n\n1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/.\n2. On the navigation bar, choose your account name, and then choose `My Account`.\n3. On the `Account Settings` page, review and verify the current details.\n4. Under `Contact Information`, review and verify the current details.",
+          "RemediationProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing ).  1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, next to `Account Settings`, choose `Edit`. 4. Next to the field that you need to update, choose `Edit`. 5. After you have entered your changes, choose `Save changes`. 6. After you have made your changes, choose `Done`. 7. To edit your contact information, under `Contact Information`, choose `Edit`. 8. For the fields that you want to change, type your updated information, and then choose `Update`.",
+          "AuditProcedure": "This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:\\*Billing )  1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/. 2. On the navigation bar, choose your account name, and then choose `My Account`. 3. On the `Account Settings` page, review and verify the current details. 4. Under `Contact Information`, review and verify the current details.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#contact-info"
         }
@@ -39,9 +39,9 @@
           "Description": "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.",
           "RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.",
           "ImpactStatement": "AWS will soon end support for SMS multi-factor authentication (MFA). New customers are not allowed to use this feature. We recommend that existing customers switch to one of the following alternative methods of MFA.",
-          "RemediationProcedure": "Perform the following to enable MFA:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/'\n2. In the left pane, select `Users`.\n3. In the `User Name` list, choose the name of the intended MFA user.\n4. Choose the `Security Credentials` tab, and then choose `Manage MFA Device`.\n5. In the `Manage MFA Device wizard`, choose `Virtual MFA` device, and then choose `Continue`.\n\n IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.\n\n6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).\n7. Determine whether the MFA app supports QR codes, and then do one of the following:\n\n - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.\n - In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.\n\n When you are finished, the virtual MFA device starts generating one-time passwords.\n\n8. In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second `one-time password` into the `MFA Code 2 box`.\n\n9. Click `Assign MFA`.",
-          "AuditProcedure": "Perform the following to determine if a MFA device is enabled for all IAM users having a console password:\n\n**From Console:**\n\n1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. In the left pane, select `Users` \n3. If the `MFA` or `Password age` columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click `Close`.\n4. Ensure that for each user where the `Password age` column shows a password age, the `MFA` column shows `Virtual`, `U2F Security Key`, or `Hardware`.\n\n**From Command Line:**\n\n1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status:\n```\n aws iam generate-credential-report\n```\n```\n aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8 \n```\n2. The output of this command will produce a table similar to the following:\n```\n user,password_enabled,mfa_active\n elise,false,false\n brandon,true,true\n rakesh,false,false\n helene,false,false\n paras,true,true\n anitha,false,false \n```\n3. For any column having `password_enabled` set to `true` , ensure `mfa_active` is also set to `true.`",
-          "AdditionalInformation": "**Forced IAM User Self-Service Remediation**\n\nAmazon has published a pattern that forces users to self-service setup MFA before they have access to their complete permissions set. Until they complete this step, they cannot access their full permissions. This pattern can be used on new AWS accounts. It can also be used on existing accounts - it is recommended users are given instructions and a grace period to accomplish MFA enrollment before active enforcement on existing AWS accounts.",
+          "RemediationProcedure": "Perform the following to enable MFA:  **From Console:**  1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/' 2. In the left pane, select `Users`. 3. In the `User Name` list, choose the name of the intended MFA user. 4. Choose the `Security Credentials` tab, and then choose `Manage MFA Device`. 5. In the `Manage MFA Device wizard`, choose `Virtual MFA` device, and then choose `Continue`.   IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.  6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following:   - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.  - In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.   When you are finished, the virtual MFA device starts generating one-time passwords.  8. In the `Manage MFA Device wizard`, in the `MFA Code 1 box`, type the `one-time password` that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second `one-time password` into the `MFA Code 2 box`.  9. Click `Assign MFA`.",
+          "AuditProcedure": "Perform the following to determine if a MFA device is enabled for all IAM users having a console password:  **From Console:**  1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left pane, select `Users`  3. If the `MFA` or `Password age` columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click `Close`. 4. Ensure that for each user where the `Password age` column shows a password age, the `MFA` column shows `Virtual`, `U2F Security Key`, or `Hardware`.  **From Command Line:**  1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status: ```  aws iam generate-credential-report ``` ```  aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8  ``` 2. The output of this command will produce a table similar to the following: ```  user,password_enabled,mfa_active  elise,false,false  brandon,true,true  rakesh,false,false  helene,false,false  paras,true,true  anitha,false,false  ``` 3. For any column having `password_enabled` set to `true` , ensure `mfa_active` is also set to `true.`",
+          "AdditionalInformation": "**Forced IAM User Self-Service Remediation**  Amazon has published a pattern that forces users to self-service setup MFA before they have access to their complete permissions set. Until they complete this step, they cannot access their full permissions. This pattern can be used on new AWS accounts. It can also be used on existing accounts - it is recommended users are given instructions and a grace period to accomplish MFA enrollment before active enforcement on existing AWS accounts.",
           "References": "https://tools.ietf.org/html/rfc6238:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users"
         }
       ]
@@ -57,11 +57,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require. \n\nProgrammatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user. \n\nAWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.",
-          "RationaleStatement": "Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.\n\n**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.",
+          "Description": "AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require.   Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user.   AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.",
+          "RationaleStatement": "Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.  **Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to delete access keys that do not pass the audit:\n\n**From Console:**\n\n1. Login to the AWS Management Console:\n2. Click `Services` \n3. Click `IAM` \n4. Click on `Users` \n5. Click on `Security Credentials` \n6. As an Administrator \n - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.\n7. As an IAM User\n - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.\n\n**From Command Line:**\n```\naws iam delete-access-key --access-key-id <access-key-id-listed> --user-name <users-name>\n```",
-          "AuditProcedure": "Perform the following to determine if access keys were created upon user creation and are being used and rotated as prescribed:\n\n**From Console:**\n\n1. Login to the AWS Management Console\n2. Click `Services` \n3. Click `IAM` \n4. Click on a User where column `Password age` and `Access key age` is not set to `None`\n5. Click on `Security credentials` Tab\n6. Compare the user 'Creation time` to the Access Key `Created` date.\n6. For any that match, the key was created during initial user setup.\n\n- Keys that were created at the same time as the user profile and do not have a last used date should be deleted. Refer to the remediation below.\n\n**From Command Line:**\n\n1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys utilization:\n```\n aws iam generate-credential-report\n```\n```\n aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16\n```\n2. The output of this command will produce a table similar to the following:\n```\nuser,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date\n elise,false,true,2015-04-16T15:14:00+00:00,false,N/A\n brandon,true,true,N/A,false,N/A\n rakesh,false,false,N/A,false,N/A\n helene,false,true,2015-11-18T17:47:00+00:00,false,N/A\n paras,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00\n anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A \n```\n3. For any user having `password_enabled` set to `true` AND `access_key_last_used_date` set to `N/A` refer to the remediation below.",
+          "RemediationProcedure": "Perform the following to delete access keys that do not pass the audit:  **From Console:**  1. Login to the AWS Management Console: 2. Click `Services`  3. Click `IAM`  4. Click on `Users`  5. Click on `Security Credentials`  6. As an Administrator   - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used. 7. As an IAM User  - Click on the X `(Delete)` for keys that were created at the same time as the user profile but have not been used.  **From Command Line:** ``` aws iam delete-access-key --access-key-id <access-key-id-listed> --user-name <users-name> ```",
+          "AuditProcedure": "Perform the following to determine if access keys were created upon user creation and are being used and rotated as prescribed:  **From Console:**  1. Login to the AWS Management Console 2. Click `Services`  3. Click `IAM`  4. Click on a User where column `Password age` and `Access key age` is not set to `None` 5. Click on `Security credentials` Tab 6. Compare the user 'Creation time` to the Access Key `Created` date. 6. For any that match, the key was created during initial user setup.  - Keys that were created at the same time as the user profile and do not have a last used date should be deleted. Refer to the remediation below.  **From Command Line:**  1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys utilization: ```  aws iam generate-credential-report ``` ```  aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16 ``` 2. The output of this command will produce a table similar to the following: ``` user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date  elise,false,true,2015-04-16T15:14:00+00:00,false,N/A  brandon,true,true,N/A,false,N/A  rakesh,false,false,N/A,false,N/A  helene,false,true,2015-11-18T17:47:00+00:00,false,N/A  paras,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00  anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A  ``` 3. For any user having `password_enabled` set to `true` AND `access_key_last_used_date` set to `N/A` refer to the remediation below.",
           "AdditionalInformation": "Credential report does not appear to contain \"Key Creation Date\"",
           "References": "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html"
         }
@@ -71,7 +71,8 @@
       "Id": "1.12",
       "Description": "Ensure credentials unused for 45 days or greater are disabled",
       "Checks": [
-        "iam_disable_45_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ],
       "Attributes": [
         {
@@ -81,8 +82,8 @@
           "Description": "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.",
           "RationaleStatement": "Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\nPerform the following to manage Unused Password (IAM user console access)\n\n1. Login to the AWS Management Console:\n2. Click `Services` \n3. Click `IAM` \n4. Click on `Users` \n5. Click on `Security Credentials` \n6. Select user whose `Console last sign-in` is greater than 45 days\n7. Click `Security credentials`\n8. In section `Sign-in credentials`, `Console password` click `Manage` \n9. Under Console Access select `Disable`\n10.Click `Apply`\n\nPerform the following to deactivate Access Keys:\n\n1. Login to the AWS Management Console:\n2. Click `Services` \n3. Click `IAM` \n4. Click on `Users` \n5. Click on `Security Credentials` \n6. Select any access keys that are over 45 days old and that have been used and \n - Click on `Make Inactive`\n7. Select any access keys that are over 45 days old and that have not been used and \n - Click the X to `Delete`",
-          "AuditProcedure": "Perform the following to determine if unused credentials exist:\n\n**From Console:**\n\n1. Login to the AWS Management Console\n2. Click `Services` \n3. Click `IAM`\n4. Click on `Users`\n5. Click the `Settings` (gear) icon.\n6. Select `Console last sign-in`, `Access key last used`, and `Access Key Id`\n7. Click on `Close` \n8. Check and ensure that `Console last sign-in` is less than 45 days ago.\n\n**Note** - `Never` means the user has never logged in.\n\n9. Check and ensure that `Access key age` is less than 45 days and that `Access key last used` does not say `None`\n\nIf the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old refer to the remediation.\n\n**From Command Line:**\n\n**Download Credential Report:**\n\n1. Run the following commands:\n```\n aws iam generate-credential-report\n\n aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | grep -v '^<root_account>'\n```\n\n**Ensure unused credentials do not exist:**\n\n2. For each user having `password_enabled` set to `TRUE` , ensure `password_last_used_date` is less than `45` days ago.\n\n- When `password_enabled` is set to `TRUE` and `password_last_used` is set to `No_Information` , ensure `password_last_changed` is less than 45 days ago.\n\n3. For each user having an `access_key_1_active` or `access_key_2_active` to `TRUE` , ensure the corresponding `access_key_n_last_used_date` is less than `45` days ago.\n\n- When a user having an `access_key_x_active` (where x is 1 or 2) to `TRUE` and corresponding access_key_x_last_used_date is set to `N/A', ensure `access_key_x_last_rotated` is less than 45 days ago.",
+          "RemediationProcedure": "**From Console:**  Perform the following to manage Unused Password (IAM user console access)  1. Login to the AWS Management Console: 2. Click `Services`  3. Click `IAM`  4. Click on `Users`  5. Click on `Security Credentials`  6. Select user whose `Console last sign-in` is greater than 45 days 7. Click `Security credentials` 8. In section `Sign-in credentials`, `Console password` click `Manage`  9. Under Console Access select `Disable` 10.Click `Apply`  Perform the following to deactivate Access Keys:  1. Login to the AWS Management Console: 2. Click `Services`  3. Click `IAM`  4. Click on `Users`  5. Click on `Security Credentials`  6. Select any access keys that are over 45 days old and that have been used and   - Click on `Make Inactive` 7. Select any access keys that are over 45 days old and that have not been used and   - Click the X to `Delete`",
+          "AuditProcedure": "Perform the following to determine if unused credentials exist:  **From Console:**  1. Login to the AWS Management Console 2. Click `Services`  3. Click `IAM` 4. Click on `Users` 5. Click the `Settings` (gear) icon. 6. Select `Console last sign-in`, `Access key last used`, and `Access Key Id` 7. Click on `Close`  8. Check and ensure that `Console last sign-in` is less than 45 days ago.  **Note** - `Never` means the user has never logged in.  9. Check and ensure that `Access key age` is less than 45 days and that `Access key last used` does not say `None`  If the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old refer to the remediation.  **From Command Line:**  **Download Credential Report:**  1. Run the following commands: ```  aws iam generate-credential-report   aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | grep -v '^<root_account>' ```  **Ensure unused credentials do not exist:**  2. For each user having `password_enabled` set to `TRUE` , ensure `password_last_used_date` is less than `45` days ago.  - When `password_enabled` is set to `TRUE` and `password_last_used` is set to `No_Information` , ensure `password_last_changed` is less than 45 days ago.  3. For each user having an `access_key_1_active` or `access_key_2_active` to `TRUE` , ensure the corresponding `access_key_n_last_used_date` is less than `45` days ago.  - When a user having an `access_key_x_active` (where x is 1 or 2) to `TRUE` and corresponding access_key_x_last_used_date is set to `N/A', ensure `access_key_x_last_rotated` is less than 45 days ago.",
           "AdditionalInformation": "<root_account> is excluded in the audit since the root account should not be used for day to day business and would likely be unused for more than 45 days.",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#remove-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html"
         }
@@ -102,8 +103,8 @@
           "Description": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)",
           "RationaleStatement": "Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`.\n2. In the left navigation panel, choose `Users`.\n3. Click on the IAM user name that you want to examine.\n4. On the IAM user configuration page, select `Security Credentials` tab.\n5. In `Access Keys` section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.\n6. In the same `Access Keys` section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the `Make Inactive` link.\n7. If you receive the `Change Key Status` confirmation box, click `Deactivate` to switch off the selected key.\n8. Repeat steps no. 3 – 7 for each IAM user in your AWS account.\n\n**From Command Line:**\n\n1. Using the IAM user and access key information provided in the `Audit CLI`, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.\n\n2. Run the `update-access-key` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user\n\n**Note** - the command does not return any output:\n```\naws iam update-access-key --access-key-id <access-key-id> --status Inactive --user-name <user-name>\n```\n3. To confirm that the selected access key pair has been successfully `deactivated` run the `list-access-keys` audit command again for that IAM User:\n```\naws iam list-access-keys --user-name <user-name>\n```\n- The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) `Status` is set to `Inactive`, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.\n\n4. Repeat steps no. 1 – 3 for each IAM user in your AWS account.",
-          "AuditProcedure": "**From Console:**\n\n1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`.\n2. In the left navigation panel, choose `Users`.\n3. Click on the IAM user name that you want to examine.\n4. On the IAM user configuration page, select `Security Credentials` tab.\n5. Under `Access Keys` section, in the Status column, check the current status for each access key associated with the IAM user. If the selected IAM user has more than one access key activated then the users access configuration does not adhere to security best practices and the risk of accidental exposures increases.\n- Repeat steps no. 3 – 5 for each IAM user in your AWS account.\n\n**From Command Line:**\n\n1. Run `list-users` command to list all IAM users within your account:\n```\naws iam list-users --query \"Users[*].UserName\"\n```\nThe command output should return an array that contains all your IAM user names.\n\n2. Run `list-access-keys` command using the IAM user name list to return the current status of each access key associated with the selected IAM user:\n```\naws iam list-access-keys --user-name <user-name>\n```\nThe command output should expose the metadata `(\"Username\", \"AccessKeyId\", \"Status\", \"CreateDate\")` for each access key on that user account.\n\n3. Check the `Status` property value for each key returned to determine each keys current state. If the `Status` property value for more than one IAM access key is set to `Active`, the user access configuration does not adhere to this recommendation, refer to the remediation below.\n\n- Repeat steps no. 2 and 3 for each IAM user in your AWS account.",
+          "RemediationProcedure": "**From Console:**  1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. In `Access Keys` section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working. 6. In the same `Access Keys` section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the `Make Inactive` link. 7. If you receive the `Change Key Status` confirmation box, click `Deactivate` to switch off the selected key. 8. Repeat steps no. 3 – 7 for each IAM user in your AWS account.  **From Command Line:**  1. Using the IAM user and access key information provided in the `Audit CLI`, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.  2. Run the `update-access-key` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user  **Note** - the command does not return any output: ``` aws iam update-access-key --access-key-id <access-key-id> --status Inactive --user-name <user-name> ``` 3. To confirm that the selected access key pair has been successfully `deactivated` run the `list-access-keys` audit command again for that IAM User: ``` aws iam list-access-keys --user-name <user-name> ``` - The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) `Status` is set to `Inactive`, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.  4. Repeat steps no. 1 – 3 for each IAM user in your AWS account.",
+          "AuditProcedure": "**From Console:**  1. Sign in to the AWS Management Console and navigate to IAM dashboard at `https://console.aws.amazon.com/iam/`. 2. In the left navigation panel, choose `Users`. 3. Click on the IAM user name that you want to examine. 4. On the IAM user configuration page, select `Security Credentials` tab. 5. Under `Access Keys` section, in the Status column, check the current status for each access key associated with the IAM user. If the selected IAM user has more than one access key activated then the users access configuration does not adhere to security best practices and the risk of accidental exposures increases. - Repeat steps no. 3 – 5 for each IAM user in your AWS account.  **From Command Line:**  1. Run `list-users` command to list all IAM users within your account: ``` aws iam list-users --query \"Users[*].UserName\" ``` The command output should return an array that contains all your IAM user names.  2. Run `list-access-keys` command using the IAM user name list to return the current status of each access key associated with the selected IAM user: ``` aws iam list-access-keys --user-name <user-name> ``` The command output should expose the metadata `(\"Username\", \"AccessKeyId\", \"Status\", \"CreateDate\")` for each access key on that user account.  3. Check the `Status` property value for each key returned to determine each keys current state. If the `Status` property value for more than one IAM access key is set to `Active`, the user access configuration does not adhere to this recommendation, refer to the remediation below.  - Repeat steps no. 2 and 3 for each IAM user in your AWS account.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html"
         }
@@ -121,10 +122,10 @@
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
           "Description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.",
-          "RationaleStatement": "Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.\n\nAccess keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.",
+          "RationaleStatement": "Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.  Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to rotate access keys:\n\n**From Console:**\n\n1. Go to Management Console (https://console.aws.amazon.com/iam)\n2. Click on `Users`\n3. Click on `Security Credentials` \n4. As an Administrator \n - Click on `Make Inactive` for keys that have not been rotated in `90` Days\n5. As an IAM User\n - Click on `Make Inactive` or `Delete` for keys which have not been rotated or used in `90` Days\n6. Click on `Create Access Key` \n7. Update programmatic call with new Access Key credentials\n\n**From Command Line:**\n\n1. While the first access key is still active, create a second access key, which is active by default. Run the following command:\n```\naws iam create-access-key\n```\n\nAt this point, the user has two active access keys.\n\n2. Update all applications and tools to use the new access key.\n3. Determine whether the first access key is still in use by using this command:\n```\naws iam get-access-key-last-used\n```\n4. One approach is to wait several days and then check the old access key for any use before proceeding.\n\nEven if step Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command:\n```\naws iam update-access-key\n```\n5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to step Step 2 and update this application to use the new key.\n\n6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command:\n```\naws iam delete-access-key\n```",
-          "AuditProcedure": "Perform the following to determine if access keys are rotated as prescribed:\n\n**From Console:**\n\n1. Go to Management Console (https://console.aws.amazon.com/iam)\n2. Click on `Users`\n3. Click `setting` icon\n4. Select `Console last sign-in`\n5. Click `Close`\n6. Ensure that `Access key age` is less than 90 days ago. note) `None` in the `Access key age` means the user has not used the access key.\n\n**From Command Line:**\n\n```\naws iam generate-credential-report\naws iam get-credential-report --query 'Content' --output text | base64 -d\n```\nThe `access_key_1_last_rotated` field in this file notes The date and time, in ISO 8601 date-time format, when the user's access key was created or last changed. If the user does not have an active access key, the value in this field is N/A (not applicable).",
+          "RemediationProcedure": "Perform the following to rotate access keys:  **From Console:**  1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click on `Security Credentials`  4. As an Administrator   - Click on `Make Inactive` for keys that have not been rotated in `90` Days 5. As an IAM User  - Click on `Make Inactive` or `Delete` for keys which have not been rotated or used in `90` Days 6. Click on `Create Access Key`  7. Update programmatic call with new Access Key credentials  **From Command Line:**  1. While the first access key is still active, create a second access key, which is active by default. Run the following command: ``` aws iam create-access-key ```  At this point, the user has two active access keys.  2. Update all applications and tools to use the new access key. 3. Determine whether the first access key is still in use by using this command: ``` aws iam get-access-key-last-used ``` 4. One approach is to wait several days and then check the old access key for any use before proceeding.  Even if step Step 3 indicates no use of the old key, it is recommended that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command: ``` aws iam update-access-key ``` 5. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to step Step 2 and update this application to use the new key.  6. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command: ``` aws iam delete-access-key ```",
+          "AuditProcedure": "Perform the following to determine if access keys are rotated as prescribed:  **From Console:**  1. Go to Management Console (https://console.aws.amazon.com/iam) 2. Click on `Users` 3. Click `setting` icon 4. Select `Console last sign-in` 5. Click `Close` 6. Ensure that `Access key age` is less than 90 days ago. note) `None` in the `Access key age` means the user has not used the access key.  **From Command Line:**  ``` aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d ``` The `access_key_1_last_rotated` field in this file notes The date and time, in ISO 8601 date-time format, when the user's access key was created or last changed. If the user does not have an active access key, the value in this field is N/A (not applicable).",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html:https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html"
         }
@@ -141,11 +142,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. \n\nOnly the third implementation is recommended.",
+          "Description": "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy.   Only the third implementation is recommended.",
           "RationaleStatement": "Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to create an IAM group and assign a policy to it:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. In the navigation pane, click `Groups` and then click `Create New Group` .\n3. In the `Group Name` box, type the name of the group and then click `Next Step` .\n4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step` .\n5. Click `Create Group` \n\nPerform the following to add a user to a given group:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. In the navigation pane, click `Groups` \n3. Select the group to add a user to\n4. Click `Add Users To Group` \n5. Select the users to be added to the group\n6. Click `Add Users` \n\nPerform the following to remove a direct association between a user and policy:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. In the left navigation pane, click on Users\n3. For each user:\n - Select the user\n - Click on the `Permissions` tab\n - Expand `Permissions policies` \n - Click `X` for each policy; then click Detach or Remove (depending on policy type)",
-          "AuditProcedure": "Perform the following to determine if an inline policy is set or a policy is directly attached to users:\n\n1. Run the following to get a list of IAM users:\n```\n aws iam list-users --query 'Users[*].UserName' --output text \n```\n2. For each user returned, run the following command to determine if any policies are attached to them:\n```\n aws iam list-attached-user-policies --user-name <iam_user>\n aws iam list-user-policies --user-name <iam_user> \n```\n3. If any policies are returned, the user has an inline policy or direct policy attachment.",
+          "RemediationProcedure": "Perform the following to create an IAM group and assign a policy to it:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups` and then click `Create New Group` . 3. In the `Group Name` box, type the name of the group and then click `Next Step` . 4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step` . 5. Click `Create Group`   Perform the following to add a user to a given group:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click `Groups`  3. Select the group to add a user to 4. Click `Add Users To Group`  5. Select the users to be added to the group 6. Click `Add Users`   Perform the following to remove a direct association between a user and policy:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the left navigation pane, click on Users 3. For each user:  - Select the user  - Click on the `Permissions` tab  - Expand `Permissions policies`   - Click `X` for each policy; then click Detach or Remove (depending on policy type)",
+          "AuditProcedure": "Perform the following to determine if an inline policy is set or a policy is directly attached to users:  1. Run the following to get a list of IAM users: ```  aws iam list-users --query 'Users[*].UserName' --output text  ``` 2. For each user returned, run the following command to determine if any policies are attached to them: ```  aws iam list-attached-user-policies --user-name <iam_user>  aws iam list-user-policies --user-name <iam_user>  ``` 3. If any policies are returned, the user has an inline policy or direct policy attachment.",
           "AdditionalInformation": "",
           "References": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html"
         }
@@ -164,10 +165,10 @@
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
           "Description": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant _least privilege_ -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform _only_ those tasks, instead of allowing full administrative privileges.",
-          "RationaleStatement": "It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.\n\nProviding full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.\n\nIAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"\\*\" over \"Resource\": \"\\*\" should be removed.",
+          "RationaleStatement": "It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.  Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.  IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"\\*\" over \"Resource\": \"\\*\" should be removed.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\nPerform the following to detach the policy that has full administrative privileges:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. In the navigation pane, click Policies and then search for the policy name found in the audit step.\n3. Select the policy that needs to be deleted.\n4. In the policy action menu, select first `Detach` \n5. Select all Users, Groups, Roles that have this policy attached\n6. Click `Detach Policy` \n7. In the policy action menu, select `Detach` \n\n**From Command Line:**\n\nPerform the following to detach the policy that has full administrative privileges as found in the audit step:\n\n1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.\n\n```\n aws iam list-entities-for-policy --policy-arn <policy_arn>\n```\n2. Detach the policy from all IAM Users:\n```\n aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>\n```\n3. Detach the policy from all IAM Groups:\n```\n aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>\n```\n4. Detach the policy from all IAM Roles:\n```\n aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>\n```",
-          "AuditProcedure": "Perform the following to determine what policies are created:\n\n**From Command Line:**\n\n1. Run the following to get a list of IAM policies:\n```\n aws iam list-policies --only-attached --output text\n```\n2. For each policy returned, run the following command to determine if any policies is allowing full administrative privileges on the account:\n```\n aws iam get-policy-version --policy-arn <policy_arn> --version-id <version>\n```\n3. In output ensure policy should not have any Statement block with `\"Effect\": \"Allow\"` and `Action` set to `\"*\"` and `Resource` set to `\"*\"`",
+          "RemediationProcedure": "**From Console:**  Perform the following to detach the policy that has full administrative privileges:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. In the navigation pane, click Policies and then search for the policy name found in the audit step. 3. Select the policy that needs to be deleted. 4. In the policy action menu, select first `Detach`  5. Select all Users, Groups, Roles that have this policy attached 6. Click `Detach Policy`  7. In the policy action menu, select `Detach`   **From Command Line:**  Perform the following to detach the policy that has full administrative privileges as found in the audit step:  1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.  ```  aws iam list-entities-for-policy --policy-arn <policy_arn> ``` 2. Detach the policy from all IAM Users: ```  aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn> ``` 3. Detach the policy from all IAM Groups: ```  aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn> ``` 4. Detach the policy from all IAM Roles: ```  aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn> ```",
+          "AuditProcedure": "Perform the following to determine what policies are created:  **From Command Line:**  1. Run the following to get a list of IAM policies: ```  aws iam list-policies --only-attached --output text ``` 2. For each policy returned, run the following command to determine if any policies is allowing full administrative privileges on the account: ```  aws iam get-policy-version --policy-arn <policy_arn> --version-id <version> ``` 3. In output ensure policy should not have any Statement block with `\"Effect\": \"Allow\"` and `Action` set to `\"*\"` and `Resource` set to `\"*\"`",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam"
         }
@@ -187,8 +188,8 @@
           "Description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.",
           "RationaleStatement": "By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.",
           "ImpactStatement": "All AWS Support plans include an unlimited number of account and billing support cases, with no long-term contracts. Support billing calculations are performed on a per-account basis for all plans. Enterprise Support plan customers have the option to include multiple enabled accounts in an aggregated monthly billing calculation. Monthly charges for the Business and Enterprise support plans are based on each month's AWS usage charges, subject to a monthly minimum, billed in advance.",
-          "RemediationProcedure": "**From Command Line:**\n\n1. Create an IAM role for managing incidents with AWS:\n - Create a trust relationship policy document that allows <iam_user> to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:\n```\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"<iam_user>\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n }\n```\n2. Create the IAM role using the above trust policy:\n```\naws iam create-role --role-name <aws_support_iam_role> --assume-role-policy-document file:///tmp/TrustPolicy.json\n```\n3. Attach 'AWSSupportAccess' managed policy to the created IAM role:\n```\naws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name <aws_support_iam_role>\n```",
-          "AuditProcedure": "**From Command Line:**\n\n1. List IAM policies, filter for the 'AWSSupportAccess' managed policy, and note the \"Arn\" element value:\n```\naws iam list-policies --query \"Policies[?PolicyName == 'AWSSupportAccess']\"\n```\n2. Check if the 'AWSSupportAccess' policy is attached to any role:\n\n```\naws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess\n```\n\n3. In Output, Ensure `PolicyRoles` does not return empty. 'Example: Example: PolicyRoles: [ ]'\n\nIf it returns empty refer to the remediation below.",
+          "RemediationProcedure": "**From Command Line:**  1. Create an IAM role for managing incidents with AWS:  - Create a trust relationship policy document that allows <iam_user> to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json: ```  {  \"Version\": \"2012-10-17\",  \"Statement\": [  {  \"Effect\": \"Allow\",  \"Principal\": {  \"AWS\": \"<iam_user>\"  },  \"Action\": \"sts:AssumeRole\"  }  ]  } ``` 2. Create the IAM role using the above trust policy: ``` aws iam create-role --role-name <aws_support_iam_role> --assume-role-policy-document file:///tmp/TrustPolicy.json ``` 3. Attach 'AWSSupportAccess' managed policy to the created IAM role: ``` aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name <aws_support_iam_role> ```",
+          "AuditProcedure": "**From Command Line:**  1. List IAM policies, filter for the 'AWSSupportAccess' managed policy, and note the \"Arn\" element value: ``` aws iam list-policies --query \"Policies[?PolicyName == 'AWSSupportAccess']\" ``` 2. Check if the 'AWSSupportAccess' policy is attached to any role:  ``` aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess ```  3. In Output, Ensure `PolicyRoles` does not return empty. 'Example: Example: PolicyRoles: [ ]'  If it returns empty refer to the remediation below.",
           "AdditionalInformation": "AWSSupportAccess policy is a global AWS resource. It has same ARN as `arn:aws:iam::aws:policy/AWSSupportAccess` for every account.",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html:https://aws.amazon.com/premiumsupport/pricing/:https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html:https://docs.aws.amazon.com/cli/latest/reference/iam/attach-role-policy.html:https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html"
         }
@@ -206,10 +207,10 @@
           "Profile": "Level 2",
           "AssessmentStatus": "Manual",
           "Description": "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \"AWS Access\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.",
-          "RationaleStatement": "AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it.\n\nAdditionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.",
+          "RationaleStatement": "AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it.  Additionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.",
           "ImpactStatement": "",
-          "RemediationProcedure": "IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create a new instance.\n\nIf the instance has no external dependencies on its current private ip or public addresses are elastic IPs:\n\n1. In AWS IAM create a new role. Assign a permissions policy if needed permissions are already known.\n2. In the AWS console launch a new instance with identical settings to the existing instance, and ensure that the newly created role is selected.\n3. Shutdown both the existing instance and the new instance.\n4. Detach disks from both instances.\n5. Attach the existing instance disks to the new instance.\n6. Boot the new instance and you should have the same machine, but with the associated role.\n\n**Note:** if your environment has dependencies on a dynamically assigned PRIVATE IP address you can create an AMI from the existing instance, destroy the old one and then when launching from the AMI, manually assign the previous private IP address.\n\n**Note: **if your environment has dependencies on a dynamically assigned PUBLIC IP address there is not a way ensure the address is retained and assign an instance role. Dependencies on dynamically assigned public IP addresses are a bad practice and, if possible, you may wish to rebuild the instance with a new elastic IP address and make the investment to remediate affected systems while assigning the system to a role.",
-          "AuditProcedure": "Where an instance is associated with a Role:\n\nFor instances that are known to perform AWS actions, ensure that they belong to an instance role that has the necessary permissions:\n\n1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)\n2. Open the EC2 Dashboard and choose \"Instances\"\n3. Click the EC2 instance that performs AWS actions, in the lower pane details find \"IAM Role\"\n4. If the Role is blank, the instance is not assigned to one.\n5. If the Role is filled in, it does not mean the instance might not \\*also\\* have credentials encoded on it for some activities.\n\nWhere an Instance Contains Embedded Credentials:\n\n- On the instance that is known to perform AWS actions, audit all scripts and environment variables to ensure that none of them contain AWS credentials.\n\nWhere an Instance Application Contains Embedded Credentials:\n\n- Applications that run on an instance may also have credentials embedded. This is a bad practice, but even worse if the source code is stored in a public code repository such as github. When an application contains credentials can be determined by eliminating all other sources of credentials and if the application can still access AWS resources - it likely contains embedded credentials. Another method is to examine all source code and configuration files of the application.",
+          "RemediationProcedure": "IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create a new instance.  If the instance has no external dependencies on its current private ip or public addresses are elastic IPs:  1. In AWS IAM create a new role. Assign a permissions policy if needed permissions are already known. 2. In the AWS console launch a new instance with identical settings to the existing instance, and ensure that the newly created role is selected. 3. Shutdown both the existing instance and the new instance. 4. Detach disks from both instances. 5. Attach the existing instance disks to the new instance. 6. Boot the new instance and you should have the same machine, but with the associated role.  **Note:** if your environment has dependencies on a dynamically assigned PRIVATE IP address you can create an AMI from the existing instance, destroy the old one and then when launching from the AMI, manually assign the previous private IP address.  **Note: **if your environment has dependencies on a dynamically assigned PUBLIC IP address there is not a way ensure the address is retained and assign an instance role. Dependencies on dynamically assigned public IP addresses are a bad practice and, if possible, you may wish to rebuild the instance with a new elastic IP address and make the investment to remediate affected systems while assigning the system to a role.",
+          "AuditProcedure": "Where an instance is associated with a Role:  For instances that are known to perform AWS actions, ensure that they belong to an instance role that has the necessary permissions:  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Open the EC2 Dashboard and choose \"Instances\" 3. Click the EC2 instance that performs AWS actions, in the lower pane details find \"IAM Role\" 4. If the Role is blank, the instance is not assigned to one. 5. If the Role is filled in, it does not mean the instance might not \\*also\\* have credentials encoded on it for some activities.  Where an Instance Contains Embedded Credentials:  - On the instance that is known to perform AWS actions, audit all scripts and environment variables to ensure that none of them contain AWS credentials.  Where an Instance Application Contains Embedded Credentials:  - Applications that run on an instance may also have credentials embedded. This is a bad practice, but even worse if the source code is stored in a public code repository such as github. When an application contains credentials can be determined by eliminating all other sources of credentials and if the application can still access AWS resources - it likely contains embedded credentials. Another method is to examine all source code and configuration files of the application.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html"
         }
@@ -226,11 +227,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. \nUse IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.",
+          "Description": "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates.  Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.",
           "RationaleStatement": "Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.",
-          "ImpactStatement": "Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc.\nOne has to make configurations at respective services to ensure there is no interruption in application functionality.",
-          "RemediationProcedure": "**From Console:**\n\nRemoving expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).\n\n**From Command Line:**\n\nTo delete Expired Certificate run following command by replacing <CERTIFICATE_NAME> with the name of the certificate to delete:\n\n```\naws iam delete-server-certificate --server-certificate-name <CERTIFICATE_NAME>\n```\n\nWhen the preceding command is successful, it does not return any output.",
-          "AuditProcedure": "**From Console:**\n\nGetting the certificates expiration information via AWS Management Console is not currently supported. \nTo request information about the SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).\n\n**From Command Line:**\n\nRun list-server-certificates command to list all the IAM-stored server certificates:\n\n```\naws iam list-server-certificates\n```\n\nThe command output should return an array that contains all the SSL/TLS certificates currently stored in IAM and their metadata (name, ID, expiration date, etc):\n\n```\n{\n \"ServerCertificateMetadataList\": [\n {\n \"ServerCertificateId\": \"EHDGFRW7EJFYTE88D\",\n \"ServerCertificateName\": \"MyServerCertificate\",\n \"Expiration\": \"2018-07-10T23:59:59Z\",\n \"Path\": \"/\",\n \"Arn\": \"arn:aws:iam::012345678910:server-certificate/MySSLCertificate\",\n \"UploadDate\": \"2018-06-10T11:56:08Z\"\n }\n ]\n}\n```\n\nVerify the `ServerCertificateName` and `Expiration` parameter value (expiration date) for each SSL/TLS certificate returned by the list-server-certificates command and determine if there are any expired server certificates currently stored in AWS IAM. If so, use the AWS API to remove them.\n\nIf this command returns:\n```\n{ { \"ServerCertificateMetadataList\": [] }\n```\nThis means that there are no expired certificates, It DOES NOT mean that no certificates exist.",
+          "ImpactStatement": "Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc. One has to make configurations at respective services to ensure there is no interruption in application functionality.",
+          "RemediationProcedure": "**From Console:**  Removing expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).  **From Command Line:**  To delete Expired Certificate run following command by replacing <CERTIFICATE_NAME> with the name of the certificate to delete:  ``` aws iam delete-server-certificate --server-certificate-name <CERTIFICATE_NAME> ```  When the preceding command is successful, it does not return any output.",
+          "AuditProcedure": "**From Console:**  Getting the certificates expiration information via AWS Management Console is not currently supported.  To request information about the SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).  **From Command Line:**  Run list-server-certificates command to list all the IAM-stored server certificates:  ``` aws iam list-server-certificates ```  The command output should return an array that contains all the SSL/TLS certificates currently stored in IAM and their metadata (name, ID, expiration date, etc):  ``` {  \"ServerCertificateMetadataList\": [  {  \"ServerCertificateId\": \"EHDGFRW7EJFYTE88D\",  \"ServerCertificateName\": \"MyServerCertificate\",  \"Expiration\": \"2018-07-10T23:59:59Z\",  \"Path\": \"/\",  \"Arn\": \"arn:aws:iam::012345678910:server-certificate/MySSLCertificate\",  \"UploadDate\": \"2018-06-10T11:56:08Z\"  }  ] } ```  Verify the `ServerCertificateName` and `Expiration` parameter value (expiration date) for each SSL/TLS certificate returned by the list-server-certificates command and determine if there are any expired server certificates currently stored in AWS IAM. If so, use the AWS API to remove them.  If this command returns: ``` { { \"ServerCertificateMetadataList\": [] } ``` This means that there are no expired certificates, It DOES NOT mean that no certificates exist.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html:https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html"
         }
@@ -250,8 +251,8 @@
           "Description": "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided.",
           "RationaleStatement": "Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to establish security contact information:\n\n**From Console:**\n\n1. Click on your account name at the top right corner of the console.\n2. From the drop-down menu Click `My Account` \n3. Scroll down to the `Alternate Contacts` section\n4. Enter contact information in the `Security` section\n\n**Note:** Consider specifying an internal email distribution list to ensure emails are regularly monitored by more than one individual.",
-          "AuditProcedure": "Perform the following to determine if security contact information is present:\n\n**From Console:**\n\n1. Click on your account name at the top right corner of the console\n2. From the drop-down menu Click `My Account` \n3. Scroll down to the `Alternate Contacts` section\n4. Ensure contact information is specified in the `Security` section",
+          "RemediationProcedure": "Perform the following to establish security contact information:  **From Console:**  1. Click on your account name at the top right corner of the console. 2. From the drop-down menu Click `My Account`  3. Scroll down to the `Alternate Contacts` section 4. Enter contact information in the `Security` section  **Note:** Consider specifying an internal email distribution list to ensure emails are regularly monitored by more than one individual.",
+          "AuditProcedure": "Perform the following to determine if security contact information is present:  **From Console:**  1. Click on your account name at the top right corner of the console 2. From the drop-down menu Click `My Account`  3. Scroll down to the `Alternate Contacts` section 4. Ensure contact information is specified in the `Security` section",
           "AdditionalInformation": "",
           "References": ""
         }
@@ -268,11 +269,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "Enable IAM Access analyzer for IAM policies about all resources in each region.\n\nIAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access.\nAccess Analyzer analyzes only policies that are applied to resources in the same AWS Region.",
+          "Description": "Enable IAM Access analyzer for IAM policies about all resources in each region.  IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region.",
           "RationaleStatement": "AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. IAM Access Analyzer continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service) keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\nPerform the following to enable IAM Access analyzer for IAM policies:\n\n1. Open the IAM console at `https://console.aws.amazon.com/iam/.`\n2. Choose `Access analyzer`.\n3. Choose `Create analyzer`.\n4. On the `Create analyzer` page, confirm that the `Region` displayed is the Region where you want to enable Access Analyzer.\n5. Enter a name for the analyzer. `Optional as it will generate a name for you automatically`.\n6. Add any tags that you want to apply to the analyzer. `Optional`. \n7. Choose `Create Analyzer`.\n8. Repeat these step for each active region\n\n**From Command Line:**\n\nRun the following command:\n```\naws accessanalyzer create-analyzer --analyzer-name <NAME> --type <ACCOUNT|ORGANIZATION>\n```\nRepeat this command above for each active region.\n\n**Note:** The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.",
-          "AuditProcedure": "**From Console:**\n\n1. Open the IAM console at `https://console.aws.amazon.com/iam/`\n2. Choose `Access analyzer`\n3. Click 'Analyzers'\n4. Ensure that at least one analyzer is present\n5. Ensure that the `STATUS` is set to `Active`\n6. Repeat these step for each active region\n\n**From Command Line:**\n\n1. Run the following command:\n```\naws accessanalyzer list-analyzers | grep status\n```\n2. Ensure that at least one Analyzer the `status` is set to `ACTIVE`\n\n3. Repeat the steps above for each active region.\n\nIf an Access analyzer is not listed for each region or the status is not set to active refer to the remediation procedure below.",
+          "RemediationProcedure": "**From Console:**  Perform the following to enable IAM Access analyzer for IAM policies:  1. Open the IAM console at `https://console.aws.amazon.com/iam/.` 2. Choose `Access analyzer`. 3. Choose `Create analyzer`. 4. On the `Create analyzer` page, confirm that the `Region` displayed is the Region where you want to enable Access Analyzer. 5. Enter a name for the analyzer. `Optional as it will generate a name for you automatically`. 6. Add any tags that you want to apply to the analyzer. `Optional`.  7. Choose `Create Analyzer`. 8. Repeat these step for each active region  **From Command Line:**  Run the following command: ``` aws accessanalyzer create-analyzer --analyzer-name <NAME> --type <ACCOUNT|ORGANIZATION> ``` Repeat this command above for each active region.  **Note:** The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.",
+          "AuditProcedure": "**From Console:**  1. Open the IAM console at `https://console.aws.amazon.com/iam/` 2. Choose `Access analyzer` 3. Click 'Analyzers' 4. Ensure that at least one analyzer is present 5. Ensure that the `STATUS` is set to `Active` 6. Repeat these step for each active region  **From Command Line:**  1. Run the following command: ``` aws accessanalyzer list-analyzers | grep status ``` 2. Ensure that at least one Analyzer the `status` is set to `ACTIVE`  3. Repeat the steps above for each active region.  If an Access analyzer is not listed for each region or the status is not set to active refer to the remediation procedure below.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/get-analyzer.html:https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/create-analyzer.html"
         }
@@ -293,7 +294,7 @@
           "RationaleStatement": "Centralizing IAM user management to a single identity store reduces complexity and thus the likelihood of access management errors.",
           "ImpactStatement": "",
           "RemediationProcedure": "The remediation procedure will vary based on the individual organization's implementation of identity federation and/or AWS Organizations with the acceptance criteria that no non-service IAM users, and non-root accounts, are present outside the account providing centralized IAM user management.",
-          "AuditProcedure": "For multi-account AWS environments with an external identity provider... \n\n1. Determine the master account for identity federation or IAM user management\n2. Login to that account through the AWS Management Console\n3. Click `Services` \n4. Click `IAM` \n5. Click `Identity providers`\n6. Verify the configuration\n\nThen..., determine all accounts that should not have local users present. For each account...\n\n1. Determine all accounts that should not have local users present\n2. Log into the AWS Management Console\n3. Switch role into each identified account\n4. Click `Services` \n5. Click `IAM` \n6. Click `Users`\n7. Confirm that no IAM users representing individuals are present\n\nFor multi-account AWS environments implementing AWS Organizations without an external identity provider... \n\n1. Determine all accounts that should not have local users present\n2. Log into the AWS Management Console\n3. Switch role into each identified account\n4. Click `Services` \n5. Click `IAM` \n6. Click `Users`\n7. Confirm that no IAM users representing individuals are present",
+          "AuditProcedure": "For multi-account AWS environments with an external identity provider...   1. Determine the master account for identity federation or IAM user management 2. Login to that account through the AWS Management Console 3. Click `Services`  4. Click `IAM`  5. Click `Identity providers` 6. Verify the configuration  Then..., determine all accounts that should not have local users present. For each account...  1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`  5. Click `IAM`  6. Click `Users` 7. Confirm that no IAM users representing individuals are present  For multi-account AWS environments implementing AWS Organizations without an external identity provider...   1. Determine all accounts that should not have local users present 2. Log into the AWS Management Console 3. Switch role into each identified account 4. Click `Services`  5. Click `IAM`  6. Click `Users` 7. Confirm that no IAM users representing individuals are present",
           "AdditionalInformation": "",
           "References": ""
         }
@@ -311,8 +312,8 @@
           "Description": "AWS CloudShell is a convenient way of running CLI commands against AWS services; a managed IAM policy ('AWSCloudShellFullAccess') provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment a user has sudo permissions, and can access the internet. So it is feasible to install file transfer software (for example) and move data from CloudShell to external internet servers.",
           "RationaleStatement": "Access to this policy should be restricted as it presents a potential channel for data exfiltration by malicious cloud admins that are given full permissions to the service. AWS documentation describes how to create a more restrictive IAM policy which denies file transfer permissions.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console**\n\n1. Open the IAM console at https://console.aws.amazon.com/iam/\n\n2. In the left pane, select Policies 3. Search for and select AWSCloudShellFullAccess\n\n4. On the Entities attached tab, for each item, check the box and select Detach",
-          "AuditProcedure": "**From Console**\n1. Open the IAM console at https://console.aws.amazon.com/iam/\n 2. In the left pane, select Policies\n 3. Search for and select AWSCloudShellFullAccess\n 4. On the Entities attached tab, ensure that there are no entities using this policy\n\n **From Command Line**\n 1. List IAM policies, filter for the 'AWSCloudShellFullAccess' managed policy, and note the \"\"Arn\"\" element value:\n ```\n aws iam list-policies --query \"\"Policies[?PolicyName == 'AWSCloudShellFullAccess']\"\"\n ```\n  2. Check if the 'AWSCloudShellFullAccess' policy is attached to any role:\n  ```\n aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess\n ```\n 3. In Output, Ensure PolicyRoles returns empty. 'Example: Example: PolicyRoles: [ ]'\n If it does not return empty refer to the remediation below.\n Note: Keep in mind that other policies may grant access.",
+          "RemediationProcedure": "**From Console**  1. Open the IAM console at https://console.aws.amazon.com/iam/  2. In the left pane, select Policies 3. Search for and select AWSCloudShellFullAccess  4. On the Entities attached tab, for each item, check the box and select Detach",
+          "AuditProcedure": "**From Console** 1. Open the IAM console at https://console.aws.amazon.com/iam/  2. In the left pane, select Policies  3. Search for and select AWSCloudShellFullAccess  4. On the Entities attached tab, ensure that there are no entities using this policy   **From Command Line**  1. List IAM policies, filter for the 'AWSCloudShellFullAccess' managed policy, and note the \"\"Arn\"\" element value:  ```  aws iam list-policies --query \"\"Policies[?PolicyName == 'AWSCloudShellFullAccess']\"\"  ```   2. Check if the 'AWSCloudShellFullAccess' policy is attached to any role:   ```  aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess  ```  3. In Output, Ensure PolicyRoles returns empty. 'Example: Example: PolicyRoles: [ ]'  If it does not return empty refer to the remediation below.  Note: Keep in mind that other policies may grant access.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html"
         }
@@ -332,8 +333,8 @@
           "Description": "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.",
           "RationaleStatement": "When creating a new AWS account, a default super user is automatically created. This account is referred to as the 'root user' or 'root' account. It is recommended that the use of this account be limited and highly controlled. During events in which the 'root' password is no longer accessible or the MFA token associated with 'root' is lost/destroyed it is possible, through authentication using secret questions and associated answers, to recover 'root' user login access.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to the AWS Account as the 'root' user\n2. Click on the _<Root\\_Account\\_Name>_ from the top right of the console\n3. From the drop-down menu Click _My Account_\n4. Scroll down to the `Configure Security Questions` section\n5. Click on `Edit` \n6. Click on each `Question` \n - From the drop-down select an appropriate question\n - Click on the `Answer` section\n - Enter an appropriate answer \n - Follow process for all 3 questions\n7. Click `Update` when complete\n8. Save Questions and Answers and place in a secure physical location",
-          "AuditProcedure": "**From Console:**\n\n1. Login to the AWS account as the 'root' user\n2. On the top right you will see the _<Root\\_Account\\_Name>_\n3. Click on the _<Root\\_Account\\_Name>_\n4. From the drop-down menu Click `My Account` \n5. In the `Configure Security Challenge Questions` section on the `Personal Information` page, configure three security challenge questions.\n6. Click `Save questions` .",
+          "RemediationProcedure": "**From Console:**  1. Login to the AWS Account as the 'root' user 2. Click on the _<Root\\_Account\\_Name>_ from the top right of the console 3. From the drop-down menu Click _My Account_ 4. Scroll down to the `Configure Security Questions` section 5. Click on `Edit`  6. Click on each `Question`   - From the drop-down select an appropriate question  - Click on the `Answer` section  - Enter an appropriate answer   - Follow process for all 3 questions 7. Click `Update` when complete 8. Save Questions and Answers and place in a secure physical location",
+          "AuditProcedure": "**From Console:**  1. Login to the AWS account as the 'root' user 2. On the top right you will see the _<Root\\_Account\\_Name>_ 3. Click on the _<Root\\_Account\\_Name>_ 4. From the drop-down menu Click `My Account`  5. In the `Configure Security Challenge Questions` section on the `Personal Information` page, configure three security challenge questions. 6. Click `Save questions` .",
           "AdditionalInformation": "",
           "References": ""
         }
@@ -353,8 +354,8 @@
           "Description": "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be removed.",
           "RationaleStatement": "Removing access keys associated with the 'root' user account limits vectors by which the account can be compromised. Additionally, removing the 'root' access keys encourages the creation and use of role based accounts that are least privileged.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to delete or disable active 'root' user access keys\n\n**From Console:**\n\n1. Sign in to the AWS Management Console as 'root' and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n2. Click on _<Root\\_Account\\_Name>_ at the top right and select `My Security Credentials` from the drop down list\n3. On the pop out screen Click on `Continue to Security Credentials` \n4. Click on `Access Keys` _(Access Key ID and Secret Access Key)_\n5. Under the `Status` column if there are any Keys which are Active\n - Click on `Make Inactive` - (Temporarily disable Key - may be needed again)\n - Click `Delete` - (Deleted keys cannot be recovered)",
-          "AuditProcedure": "Perform the following to determine if the 'root' user account has access keys:\n\n**From Console:**\n\n1. Login to the AWS Management Console\n2. Click `Services` \n3. Click `IAM` \n4. Click on `Credential Report` \n5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file\n6. For the `<root_account>` user, ensure the `access_key_1_active` and `access_key_2_active` fields are set to `FALSE` .\n\n**From Command Line:**\n\nRun the following command:\n```\n aws iam get-account-summary | grep \"AccountAccessKeysPresent\" \n```\nIf no 'root' access keys exist the output will show \"AccountAccessKeysPresent\": 0,. \n\nIf the output shows a \"1\" than 'root' keys exist, refer to the remediation procedure below.",
+          "RemediationProcedure": "Perform the following to delete or disable active 'root' user access keys  **From Console:**  1. Sign in to the AWS Management Console as 'root' and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 2. Click on _<Root\\_Account\\_Name>_ at the top right and select `My Security Credentials` from the drop down list 3. On the pop out screen Click on `Continue to Security Credentials`  4. Click on `Access Keys` _(Access Key ID and Secret Access Key)_ 5. Under the `Status` column if there are any Keys which are Active  - Click on `Make Inactive` - (Temporarily disable Key - may be needed again)  - Click `Delete` - (Deleted keys cannot be recovered)",
+          "AuditProcedure": "Perform the following to determine if the 'root' user account has access keys:  **From Console:**  1. Login to the AWS Management Console 2. Click `Services`  3. Click `IAM`  4. Click on `Credential Report`  5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `<root_account>` user, ensure the `access_key_1_active` and `access_key_2_active` fields are set to `FALSE` .  **From Command Line:**  Run the following command: ```  aws iam get-account-summary | grep \"AccountAccessKeysPresent\"  ``` If no 'root' access keys exist the output will show \"AccountAccessKeysPresent\": 0,.   If the output shows a \"1\" than 'root' keys exist, refer to the remediation procedure below.",
           "AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions is not enabled by default. However, on request to AWS support enables 'root' access only through access-keys (CLI, API methods) for us-gov cloud region.",
           "References": "http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html:http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html:http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html:https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/"
         }
@@ -371,11 +372,11 @@
           "Section": "1. Identity and Access Management",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.\n\n**Note:** When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. (\"non-personal virtual MFA\") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.",
+          "Description": "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.  **Note:** When virtual MFA is used for 'root' accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. (\"non-personal virtual MFA\") This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company.",
           "RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to establish MFA for the 'root' user account:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\n\n Note: to manage MFA devices for the 'root' AWS account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.\n\n2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account.\n3. Choose `Activate MFA` \n4. In the wizard, choose `A virtual MFA` device and then choose `Next Step` .\n5. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.\n6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](http://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications).) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).\n7. Determine whether the MFA app supports QR codes, and then do one of the following:\n\n - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.\n - In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.\n\nWhen you are finished, the virtual MFA device starts generating one-time passwords.\n\nIn the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Assign Virtual MFA.",
-          "AuditProcedure": "Perform the following to determine if the 'root' user account has MFA setup:\n\n**From Console:**\n\n1. Login to the AWS Management Console\n2. Click `Services` \n3. Click `IAM` \n4. Click on `Credential Report` \n5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file\n6. For the `<root_account>` user, ensure the `mfa_active` field is set to `TRUE` .\n\n**From Command Line:**\n\n1. Run the following command:\n```\n aws iam get-account-summary | grep \"AccountMFAEnabled\"\n```\n2. Ensure the AccountMFAEnabled property is set to 1",
+          "RemediationProcedure": "Perform the following to establish MFA for the 'root' user account:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).   Note: to manage MFA devices for the 'root' AWS account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.  2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`  4. In the wizard, choose `A virtual MFA` device and then choose `Next Step` . 5. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes. 6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see [Virtual MFA Applications](http://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications).) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). 7. Determine whether the MFA app supports QR codes, and then do one of the following:   - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.  - In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.  When you are finished, the virtual MFA device starts generating one-time passwords.  In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Assign Virtual MFA.",
+          "AuditProcedure": "Perform the following to determine if the 'root' user account has MFA setup:  **From Console:**  1. Login to the AWS Management Console 2. Click `Services`  3. Click `IAM`  4. Click on `Credential Report`  5. This will download a `.csv` file which contains credential usage for all IAM users within an AWS Account - open this file 6. For the `<root_account>` user, ensure the `mfa_active` field is set to `TRUE` .  **From Command Line:**  1. Run the following command: ```  aws iam get-account-summary | grep \"AccountMFAEnabled\" ``` 2. Ensure the AccountMFAEnabled property is set to 1",
           "AdditionalInformation": "IAM User account \"root\" for us-gov cloud regions does not have console access. This recommendation is not applicable for us-gov cloud regions.",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root"
         }
@@ -393,10 +394,10 @@
           "Profile": "Level 2",
           "AssessmentStatus": "Automated",
           "Description": "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the 'root' user account be protected with a hardware MFA.",
-          "RationaleStatement": "A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.\n\n**Note**: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.",
+          "RationaleStatement": "A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.  **Note**: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to establish a hardware MFA for the 'root' user account:\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).\nNote: to manage MFA devices for the AWS 'root' user account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials.\n2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account.\n3. Choose `Activate MFA` \n4. In the wizard, choose `A hardware MFA` device and then choose `Next Step` .\n5. In the `Serial Number` box, enter the serial number that is found on the back of the MFA device.\n6. In the `Authentication Code 1` box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number.\n7. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the `Authentication Code 2` box. You might need to press the button on the front of the device again to display the second number.\n8. Choose `Next Step` . The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.\n\nRemediation for this recommendation is not available through AWS CLI.",
-          "AuditProcedure": "Perform the following to determine if the 'root' user account has a hardware MFA setup:\n\n1. Run the following command to determine if the 'root' account has MFA setup:\n```\n aws iam get-account-summary | grep \"AccountMFAEnabled\"\n```\n\nThe `AccountMFAEnabled` property is set to `1` will ensure that the 'root' user account has MFA (Virtual or Hardware) Enabled.\nIf `AccountMFAEnabled` property is set to `0` the account is not compliant with this recommendation.\n\n2. If `AccountMFAEnabled` property is set to `1`, determine 'root' account has Hardware MFA enabled.\nRun the following command to list all virtual MFA devices:\n```\n aws iam list-virtual-mfa-devices \n```\nIf the output contains one MFA with the following Serial Number, it means the MFA is virtual, not hardware and the account is not compliant with this recommendation:\n\n `\"SerialNumber\": \"arn:aws:iam::_<aws_account_number>_:mfa/root-account-mfa-device\"`",
+          "RemediationProcedure": "Perform the following to establish a hardware MFA for the 'root' user account:  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Note: to manage MFA devices for the AWS 'root' user account, you must use your 'root' account credentials to sign in to AWS. You cannot manage MFA devices for the 'root' account using other credentials. 2. Choose `Dashboard` , and under `Security Status` , expand `Activate MFA` on your root account. 3. Choose `Activate MFA`  4. In the wizard, choose `A hardware MFA` device and then choose `Next Step` . 5. In the `Serial Number` box, enter the serial number that is found on the back of the MFA device. 6. In the `Authentication Code 1` box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number. 7. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the `Authentication Code 2` box. You might need to press the button on the front of the device again to display the second number. 8. Choose `Next Step` . The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you must type a code from the hardware MFA device.  Remediation for this recommendation is not available through AWS CLI.",
+          "AuditProcedure": "Perform the following to determine if the 'root' user account has a hardware MFA setup:  1. Run the following command to determine if the 'root' account has MFA setup: ```  aws iam get-account-summary | grep \"AccountMFAEnabled\" ```  The `AccountMFAEnabled` property is set to `1` will ensure that the 'root' user account has MFA (Virtual or Hardware) Enabled. If `AccountMFAEnabled` property is set to `0` the account is not compliant with this recommendation.  2. If `AccountMFAEnabled` property is set to `1`, determine 'root' account has Hardware MFA enabled. Run the following command to list all virtual MFA devices: ```  aws iam list-virtual-mfa-devices  ``` If the output contains one MFA with the following Serial Number, it means the MFA is virtual, not hardware and the account is not compliant with this recommendation:   `\"SerialNumber\": \"arn:aws:iam::_<aws_account_number>_:mfa/root-account-mfa-device\"`",
           "AdditionalInformation": "IAM User account 'root' for us-gov cloud regions does not have console access. This control is not applicable for us-gov cloud regions.",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html#enable-hw-mfa-for-root"
         }
@@ -416,9 +417,9 @@
           "Description": "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.",
           "RationaleStatement": "The 'root user' has unrestricted access to and control over all account resources. Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.",
           "ImpactStatement": "",
-          "RemediationProcedure": "If you find that the 'root' user account is being used for daily activity to include administrative tasks that do not require the 'root' user:\n\n1. Change the 'root' user password.\n2. Deactivate or delete any access keys associate with the 'root' user.\n\n**Remember, anyone who has 'root' user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.",
-          "AuditProcedure": "**From Console:**\n\n1. Login to the AWS Management Console at `https://console.aws.amazon.com/iam/`\n2. In the left pane, click `Credential Report`\n3. Click on `Download Report`\n4. Open of Save the file locally\n5. Locate the `<root account>` under the user column\n6. Review `password_last_used, access_key_1_last_used_date, access_key_2_last_used_date` to determine when the 'root user' was last used.\n\n**From Command Line:**\n\nRun the following CLI commands to provide a credential report for determining the last time the 'root user' was used:\n```\naws iam generate-credential-report\n```\n```\naws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,5,11,16 | grep -B1 '<root_account>'\n```\n\nReview `password_last_used`, `access_key_1_last_used_date`, `access_key_2_last_used_date` to determine when the _root user_ was last used.\n\n**Note:** There are a few conditions under which the use of the 'root' user account is required. Please see the reference links for all of the tasks that require use of the 'root' user.",
-          "AdditionalInformation": "The 'root' user for us-gov cloud regions is not enabled by default. However, on request to AWS support, they can enable the 'root' user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. If the 'root' user for us-gov cloud regions is enabled, this recommendation is applicable.\n\nMonitoring usage of the 'root' user can be accomplished by implementing recommendation 3.3 Ensure a log metric filter and alarm exist for usage of the 'root' user.",
+          "RemediationProcedure": "If you find that the 'root' user account is being used for daily activity to include administrative tasks that do not require the 'root' user:  1. Change the 'root' user password. 2. Deactivate or delete any access keys associate with the 'root' user.  **Remember, anyone who has 'root' user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.",
+          "AuditProcedure": "**From Console:**  1. Login to the AWS Management Console at `https://console.aws.amazon.com/iam/` 2. In the left pane, click `Credential Report` 3. Click on `Download Report` 4. Open of Save the file locally 5. Locate the `<root account>` under the user column 6. Review `password_last_used, access_key_1_last_used_date, access_key_2_last_used_date` to determine when the 'root user' was last used.  **From Command Line:**  Run the following CLI commands to provide a credential report for determining the last time the 'root user' was used: ``` aws iam generate-credential-report ``` ``` aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,5,11,16 | grep -B1 '<root_account>' ```  Review `password_last_used`, `access_key_1_last_used_date`, `access_key_2_last_used_date` to determine when the _root user_ was last used.  **Note:** There are a few conditions under which the use of the 'root' user account is required. Please see the reference links for all of the tasks that require use of the 'root' user.",
+          "AdditionalInformation": "The 'root' user for us-gov cloud regions is not enabled by default. However, on request to AWS support, they can enable the 'root' user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. If the 'root' user for us-gov cloud regions is enabled, this recommendation is applicable.  Monitoring usage of the 'root' user can be accomplished by implementing recommendation 3.3 Ensure a log metric filter and alarm exist for usage of the 'root' user.",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html:https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html"
         }
       ]
@@ -437,8 +438,8 @@
           "Description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14.",
           "RationaleStatement": "Setting a password complexity policy increases account resiliency against brute force login attempts.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to set the password policy as prescribed:\n\n**From Console:**\n\n1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)\n2. Go to IAM Service on the AWS Console\n3. Click on Account Settings on the Left Pane\n4. Set \"Minimum password length\" to `14` or greater.\n5. Click \"Apply password policy\"\n\n**From Command Line:**\n```\n aws iam update-account-password-policy --minimum-password-length 14\n```\nNote: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.",
-          "AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:\n\n**From Console:**\n\n1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)\n2. Go to IAM Service on the AWS Console\n3. Click on Account Settings on the Left Pane\n4. Ensure \"Minimum password length\" is set to 14 or greater.\n\n**From Command Line:**\n```\naws iam get-account-password-policy\n```\nEnsure the output of the above command includes \"MinimumPasswordLength\": 14 (or higher)",
+          "RemediationProcedure": "Perform the following to set the password policy as prescribed:  **From Console:**  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Set \"Minimum password length\" to `14` or greater. 5. Click \"Apply password policy\"  **From Command Line:** ```  aws iam update-account-password-policy --minimum-password-length 14 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.",
+          "AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:  **From Console:**  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Minimum password length\" is set to 14 or greater.  **From Command Line:** ``` aws iam get-account-password-policy ``` Ensure the output of the above command includes \"MinimumPasswordLength\": 14 (or higher)",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy"
         }
@@ -458,8 +459,8 @@
           "Description": "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.",
           "RationaleStatement": "Preventing password reuse increases account resiliency against brute force login attempts.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to set the password policy as prescribed:\n\n**From Console:**\n\n1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)\n2. Go to IAM Service on the AWS Console\n3. Click on Account Settings on the Left Pane\n4. Check \"Prevent password reuse\"\n5. Set \"Number of passwords to remember\" is set to `24` \n\n**From Command Line:**\n```\n aws iam update-account-password-policy --password-reuse-prevention 24\n```\nNote: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.",
-          "AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:\n\n**From Console:**\n\n1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)\n2. Go to IAM Service on the AWS Console\n3. Click on Account Settings on the Left Pane\n4. Ensure \"Prevent password reuse\" is checked\n5. Ensure \"Number of passwords to remember\" is set to 24\n\n**From Command Line:**\n```\naws iam get-account-password-policy \n```\nEnsure the output of the above command includes \"PasswordReusePrevention\": 24",
+          "RemediationProcedure": "Perform the following to set the password policy as prescribed:  **From Console:**  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Check \"Prevent password reuse\" 5. Set \"Number of passwords to remember\" is set to `24`   **From Command Line:** ```  aws iam update-account-password-policy --password-reuse-prevention 24 ``` Note: All commands starting with \"aws iam update-account-password-policy\" can be combined into a single command.",
+          "AuditProcedure": "Perform the following to ensure the password policy is configured as prescribed:  **From Console:**  1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Go to IAM Service on the AWS Console 3. Click on Account Settings on the Left Pane 4. Ensure \"Prevent password reuse\" is checked 5. Ensure \"Number of passwords to remember\" is set to 24  **From Command Line:** ``` aws iam get-account-password-policy  ``` Ensure the output of the above command includes \"PasswordReusePrevention\": 24",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html:https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy"
         }
@@ -479,8 +480,8 @@
           "Description": "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.",
           "RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.",
           "ImpactStatement": "Amazon S3 buckets with default bucket encryption using SSE-KMS cannot be used as destination buckets for Amazon S3 server access logging. Only SSE-S3 default encryption is supported for server access log destination buckets.",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Select a Bucket.\n3. Click on 'Properties'.\n4. Click edit on `Default Encryption`.\n5. Select either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`.\n6. Click `Save`\n7. Repeat for all the buckets in your AWS account lacking encryption.\n\n**From Command Line:**\n\nRun either \n```\naws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}'\n```\n or \n```\naws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}'\n```\n\n**Note:** the KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.",
-          "AuditProcedure": "**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Select a Bucket.\n3. Click on 'Properties'.\n4. Verify that `Default Encryption` is enabled, and displays either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`.\n5. Repeat for all the buckets in your AWS account.\n\n**From Command Line:**\n\n1. Run command to list buckets\n```\naws s3 ls\n```\n2. For each bucket, run \n```\naws s3api get-bucket-encryption --bucket <bucket name>\n```\n3. Verify that either \n```\n\"SSEAlgorithm\": \"AES256\"\n```\n or \n```\n\"SSEAlgorithm\": \"aws:kms\"```\n is displayed.",
+          "RemediationProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Select a Bucket. 3. Click on 'Properties'. 4. Click edit on `Default Encryption`. 5. Select either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 6. Click `Save` 7. Repeat for all the buckets in your AWS account lacking encryption.  **From Command Line:**  Run either  ``` aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}' ```  or  ``` aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}' ```  **Note:** the KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.",
+          "AuditProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Select a Bucket. 3. Click on 'Properties'. 4. Verify that `Default Encryption` is enabled, and displays either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 5. Repeat for all the buckets in your AWS account.  **From Command Line:**  1. Run command to list buckets ``` aws s3 ls ``` 2. For each bucket, run  ``` aws s3api get-bucket-encryption --bucket <bucket name> ``` 3. Verify that either  ``` \"SSEAlgorithm\": \"AES256\" ```  or  ``` \"SSEAlgorithm\": \"aws:kms\"```  is displayed.",
           "AdditionalInformation": "S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does **not** encrypt objects previously stored within the bucket.",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html:https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources"
         }
@@ -500,8 +501,8 @@
           "Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.",
           "RationaleStatement": "By default, Amazon S3 allows both HTTP and HTTPS requests. To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/\n2. Select the Check box next to the Bucket.\n3. Click on 'Permissions'.\n4. Click 'Bucket Policy'\n5. Add this to the existing policy filling in the required information\n```\n{\n \"Sid\": <optional>\",\n \"Effect\": \"Deny\",\n \"Principal\": \"*\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n }\n```\n6. Save\n7. Repeat for all the buckets in your AWS account that contain sensitive data.\n\n**From Console** \n\nusing AWS Policy Generator:\n\n1. Repeat steps 1-4 above.\n2. Click on `Policy Generator` at the bottom of the Bucket Policy Editor\n3. Select Policy Type\n`S3 Bucket Policy`\n4. Add Statements\n- `Effect` = Deny\n- `Principal` = *\n- `AWS Service` = Amazon S3\n- `Actions` = *\n- `Amazon Resource Name` = <ARN of the S3 Bucket>\n5. Generate Policy\n6. Copy the text and add it to the Bucket Policy.\n\n**From Command Line:**\n\n1. Export the bucket policy to a json file.\n```\naws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text > policy.json\n```\n\n2. Modify the policy.json file by adding in this statement:\n```\n{\n \"Sid\": <optional>\",\n \"Effect\": \"Deny\",\n \"Principal\": \"*\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n }\n```\n3. Apply this modified policy back to the S3 bucket:\n```\naws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json\n```",
-          "AuditProcedure": "To allow access to HTTPS you can use a condition that checks for the key `\"aws:SecureTransport: true\"`. This means that the request is sent through HTTPS but that HTTP can still be used. So to make sure you do not allow HTTP access confirm that there is a bucket policy that explicitly denies access for HTTP requests and that it contains the key \"aws:SecureTransport\": \"false\".\n\n**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/\n2. Select the Check box next to the Bucket.\n3. Click on 'Permissions', then Click on `Bucket Policy`.\n4. Ensure that a policy is listed that matches:\n```\n'{\n \"Sid\": <optional>,\n \"Effect\": \"Deny\",\n \"Principal\": \"*\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }'\n```\n`<optional>` and `<bucket_name>` will be specific to your account\n\n5. Repeat for all the buckets in your AWS account.\n\n**From Command Line:**\n\n1. List all of the S3 Buckets \n```\naws s3 ls\n```\n2. Using the list of buckets run this command on each of them:\n```\naws s3api get-bucket-policy --bucket <bucket_name> | grep aws:SecureTransport\n```\n3. Confirm that `aws:SecureTransport` is set to false `aws:SecureTransport:false`\n4. Confirm that the policy line has Effect set to Deny 'Effect:Deny'",
+          "RemediationProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions'. 4. Click 'Bucket Policy' 5. Add this to the existing policy filling in the required information ``` {  \"Sid\": <optional>\",  \"Effect\": \"Deny\",  \"Principal\": \"*\",  \"Action\": \"s3:*\",  \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",  \"Condition\": {  \"Bool\": {  \"aws:SecureTransport\": \"false\"  }  }  } ``` 6. Save 7. Repeat for all the buckets in your AWS account that contain sensitive data.  **From Console**   using AWS Policy Generator:  1. Repeat steps 1-4 above. 2. Click on `Policy Generator` at the bottom of the Bucket Policy Editor 3. Select Policy Type `S3 Bucket Policy` 4. Add Statements - `Effect` = Deny - `Principal` = * - `AWS Service` = Amazon S3 - `Actions` = * - `Amazon Resource Name` = <ARN of the S3 Bucket> 5. Generate Policy 6. Copy the text and add it to the Bucket Policy.  **From Command Line:**  1. Export the bucket policy to a json file. ``` aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text > policy.json ```  2. Modify the policy.json file by adding in this statement: ``` {  \"Sid\": <optional>\",  \"Effect\": \"Deny\",  \"Principal\": \"*\",  \"Action\": \"s3:*\",  \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",  \"Condition\": {  \"Bool\": {  \"aws:SecureTransport\": \"false\"  }  }  } ``` 3. Apply this modified policy back to the S3 bucket: ``` aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json ```",
+          "AuditProcedure": "To allow access to HTTPS you can use a condition that checks for the key `\"aws:SecureTransport: true\"`. This means that the request is sent through HTTPS but that HTTP can still be used. So to make sure you do not allow HTTP access confirm that there is a bucket policy that explicitly denies access for HTTP requests and that it contains the key \"aws:SecureTransport\": \"false\".  **From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ 2. Select the Check box next to the Bucket. 3. Click on 'Permissions', then Click on `Bucket Policy`. 4. Ensure that a policy is listed that matches: ``` '{  \"Sid\": <optional>,  \"Effect\": \"Deny\",  \"Principal\": \"*\",  \"Action\": \"s3:*\",  \"Resource\": \"arn:aws:s3:::<bucket_name>/*\",  \"Condition\": {  \"Bool\": {  \"aws:SecureTransport\": \"false\"  }' ``` `<optional>` and `<bucket_name>` will be specific to your account  5. Repeat for all the buckets in your AWS account.  **From Command Line:**  1. List all of the S3 Buckets  ``` aws s3 ls ``` 2. Using the list of buckets run this command on each of them: ``` aws s3api get-bucket-policy --bucket <bucket_name> | grep aws:SecureTransport ``` 3. Confirm that `aws:SecureTransport` is set to false `aws:SecureTransport:false` 4. Confirm that the policy line has Effect set to Deny 'Effect:Deny'",
           "AdditionalInformation": "",
           "References": "https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/:https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html"
         }
@@ -521,8 +522,8 @@
           "Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.",
           "RationaleStatement": "Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete and object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the steps below to enable MFA delete on an S3 bucket.\n\nNote:\n-You cannot enable MFA Delete using the AWS Management Console. You must use the AWS CLI or API.\n-You must use your 'root' account to enable MFA Delete on S3 buckets.\n\n**From Command line:**\n\n1. Run the s3api put-bucket-versioning command\n\n```\naws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa “arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode”\n```",
-          "AuditProcedure": "Perform the steps below to confirm MFA delete is configured on an S3 Bucket\n\n**From Console:**\n\n1. Login to the S3 console at `https://console.aws.amazon.com/s3/`\n\n2. Click the `Check` box next to the Bucket name you want to confirm\n\n3. In the window under `Properties`\n\n4. Confirm that Versioning is `Enabled`\n\n5. Confirm that MFA Delete is `Enabled`\n\n**From Command Line:**\n\n1. Run the `get-bucket-versioning`\n```\naws s3api get-bucket-versioning --bucket my-bucket\n```\n\nOutput example:\n```\n<VersioningConfiguration xmlns=\"http://s3.amazonaws.com/doc/2006-03-01/\"> \n <Status>Enabled</Status>\n <MfaDelete>Enabled</MfaDelete> \n</VersioningConfiguration>\n```\n\nIf the Console or the CLI output does not show Versioning and MFA Delete `enabled` refer to the remediation below.",
+          "RemediationProcedure": "Perform the steps below to enable MFA delete on an S3 bucket.  Note: -You cannot enable MFA Delete using the AWS Management Console. You must use the AWS CLI or API. -You must use your 'root' account to enable MFA Delete on S3 buckets.  **From Command line:**  1. Run the s3api put-bucket-versioning command  ``` aws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa “arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode” ```",
+          "AuditProcedure": "Perform the steps below to confirm MFA delete is configured on an S3 Bucket  **From Console:**  1. Login to the S3 console at `https://console.aws.amazon.com/s3/`  2. Click the `Check` box next to the Bucket name you want to confirm  3. In the window under `Properties`  4. Confirm that Versioning is `Enabled`  5. Confirm that MFA Delete is `Enabled`  **From Command Line:**  1. Run the `get-bucket-versioning` ``` aws s3api get-bucket-versioning --bucket my-bucket ```  Output example: ``` <VersioningConfiguration xmlns=\"http://s3.amazonaws.com/doc/2006-03-01/\">   <Status>Enabled</Status>  <MfaDelete>Enabled</MfaDelete>  </VersioningConfiguration> ```  If the Console or the CLI output does not show Versioning and MFA Delete `enabled` refer to the remediation below.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete:https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html:https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html"
         }
@@ -540,10 +541,10 @@
           "Profile": "Level 2",
           "AssessmentStatus": "Manual",
           "Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.",
-          "RationaleStatement": "Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.\n\nAmazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.",
+          "RationaleStatement": "Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.  Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.",
           "ImpactStatement": "There is a cost associated with using Amazon Macie. There is also typically a cost associated with 3rd Party tools that perform similar processes and protection.",
-          "RemediationProcedure": "Perform the steps below to enable and configure Amazon Macie\n\n**From Console:**\n\n1. Log on to the Macie console at `https://console.aws.amazon.com/macie/`\n\n2. Click `Get started`.\n\n3. Click `Enable Macie`.\n\nSetup a repository for sensitive data discovery results\n\n1. In the Left pane, under Settings, click `Discovery results`.\n\n2. Make sure `Create bucket` is selected.\n\n3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.\n\n4. Click on `Advanced`.\n\n5. Block all public access, make sure `Yes` is selected.\n\n6. KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.\n\n7. Click on `Save`\n\nCreate a job to discover sensitive data\n\n1. In the left pane, click `S3 buckets`. Macie displays a list of all the S3 buckets for your account.\n\n2. Select the `check box` for each bucket that you want Macie to analyze as part of the job\n\n3. Click `Create job`.\n\n3. Click `Quick create`.\n\n4. For the Name and description step, enter a name and, optionally, a description of the job.\n\n5. Then click `Next`.\n\n6. For the Review and create step, click `Submit`.\n\nReview your findings\n\n1. In the left pane, click `Findings`.\n\n2. To view the details of a specific finding, choose any field other than the check box for the finding.\n\nIf you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.",
-          "AuditProcedure": "Perform the following steps to determine if Macie is running:\n\n**From Console:**\n\n 1. Login to the Macie console at https://console.aws.amazon.com/macie/\n\n 2. In the left hand pane click on By job under findings.\n\n 3. Confirm that you have a Job setup for your S3 Buckets\n\nWhen you log into the Macie console if you aren't taken to the summary page and you don't have a job setup and running then refer to the remediation procedure below.\n\nIf you are using a 3rd Party tool to manage and protect your s3 data you meet this recommendation.",
+          "RemediationProcedure": "Perform the steps below to enable and configure Amazon Macie  **From Console:**  1. Log on to the Macie console at `https://console.aws.amazon.com/macie/`  2. Click `Get started`.  3. Click `Enable Macie`.  Setup a repository for sensitive data discovery results  1. In the Left pane, under Settings, click `Discovery results`.  2. Make sure `Create bucket` is selected.  3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.  4. Click on `Advanced`.  5. Block all public access, make sure `Yes` is selected.  6. KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.  7. Click on `Save`  Create a job to discover sensitive data  1. In the left pane, click `S3 buckets`. Macie displays a list of all the S3 buckets for your account.  2. Select the `check box` for each bucket that you want Macie to analyze as part of the job  3. Click `Create job`.  3. Click `Quick create`.  4. For the Name and description step, enter a name and, optionally, a description of the job.  5. Then click `Next`.  6. For the Review and create step, click `Submit`.  Review your findings  1. In the left pane, click `Findings`.  2. To view the details of a specific finding, choose any field other than the check box for the finding.  If you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.",
+          "AuditProcedure": "Perform the following steps to determine if Macie is running:  **From Console:**   1. Login to the Macie console at https://console.aws.amazon.com/macie/   2. In the left hand pane click on By job under findings.   3. Confirm that you have a Job setup for your S3 Buckets  When you log into the Macie console if you aren't taken to the summary page and you don't have a job setup and running then refer to the remediation procedure below.  If you are using a 3rd Party tool to manage and protect your s3 data you meet this recommendation.",
           "AdditionalInformation": "",
           "References": "https://aws.amazon.com/macie/getting-started/:https://docs.aws.amazon.com/workspaces/latest/adminguide/data-protection.html:https://docs.aws.amazon.com/macie/latest/user/data-classification.html"
         }
@@ -562,10 +563,10 @@
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
           "Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.",
-          "RationaleStatement": "Amazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective bucket(s). \n\nAmazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.\n\nWhether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.",
+          "RationaleStatement": "Amazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective bucket(s).   Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.  Whether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.",
           "ImpactStatement": "When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.",
-          "RemediationProcedure": "**If utilizing Block Public Access (bucket settings)**\n\n**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Select the Check box next to the Bucket.\n3. Click on 'Edit public access settings'.\n4. Click 'Block all public access'\n5. Repeat for all the buckets in your AWS account that contain sensitive data.\n\n**From Command Line:**\n\n1. List all of the S3 Buckets\n```\naws s3 ls\n```\n2. Set the Block Public Access to true on that bucket\n```\naws s3api put-public-access-block --bucket <name-of-bucket> --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\"\n```\n\n**If utilizing Block Public Access (account settings)**\n\n**From Console:**\n\nIf the output reads `true` for the separate configuration settings then it is set on the account.\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Choose `Block Public Access (account settings)`\n3. Choose `Edit` to change the block public access settings for all the buckets in your AWS account\n4. Choose the settings you want to change, and then choose `Save`. For details about each setting, pause on the `i` icons.\n5. When you're asked for confirmation, enter `confirm`. Then Click `Confirm` to save your changes.\n\n**From Command Line:**\n\nTo set Block Public access settings for this account, run the following command:\n```\naws s3control put-public-access-block\n--public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true\n--account-id <value>\n```",
-          "AuditProcedure": "**If utilizing Block Public Access (bucket settings)**\n\n**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Select the Check box next to the Bucket.\n3. Click on 'Edit public access settings'.\n4. Ensure that block public access settings are set appropriately for this bucket\n5. Repeat for all the buckets in your AWS account.\n\n**From Command Line:**\n\n1. List all of the S3 Buckets\n```\naws s3 ls\n```\n2. Find the public access setting on that bucket\n```\naws s3api get-public-access-block --bucket <name-of-the-bucket>\n```\nOutput if Block Public access is enabled:\n\n```\n{\n \"PublicAccessBlockConfiguration\": {\n \"BlockPublicAcls\": true,\n \"IgnorePublicAcls\": true,\n \"BlockPublicPolicy\": true,\n \"RestrictPublicBuckets\": true\n }\n}\n```\n\nIf the output reads `false` for the separate configuration settings then proceed to the remediation.\n\n**If utilizing Block Public Access (account settings)**\n\n**From Console:**\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/ \n2. Choose `Block public access (account settings)`\n3. Ensure that block public access settings are set appropriately for your AWS account.\n\n**From Command Line:**\n\nTo check Public access settings for this account status, run the following command,\n`aws s3control get-public-access-block --account-id <ACCT_ID> --region <REGION_NAME>`\n\nOutput if Block Public access is enabled:\n\n```\n{\n \"PublicAccessBlockConfiguration\": {\n \"IgnorePublicAcls\": true, \n \"BlockPublicPolicy\": true, \n \"BlockPublicAcls\": true, \n \"RestrictPublicBuckets\": true\n }\n}\n```\n\nIf the output reads `false` for the separate configuration settings then proceed to the remediation.",
+          "RemediationProcedure": "**If utilizing Block Public Access (bucket settings)**  **From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Click 'Block all public access' 5. Repeat for all the buckets in your AWS account that contain sensitive data.  **From Command Line:**  1. List all of the S3 Buckets ``` aws s3 ls ``` 2. Set the Block Public Access to true on that bucket ``` aws s3api put-public-access-block --bucket <name-of-bucket> --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\" ```  **If utilizing Block Public Access (account settings)**  **From Console:**  If the output reads `true` for the separate configuration settings then it is set on the account.  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Choose `Block Public Access (account settings)` 3. Choose `Edit` to change the block public access settings for all the buckets in your AWS account 4. Choose the settings you want to change, and then choose `Save`. For details about each setting, pause on the `i` icons. 5. When you're asked for confirmation, enter `confirm`. Then Click `Confirm` to save your changes.  **From Command Line:**  To set Block Public access settings for this account, run the following command: ``` aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id <value> ```",
+          "AuditProcedure": "**If utilizing Block Public Access (bucket settings)**  **From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Select the Check box next to the Bucket. 3. Click on 'Edit public access settings'. 4. Ensure that block public access settings are set appropriately for this bucket 5. Repeat for all the buckets in your AWS account.  **From Command Line:**  1. List all of the S3 Buckets ``` aws s3 ls ``` 2. Find the public access setting on that bucket ``` aws s3api get-public-access-block --bucket <name-of-the-bucket> ``` Output if Block Public access is enabled:  ``` {  \"PublicAccessBlockConfiguration\": {  \"BlockPublicAcls\": true,  \"IgnorePublicAcls\": true,  \"BlockPublicPolicy\": true,  \"RestrictPublicBuckets\": true  } } ```  If the output reads `false` for the separate configuration settings then proceed to the remediation.  **If utilizing Block Public Access (account settings)**  **From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Choose `Block public access (account settings)` 3. Ensure that block public access settings are set appropriately for your AWS account.  **From Command Line:**  To check Public access settings for this account status, run the following command, `aws s3control get-public-access-block --account-id <ACCT_ID> --region <REGION_NAME>`  Output if Block Public access is enabled:  ``` {  \"PublicAccessBlockConfiguration\": {  \"IgnorePublicAcls\": true,   \"BlockPublicPolicy\": true,   \"BlockPublicAcls\": true,   \"RestrictPublicBuckets\": true  } } ```  If the output reads `false` for the separate configuration settings then proceed to the remediation.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html"
         }
@@ -585,8 +586,8 @@
           "Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.",
           "RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.",
           "ImpactStatement": "Losing access or removing the KMS key in use by the EBS volumes will result in no longer being able to access the volumes.",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/ \n2. Under `Account attributes`, click `EBS encryption`.\n3. Click `Manage`.\n4. Click the `Enable` checkbox.\n5. Click `Update EBS encryption`\n6. Repeat for every region requiring the change.\n\n**Note:** EBS volume encryption is configured per region.\n\n**From Command Line:**\n\n1. Run \n```\naws --region <region> ec2 enable-ebs-encryption-by-default\n```\n2. Verify that `\"EbsEncryptionByDefault\": true` is displayed.\n3. Repeat every region requiring the change.\n\n**Note:** EBS volume encryption is configured per region.",
-          "AuditProcedure": "**From Console:**\n\n1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/ \n2. Under `Account attributes`, click `EBS encryption`.\n3. Verify `Always encrypt new EBS volumes` displays `Enabled`.\n4. Review every region in-use.\n\n**Note:** EBS volume encryption is configured per region.\n\n**From Command Line:**\n\n1. Run \n```\naws --region <region> ec2 get-ebs-encryption-by-default\n```\n2. Verify that `\"EbsEncryptionByDefault\": true` is displayed.\n3. Review every region in-use.\n\n**Note:** EBS volume encryption is configured per region.",
+          "RemediationProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/  2. Under `Account attributes`, click `EBS encryption`. 3. Click `Manage`. 4. Click the `Enable` checkbox. 5. Click `Update EBS encryption` 6. Repeat for every region requiring the change.  **Note:** EBS volume encryption is configured per region.  **From Command Line:**  1. Run  ``` aws --region <region> ec2 enable-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Repeat every region requiring the change.  **Note:** EBS volume encryption is configured per region.",
+          "AuditProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/  2. Under `Account attributes`, click `EBS encryption`. 3. Verify `Always encrypt new EBS volumes` displays `Enabled`. 4. Review every region in-use.  **Note:** EBS volume encryption is configured per region.  **From Command Line:**  1. Run  ``` aws --region <region> ec2 get-ebs-encryption-by-default ``` 2. Verify that `\"EbsEncryptionByDefault\": true` is displayed. 3. Review every region in-use.  **Note:** EBS volume encryption is configured per region.",
           "AdditionalInformation": "Default EBS volume encryption only applies to newly created EBS volumes. Existing EBS volumes are **not** converted automatically.",
           "References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html:https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/"
         }
@@ -606,8 +607,8 @@
           "Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.",
           "RationaleStatement": "Databases are likely to hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access or disclosure. With RDS encryption enabled, the data stored on the instance's underlying storage, the automated backups, read replicas, and snapshots, are all encrypted.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/.\n2. In the left navigation panel, click on `Databases`\n3. Select the Database instance that needs to be encrypted.\n4. Click on `Actions` button placed at the top right and select `Take Snapshot`.\n5. On the Take Snapshot page, enter a database name of which you want to take a snapshot in the `Snapshot Name` field and click on `Take Snapshot`.\n6. Select the newly created snapshot and click on the `Action` button placed at the top right and select `Copy snapshot` from the Action menu.\n7. On the Make Copy of DB Snapshot page, perform the following:\n\n- In the New DB Snapshot Identifier field, Enter a name for the `new snapshot`.\n- Check `Copy Tags`, New snapshot must have the same tags as the source snapshot.\n- Select `Yes` from the `Enable Encryption` dropdown list to enable encryption, You can choose to use the AWS default encryption key or custom key from Master Key dropdown list.\n\n8. Click `Copy Snapshot` to create an encrypted copy of the selected instance snapshot.\n9. Select the new Snapshot Encrypted Copy and click on the `Action` button placed at the top right and select `Restore Snapshot` button from the Action menu, This will restore the encrypted snapshot to a new database instance.\n10. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field.\n11. Review the instance configuration details and click `Restore DB Instance`.\n12. As the new instance provisioning process is completed can update application configuration to refer to the endpoint of the new Encrypted database instance Once the database endpoint is changed at the application level, can remove the unencrypted instance.\n\n**From Command Line:**\n\n1. Run `describe-db-instances` command to list all RDS database names available in the selected AWS region, The command output should return the database instance identifier.\n```\naws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'\n```\n2. Run `create-db-snapshot` command to create a snapshot for the selected database instance, The command output will return the `new snapshot` with name DB Snapshot Name.\n```\naws rds create-db-snapshot --region <region-name> --db-snapshot-identifier <DB-Snapshot-Name> --db-instance-identifier <DB-Name>\n```\n3. Now run `list-aliases` command to list the KMS keys aliases available in a specified region, The command output should return each `key alias currently available`. For our RDS encryption activation process, locate the ID of the AWS default KMS key.\n```\naws kms list-aliases --region <region-name>\n```\n4. Run `copy-db-snapshot` command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot, The command output will return the `encrypted instance snapshot configuration`.\n```\naws rds copy-db-snapshot --region <region-name> --source-db-snapshot-identifier <DB-Snapshot-Name> --target-db-snapshot-identifier <DB-Snapshot-Name-Encrypted> --copy-tags --kms-key-id <KMS-ID-For-RDS>\n```\n5. Run `restore-db-instance-from-db-snapshot` command to restore the encrypted snapshot created at the previous step to a new database instance, If successful, the command output should return the new encrypted database instance configuration.\n```\naws rds restore-db-instance-from-db-snapshot --region <region-name> --db-instance-identifier <DB-Name-Encrypted> --db-snapshot-identifier <DB-Snapshot-Name-Encrypted>\n```\n6. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region, Output will return database instance identifier name Select encrypted database name that we just created DB-Name-Encrypted.\n```\naws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'\n```\n7. Run again `describe-db-instances` command using the RDS instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True`.\n```\naws rds describe-db-instances --region <region-name> --db-instance-identifier <DB-Name-Encrypted> --query 'DBInstances[*].StorageEncrypted'\n```",
-          "AuditProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/\n2. In the navigation pane, under RDS dashboard, click `Databases`.\n3. Select the RDS Instance that you want to examine\n4. Click `Instance Name` to see details, then click on `Configuration` tab.\n5. Under Configuration Details section, In Storage pane search for the `Encryption Enabled` Status.\n6. If the current status is set to `Disabled`, Encryption is not enabled for the selected RDS Instance database instance.\n7. Repeat steps 3 to 7 to verify encryption status of other RDS Instance in same region.\n8. Change region from the top of the navigation bar and repeat audit for other regions.\n\n**From Command Line:**\n\n1. Run `describe-db-instances` command to list all RDS Instance database names, available in the selected AWS region, Output will return each Instance database identifier-name.\n ```\naws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'\n```\n2. Run again `describe-db-instances` command using the RDS Instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True` Or `False`.\n```\naws rds describe-db-instances --region <region-name> --db-instance-identifier <DB-Name> --query 'DBInstances[*].StorageEncrypted'\n```\n3. If the StorageEncrypted parameter value is `False`, Encryption is not enabled for the selected RDS database instance.\n4. Repeat steps 1 to 3 for auditing each RDS Instance and change Region to verify for other regions",
+          "RemediationProcedure": "**From Console:**  1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases` 3. Select the Database instance that needs to be encrypted. 4. Click on `Actions` button placed at the top right and select `Take Snapshot`. 5. On the Take Snapshot page, enter a database name of which you want to take a snapshot in the `Snapshot Name` field and click on `Take Snapshot`. 6. Select the newly created snapshot and click on the `Action` button placed at the top right and select `Copy snapshot` from the Action menu. 7. On the Make Copy of DB Snapshot page, perform the following:  - In the New DB Snapshot Identifier field, Enter a name for the `new snapshot`. - Check `Copy Tags`, New snapshot must have the same tags as the source snapshot. - Select `Yes` from the `Enable Encryption` dropdown list to enable encryption, You can choose to use the AWS default encryption key or custom key from Master Key dropdown list.  8. Click `Copy Snapshot` to create an encrypted copy of the selected instance snapshot. 9. Select the new Snapshot Encrypted Copy and click on the `Action` button placed at the top right and select `Restore Snapshot` button from the Action menu, This will restore the encrypted snapshot to a new database instance. 10. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field. 11. Review the instance configuration details and click `Restore DB Instance`. 12. As the new instance provisioning process is completed can update application configuration to refer to the endpoint of the new Encrypted database instance Once the database endpoint is changed at the application level, can remove the unencrypted instance.  **From Command Line:**  1. Run `describe-db-instances` command to list all RDS database names available in the selected AWS region, The command output should return the database instance identifier. ``` aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. Run `create-db-snapshot` command to create a snapshot for the selected database instance, The command output will return the `new snapshot` with name DB Snapshot Name. ``` aws rds create-db-snapshot --region <region-name> --db-snapshot-identifier <DB-Snapshot-Name> --db-instance-identifier <DB-Name> ``` 3. Now run `list-aliases` command to list the KMS keys aliases available in a specified region, The command output should return each `key alias currently available`. For our RDS encryption activation process, locate the ID of the AWS default KMS key. ``` aws kms list-aliases --region <region-name> ``` 4. Run `copy-db-snapshot` command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot, The command output will return the `encrypted instance snapshot configuration`. ``` aws rds copy-db-snapshot --region <region-name> --source-db-snapshot-identifier <DB-Snapshot-Name> --target-db-snapshot-identifier <DB-Snapshot-Name-Encrypted> --copy-tags --kms-key-id <KMS-ID-For-RDS> ``` 5. Run `restore-db-instance-from-db-snapshot` command to restore the encrypted snapshot created at the previous step to a new database instance, If successful, the command output should return the new encrypted database instance configuration. ``` aws rds restore-db-instance-from-db-snapshot --region <region-name> --db-instance-identifier <DB-Name-Encrypted> --db-snapshot-identifier <DB-Snapshot-Name-Encrypted> ``` 6. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region, Output will return database instance identifier name Select encrypted database name that we just created DB-Name-Encrypted. ``` aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier' ``` 7. Run again `describe-db-instances` command using the RDS instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True`. ``` aws rds describe-db-instances --region <region-name> --db-instance-identifier <DB-Name-Encrypted> --query 'DBInstances[*].StorageEncrypted' ```",
+          "AuditProcedure": "**From Console:**  1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/ 2. In the navigation pane, under RDS dashboard, click `Databases`. 3. Select the RDS Instance that you want to examine 4. Click `Instance Name` to see details, then click on `Configuration` tab. 5. Under Configuration Details section, In Storage pane search for the `Encryption Enabled` Status. 6. If the current status is set to `Disabled`, Encryption is not enabled for the selected RDS Instance database instance. 7. Repeat steps 3 to 7 to verify encryption status of other RDS Instance in same region. 8. Change region from the top of the navigation bar and repeat audit for other regions.  **From Command Line:**  1. Run `describe-db-instances` command to list all RDS Instance database names, available in the selected AWS region, Output will return each Instance database identifier-name.  ``` aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. Run again `describe-db-instances` command using the RDS Instance identifier returned earlier, to determine if the selected database instance is encrypted, The command output should return the encryption status `True` Or `False`. ``` aws rds describe-db-instances --region <region-name> --db-instance-identifier <DB-Name> --query 'DBInstances[*].StorageEncrypted' ``` 3. If the StorageEncrypted parameter value is `False`, Encryption is not enabled for the selected RDS database instance. 4. Repeat steps 1 to 3 for auditing each RDS Instance and change Region to verify for other regions",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html:https://aws.amazon.com/blogs/database/selecting-the-right-encryption-options-for-amazon-rds-and-amazon-aurora-database-engines/#:~:text=With%20RDS%2Dencrypted%20resources%2C%20data,transparent%20to%20your%20database%20engine.:https://aws.amazon.com/rds/features/security/"
         }
@@ -627,8 +628,8 @@
           "Description": "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.",
           "RationaleStatement": "AWS RDS will occasionally deprecate minor engine versions and provide new ones for an upgrade. When the last version number within the release is replaced, the version changed is considered minor. With Auto Minor Version Upgrade feature enabled, the version upgrades will occur automatically during the specified maintenance window so your RDS instances can get the new features, bug fixes, and security patches for their database engines.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.\n2. In the left navigation panel, click on `Databases`.\n3. Select the RDS instance that wants to update.\n4. Click on the `Modify` button placed on the top right side.\n5. On the `Modify DB Instance: <instance identifier>` page, In the `Maintenance` section, select `Auto minor version upgrade` click on the `Yes` radio button.\n6. At the bottom of the page click on `Continue`, check to Apply Immediately to apply the changes immediately, or select `Apply during the next scheduled maintenance window` to avoid any downtime.\n7. Review the changes and click on `Modify DB Instance`. The instance status should change from available to modifying and back to available. Once the feature is enabled, the `Auto Minor Version Upgrade` status should change to `Yes`.\n\n**From Command Line:**\n\n1. Run `describe-db-instances` command to list all RDS database instance names, available in the selected AWS region:\n```\naws rds describe-db-instances --region <regionName> --query 'DBInstances[*].DBInstanceIdentifier'\n```\n2. The command output should return each database instance identifier.\n3. Run the `modify-db-instance` command to modify the selected RDS instance configuration this command will apply the changes immediately, Remove `--apply-immediately` to apply changes during the next scheduled maintenance window and avoid any downtime:\n```\naws rds modify-db-instance --region <regionName> --db-instance-identifier <dbInstanceIdentifier> --auto-minor-version-upgrade --apply-immediately\n```\n4. The command output should reveal the new configuration metadata for the RDS instance and check `AutoMinorVersionUpgrade` parameter value.\n5. Run `describe-db-instances` command to check if the Auto Minor Version Upgrade feature has been successfully enable:\n```\naws rds describe-db-instances --region <regionName> --db-instance-identifier <dbInstanceIdentifier> --query 'DBInstances[*].AutoMinorVersionUpgrade'\n```\n6. The command output should return the feature current status set to `true`, the feature is `enabled` and the minor engine upgrades will be applied to the selected RDS instance.",
-          "AuditProcedure": "**From Console:**\n\n1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.\n2. In the left navigation panel, click on `Databases`.\n3. Select the RDS instance that wants to examine.\n4. Click on the `Maintenance and backups` panel.\n5. Under the `Maintenance` section, search for the Auto Minor Version Upgrade status.\n- If the current status is set to `Disabled`, means the feature is not set and the minor engine upgrades released will not be applied to the selected RDS instance\n\n**From Command Line:**\n\n1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region:\n```\naws rds describe-db-instances --region <regionName> --query 'DBInstances[*].DBInstanceIdentifier'\n```\n2. The command output should return each database instance identifier.\n3. Run again `describe-db-instances` command using the RDS instance identifier returned earlier to determine the Auto Minor Version Upgrade status for the selected instance:\n```\naws rds describe-db-instances --region <regionName> --db-instance-identifier <dbInstanceIdentifier> --query 'DBInstances[*].AutoMinorVersionUpgrade'\n```\n4. The command output should return the feature current status. If the current status is set to `true`, the feature is enabled and the minor engine upgrades will be applied to the selected RDS instance.",
+          "RemediationProcedure": "**From Console:**  1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases`. 3. Select the RDS instance that wants to update. 4. Click on the `Modify` button placed on the top right side. 5. On the `Modify DB Instance: <instance identifier>` page, In the `Maintenance` section, select `Auto minor version upgrade` click on the `Yes` radio button. 6. At the bottom of the page click on `Continue`, check to Apply Immediately to apply the changes immediately, or select `Apply during the next scheduled maintenance window` to avoid any downtime. 7. Review the changes and click on `Modify DB Instance`. The instance status should change from available to modifying and back to available. Once the feature is enabled, the `Auto Minor Version Upgrade` status should change to `Yes`.  **From Command Line:**  1. Run `describe-db-instances` command to list all RDS database instance names, available in the selected AWS region: ``` aws rds describe-db-instances --region <regionName> --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. Run the `modify-db-instance` command to modify the selected RDS instance configuration this command will apply the changes immediately, Remove `--apply-immediately` to apply changes during the next scheduled maintenance window and avoid any downtime: ``` aws rds modify-db-instance --region <regionName> --db-instance-identifier <dbInstanceIdentifier> --auto-minor-version-upgrade --apply-immediately ``` 4. The command output should reveal the new configuration metadata for the RDS instance and check `AutoMinorVersionUpgrade` parameter value. 5. Run `describe-db-instances` command to check if the Auto Minor Version Upgrade feature has been successfully enable: ``` aws rds describe-db-instances --region <regionName> --db-instance-identifier <dbInstanceIdentifier> --query 'DBInstances[*].AutoMinorVersionUpgrade' ``` 6. The command output should return the feature current status set to `true`, the feature is `enabled` and the minor engine upgrades will be applied to the selected RDS instance.",
+          "AuditProcedure": "**From Console:**  1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. In the left navigation panel, click on `Databases`. 3. Select the RDS instance that wants to examine. 4. Click on the `Maintenance and backups` panel. 5. Under the `Maintenance` section, search for the Auto Minor Version Upgrade status. - If the current status is set to `Disabled`, means the feature is not set and the minor engine upgrades released will not be applied to the selected RDS instance  **From Command Line:**  1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region: ``` aws rds describe-db-instances --region <regionName> --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. Run again `describe-db-instances` command using the RDS instance identifier returned earlier to determine the Auto Minor Version Upgrade status for the selected instance: ``` aws rds describe-db-instances --region <regionName> --db-instance-identifier <dbInstanceIdentifier> --query 'DBInstances[*].AutoMinorVersionUpgrade' ``` 4. The command output should return the feature current status. If the current status is set to `true`, the feature is enabled and the minor engine upgrades will be applied to the selected RDS instance.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html:https://aws.amazon.com/rds/faqs/"
         }
@@ -648,8 +649,8 @@
           "Description": "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.",
           "RationaleStatement": "Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks. When the RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the Internet can establish a connection to your database and this can increase the opportunity for malicious activities such as brute force attacks, PostgreSQL injections, or DoS/DDoS attacks.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.\n2. Under the navigation panel, On RDS Dashboard, click `Databases`.\n3. Select the RDS instance that you want to update.\n4. Click `Modify` from the dashboard top menu.\n5. On the Modify DB Instance panel, under the `Connectivity` section, click on `Additional connectivity configuration` and update the value for `Publicly Accessible` to Not publicly accessible to restrict public access. Follow the below steps to update subnet configurations:\n- Select the `Connectivity and security` tab, and click on the VPC attribute value inside the `Networking` section.\n- Select the `Details` tab from the VPC dashboard bottom panel and click on Route table configuration attribute value.\n- On the Route table details page, select the Routes tab from the dashboard bottom panel and click on `Edit routes`.\n- On the Edit routes page, update the Destination of Target which is set to `igw-xxxxx` and click on `Save` routes.\n6. On the Modify DB Instance panel Click on `Continue` and In the Scheduling of modifications section, perform one of the following actions based on your requirements:\n- Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.\n- Select Apply immediately to apply the changes right away. With this option, any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this RDS database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for the application.\n7. Repeat steps 3 to 6 for each RDS instance available in the current region.\n8. Change the AWS region from the navigation bar to repeat the process for other regions.\n\n**From Command Line:**\n\n1. Run `describe-db-instances` command to list all RDS database names identifiers, available in the selected AWS region:\n```\naws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'\n```\n2. The command output should return each database instance identifier.\n3. Run `modify-db-instance` command to modify the selected RDS instance configuration. Then use the following command to disable the `Publicly Accessible` flag for the selected RDS instances. This command use the apply-immediately flag. If you want `to avoid any downtime --no-apply-immediately flag can be used`:\n```\naws rds modify-db-instance --region <region-name> --db-instance-identifier <db-name> --no-publicly-accessible --apply-immediately\n```\n4. The command output should reveal the `PubliclyAccessible` configuration under pending values and should get applied at the specified time.\n5. Updating the Internet Gateway Destination via AWS CLI is not currently supported To update information about Internet Gateway use the AWS Console Procedure.\n6. Repeat steps 1 to 5 for each RDS instance provisioned in the current region.\n7. Change the AWS region by using the --region filter to repeat the process for other regions.",
-          "AuditProcedure": "**From Console:**\n\n1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.\n2. Under the navigation panel, On RDS Dashboard, click `Databases`.\n3. Select the RDS instance that you want to examine.\n4. Click `Instance Name` from the dashboard, Under `Connectivity and Security.\n5. On the `Security`, check if the Publicly Accessible flag status is set to `Yes`, follow the below-mentioned steps to check database subnet access.\n- In the `networking` section, click the subnet link available under `Subnets`\n- The link will redirect you to the VPC Subnets page.\n- Select the subnet listed on the page and click the `Route Table` tab from the dashboard bottom panel. If the route table contains any entries with the destination `CIDR block set to 0.0.0.0/0` and with an `Internet Gateway` attached.\n- The selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and can be accessible from the Internet.\n6. Repeat steps no. 4 and 5 to determine the type (public or private) and subnet for other RDS database instances provisioned in the current region.\n8. Change the AWS region from the navigation bar and repeat the audit process for other regions.\n\n**From Command Line:**\n\n1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region:\n```\naws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'\n```\n2. The command output should return each database instance `identifier`.\n3. Run again `describe-db-instances` command using the `PubliclyAccessible` parameter as query filter to reveal the database instance Publicly Accessible flag status:\n```\naws rds describe-db-instances --region <region-name> --db-instance-identifier <db-instance-name> --query 'DBInstances[*].PubliclyAccessible'\n```\n4. Check for the Publicly Accessible parameter status, If the Publicly Accessible flag is set to `Yes`. Then selected RDS database instance is publicly accessible and insecure, follow the below-mentioned steps to check database subnet access\n5. Run again `describe-db-instances` command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC subnet(s) associated with the selected instance:\n```\naws rds describe-db-instances --region <region-name> --db-instance-identifier <db-name> --query 'DBInstances[*].DBSubnetGroup.Subnets[]'\n```\n- The command output should list the subnets available in the selected database subnet group.\n6. Run `describe-route-tables` command using the ID of the subnet returned at the previous step to describe the routes of the VPC route table associated with the selected subnet:\n```\naws ec2 describe-route-tables --region <region-name> --filters \"Name=association.subnet-id,Values=<SubnetID>\" --query 'RouteTables[*].Routes[]'\n```\n- If the command returns the route table associated with database instance subnet ID. Check the `GatewayId` and `DestinationCidrBlock` attributes values returned in the output. If the route table contains any entries with the `GatewayId` value set to `igw-xxxxxxxx` and the `DestinationCidrBlock` value set to `0.0.0.0/0`, the selected RDS database instance was provisioned inside a public subnet.\n- Or\n- If the command returns empty results, the route table is implicitly associated with subnet, therefore the audit process continues with the next step\n7. Run again `describe-db-instances` command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC ID associated with the selected instance:\n```\naws rds describe-db-instances --region <region-name> --db-instance-identifier <db-name> --query 'DBInstances[*].DBSubnetGroup.VpcId'\n```\n- The command output should show the VPC ID in the selected database subnet group\n8. Now run `describe-route-tables` command using the ID of the VPC returned at the previous step to describe the routes of the VPC main route table implicitly associated with the selected subnet:\n```\naws ec2 describe-route-tables --region <region-name> --filters \"Name=vpc-id,Values=<VPC-ID>\" \"Name=association.main,Values=true\" --query 'RouteTables[*].Routes[]'\n```\n- The command output returns the VPC main route table implicitly associated with database instance subnet ID. Check the `GatewayId` and `DestinationCidrBlock` attributes values returned in the output. If the route table contains any entries with the `GatewayId` value set to `igw-xxxxxxxx` and the `DestinationCidrBlock` value set to `0.0.0.0/0`, the selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and does not adhere to AWS security best practices.",
+          "RemediationProcedure": "**From Console:**  1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. Under the navigation panel, On RDS Dashboard, click `Databases`. 3. Select the RDS instance that you want to update. 4. Click `Modify` from the dashboard top menu. 5. On the Modify DB Instance panel, under the `Connectivity` section, click on `Additional connectivity configuration` and update the value for `Publicly Accessible` to Not publicly accessible to restrict public access. Follow the below steps to update subnet configurations: - Select the `Connectivity and security` tab, and click on the VPC attribute value inside the `Networking` section. - Select the `Details` tab from the VPC dashboard bottom panel and click on Route table configuration attribute value. - On the Route table details page, select the Routes tab from the dashboard bottom panel and click on `Edit routes`. - On the Edit routes page, update the Destination of Target which is set to `igw-xxxxx` and click on `Save` routes. 6. On the Modify DB Instance panel Click on `Continue` and In the Scheduling of modifications section, perform one of the following actions based on your requirements: - Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window. - Select Apply immediately to apply the changes right away. With this option, any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this RDS database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for the application. 7. Repeat steps 3 to 6 for each RDS instance available in the current region. 8. Change the AWS region from the navigation bar to repeat the process for other regions.  **From Command Line:**  1. Run `describe-db-instances` command to list all RDS database names identifiers, available in the selected AWS region: ``` aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance identifier. 3. Run `modify-db-instance` command to modify the selected RDS instance configuration. Then use the following command to disable the `Publicly Accessible` flag for the selected RDS instances. This command use the apply-immediately flag. If you want `to avoid any downtime --no-apply-immediately flag can be used`: ``` aws rds modify-db-instance --region <region-name> --db-instance-identifier <db-name> --no-publicly-accessible --apply-immediately ``` 4. The command output should reveal the `PubliclyAccessible` configuration under pending values and should get applied at the specified time. 5. Updating the Internet Gateway Destination via AWS CLI is not currently supported To update information about Internet Gateway use the AWS Console Procedure. 6. Repeat steps 1 to 5 for each RDS instance provisioned in the current region. 7. Change the AWS region by using the --region filter to repeat the process for other regions.",
+          "AuditProcedure": "**From Console:**  1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/. 2. Under the navigation panel, On RDS Dashboard, click `Databases`. 3. Select the RDS instance that you want to examine. 4. Click `Instance Name` from the dashboard, Under `Connectivity and Security. 5. On the `Security`, check if the Publicly Accessible flag status is set to `Yes`, follow the below-mentioned steps to check database subnet access. - In the `networking` section, click the subnet link available under `Subnets` - The link will redirect you to the VPC Subnets page. - Select the subnet listed on the page and click the `Route Table` tab from the dashboard bottom panel. If the route table contains any entries with the destination `CIDR block set to 0.0.0.0/0` and with an `Internet Gateway` attached. - The selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and can be accessible from the Internet. 6. Repeat steps no. 4 and 5 to determine the type (public or private) and subnet for other RDS database instances provisioned in the current region. 8. Change the AWS region from the navigation bar and repeat the audit process for other regions.  **From Command Line:**  1. Run `describe-db-instances` command to list all RDS database names, available in the selected AWS region: ``` aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier' ``` 2. The command output should return each database instance `identifier`. 3. Run again `describe-db-instances` command using the `PubliclyAccessible` parameter as query filter to reveal the database instance Publicly Accessible flag status: ``` aws rds describe-db-instances --region <region-name> --db-instance-identifier <db-instance-name> --query 'DBInstances[*].PubliclyAccessible' ``` 4. Check for the Publicly Accessible parameter status, If the Publicly Accessible flag is set to `Yes`. Then selected RDS database instance is publicly accessible and insecure, follow the below-mentioned steps to check database subnet access 5. Run again `describe-db-instances` command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC subnet(s) associated with the selected instance: ``` aws rds describe-db-instances --region <region-name> --db-instance-identifier <db-name> --query 'DBInstances[*].DBSubnetGroup.Subnets[]' ``` - The command output should list the subnets available in the selected database subnet group. 6. Run `describe-route-tables` command using the ID of the subnet returned at the previous step to describe the routes of the VPC route table associated with the selected subnet: ``` aws ec2 describe-route-tables --region <region-name> --filters \"Name=association.subnet-id,Values=<SubnetID>\" --query 'RouteTables[*].Routes[]' ``` - If the command returns the route table associated with database instance subnet ID. Check the `GatewayId` and `DestinationCidrBlock` attributes values returned in the output. If the route table contains any entries with the `GatewayId` value set to `igw-xxxxxxxx` and the `DestinationCidrBlock` value set to `0.0.0.0/0`, the selected RDS database instance was provisioned inside a public subnet. - Or - If the command returns empty results, the route table is implicitly associated with subnet, therefore the audit process continues with the next step 7. Run again `describe-db-instances` command using the RDS database instance identifier that you want to check and appropriate filtering to describe the VPC ID associated with the selected instance: ``` aws rds describe-db-instances --region <region-name> --db-instance-identifier <db-name> --query 'DBInstances[*].DBSubnetGroup.VpcId' ``` - The command output should show the VPC ID in the selected database subnet group 8. Now run `describe-route-tables` command using the ID of the VPC returned at the previous step to describe the routes of the VPC main route table implicitly associated with the selected subnet: ``` aws ec2 describe-route-tables --region <region-name> --filters \"Name=vpc-id,Values=<VPC-ID>\" \"Name=association.main,Values=true\" --query 'RouteTables[*].Routes[]' ``` - The command output returns the VPC main route table implicitly associated with database instance subnet ID. Check the `GatewayId` and `DestinationCidrBlock` attributes values returned in the output. If the route table contains any entries with the `GatewayId` value set to `igw-xxxxxxxx` and the `DestinationCidrBlock` value set to `0.0.0.0/0`, the selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and does not adhere to AWS security best practices.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html:https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html:https://aws.amazon.com/rds/faqs/"
         }
@@ -669,8 +670,8 @@
           "Description": "EFS data should be encrypted at rest using AWS KMS (Key Management Service).",
           "RationaleStatement": "Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**It is important to note that EFS file system data at rest encryption must be turned on when creating the file system.**\n\nIf an EFS file system has been created without data at rest encryption enabled then you must create another EFS file system with the correct configuration and transfer the data.\n\n**Steps to create an EFS file system with data encrypted at rest:**\n\n**From Console:**\n1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS)` dashboard.\n2. Select `File Systems` from the left navigation panel.\n3. Click `Create File System` button from the dashboard top menu to start the file system setup process.\n4. On the `Configure file system access` configuration page, perform the following actions.\n- Choose the right VPC from the VPC dropdown list.\n- Within Create mount targets section, select the checkboxes for all of the Availability Zones (AZs) within the selected VPC. These will be your mount targets.\n- Click `Next step` to continue.\n\n5. Perform the following on the `Configure optional settings` page.\n- Create `tags` to describe your new file system.\n- Choose `performance mode` based on your requirements.\n- Check `Enable encryption` checkbox and choose `aws/elasticfilesystem` from Select KMS master key dropdown list to enable encryption for the new file system using the default master key provided and managed by AWS KMS.\n- Click `Next step` to continue.\n\n6. Review the file system configuration details on the `review and create` page and then click `Create File System` to create your new AWS EFS file system.\n7. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system.\n8. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed.\n9. Change the AWS region from the navigation bar and repeat the entire process for other aws regions.\n\n**From CLI:**\n1. Run describe-file-systems command to describe the configuration information available for the selected (unencrypted) file system (see Audit section to identify the right resource):\n```\naws efs describe-file-systems --region <region> --file-system-id <file-system-id from audit section step 2 output>\n```\n2. The command output should return the requested configuration information.\n3. To provision a new AWS EFS file system, you need to generate a universally unique identifier (UUID) in order to create the token required by the create-file-system command. To create the required token, you can use a randomly generated UUID from \"https://www.uuidgenerator.net\".\n4. Run create-file-system command using the unique token created at the previous step.\n```\naws efs create-file-system --region <region> --creation-token <Token (randomly generated UUID from step 3)> --performance-mode generalPurpose --encrypted\n```\n5. The command output should return the new file system configuration metadata.\n6. Run create-mount-target command using the newly created EFS file system ID returned at the previous step as identifier and the ID of the Availability Zone (AZ) that will represent the mount target:\n```\naws efs create-mount-target --region <region> --file-system-id <file-system-id> --subnet-id <subnet-id>\n```\n7. The command output should return the new mount target metadata.\n8. Now you can mount your file system from an EC2 instance.\n9. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system.\n10. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed.\n```\naws efs delete-file-system --region <region> --file-system-id <unencrypted-file-system-id>\n```\n11. Change the AWS region by updating the --region and repeat the entire process for other aws regions.",
-          "AuditProcedure": "**From Console:**\n1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS) dashboard.\n2. Select `File Systems` from the left navigation panel.\n3. Each item on the list has a visible Encrypted field that displays data at rest encryption status.\n4. Validate that this field reads `Encrypted` for all EFS file systems in all AWS regions.\n\n**From CLI:**\n1. Run describe-file-systems command using custom query filters to list the identifiers of all AWS EFS file systems currently available within the selected region:\n```\naws efs describe-file-systems --region <region> --output table --query 'FileSystems[*].FileSystemId'\n```\n2. The command output should return a table with the requested file system IDs.\n3. Run describe-file-systems command using the ID of the file system that you want to examine as identifier and the necessary query filters:\n```\naws efs describe-file-systems --region <region> --file-system-id <file-system-id from step 2 output> --query 'FileSystems[*].Encrypted'\n```\n4. The command output should return the file system encryption status true or false. If the returned value is `false`, the selected AWS EFS file system is not encrypted and if the returned value is `true`, the selected AWS EFS file system is encrypted.",
+          "RemediationProcedure": "**It is important to note that EFS file system data at rest encryption must be turned on when creating the file system.**  If an EFS file system has been created without data at rest encryption enabled then you must create another EFS file system with the correct configuration and transfer the data.  **Steps to create an EFS file system with data encrypted at rest:**  **From Console:** 1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS)` dashboard. 2. Select `File Systems` from the left navigation panel. 3. Click `Create File System` button from the dashboard top menu to start the file system setup process. 4. On the `Configure file system access` configuration page, perform the following actions. - Choose the right VPC from the VPC dropdown list. - Within Create mount targets section, select the checkboxes for all of the Availability Zones (AZs) within the selected VPC. These will be your mount targets. - Click `Next step` to continue.  5. Perform the following on the `Configure optional settings` page. - Create `tags` to describe your new file system. - Choose `performance mode` based on your requirements. - Check `Enable encryption` checkbox and choose `aws/elasticfilesystem` from Select KMS master key dropdown list to enable encryption for the new file system using the default master key provided and managed by AWS KMS. - Click `Next step` to continue.  6. Review the file system configuration details on the `review and create` page and then click `Create File System` to create your new AWS EFS file system. 7. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system. 8. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed. 9. Change the AWS region from the navigation bar and repeat the entire process for other aws regions.  **From CLI:** 1. Run describe-file-systems command to describe the configuration information available for the selected (unencrypted) file system (see Audit section to identify the right resource): ``` aws efs describe-file-systems --region <region> --file-system-id <file-system-id from audit section step 2 output> ``` 2. The command output should return the requested configuration information. 3. To provision a new AWS EFS file system, you need to generate a universally unique identifier (UUID) in order to create the token required by the create-file-system command. To create the required token, you can use a randomly generated UUID from \"https://www.uuidgenerator.net\". 4. Run create-file-system command using the unique token created at the previous step. ``` aws efs create-file-system --region <region> --creation-token <Token (randomly generated UUID from step 3)> --performance-mode generalPurpose --encrypted ``` 5. The command output should return the new file system configuration metadata. 6. Run create-mount-target command using the newly created EFS file system ID returned at the previous step as identifier and the ID of the Availability Zone (AZ) that will represent the mount target: ``` aws efs create-mount-target --region <region> --file-system-id <file-system-id> --subnet-id <subnet-id> ``` 7. The command output should return the new mount target metadata. 8. Now you can mount your file system from an EC2 instance. 9. Copy the data from the old unencrypted EFS file system onto the newly create encrypted file system. 10. Remove the unencrypted file system as soon as your data migration to the newly create encrypted file system is completed. ``` aws efs delete-file-system --region <region> --file-system-id <unencrypted-file-system-id> ``` 11. Change the AWS region by updating the --region and repeat the entire process for other aws regions.",
+          "AuditProcedure": "**From Console:** 1. Login to the AWS Management Console and Navigate to `Elastic File System (EFS) dashboard. 2. Select `File Systems` from the left navigation panel. 3. Each item on the list has a visible Encrypted field that displays data at rest encryption status. 4. Validate that this field reads `Encrypted` for all EFS file systems in all AWS regions.  **From CLI:** 1. Run describe-file-systems command using custom query filters to list the identifiers of all AWS EFS file systems currently available within the selected region: ``` aws efs describe-file-systems --region <region> --output table --query 'FileSystems[*].FileSystemId' ``` 2. The command output should return a table with the requested file system IDs. 3. Run describe-file-systems command using the ID of the file system that you want to examine as identifier and the necessary query filters: ``` aws efs describe-file-systems --region <region> --file-system-id <file-system-id from step 2 output> --query 'FileSystems[*].Encrypted' ``` 4. The command output should return the file system encryption status true or false. If the returned value is `false`, the selected AWS EFS file system is not encrypted and if the returned value is `true`, the selected AWS EFS file system is encrypted.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/efs/index.html#efs"
         }
@@ -688,10 +689,10 @@
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
           "Description": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).",
-          "RationaleStatement": "The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally, \n\n- ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected\n\n- ensuring that a multi-regions trail exists will ensure that `Global Service Logging` is enabled for a trail by default to capture recording of events generated on \nAWS global services\n\n- for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account",
-          "ImpactStatement": "S3 lifecycle features can be used to manage the accumulation and management of logs over time. See the following AWS resource for more information on these features:\n\n1. https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html",
-          "RemediationProcedure": "Perform the following to enable global (Multi-region) CloudTrail logging:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. Click on _Trails_ on the left navigation pane\n3. Click `Get Started Now` , if presented\n - Click `Add new trail` \n - Enter a trail name in the `Trail name` box\n - Set the `Apply trail to all regions` option to `Yes` \n - Specify an S3 bucket name in the `S3 bucket` box\n - Click `Create` \n4. If 1 or more trails already exist, select the target trail to enable for global logging\n5. Click the edit icon (pencil) next to `Apply trail to all regions` , Click `Yes` and Click `Save`.\n6. Click the edit icon (pencil) next to `Management Events` click `All` for setting `Read/Write Events` and Click `Save`.\n\n**From Command Line:**\n```\naws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail \naws cloudtrail update-trail --name <trail_name> --is-multi-region-trail\n```\n\nNote: Creating CloudTrail via CLI without providing any overriding options configures `Management Events` to set `All` type of `Read/Writes` by default.",
-          "AuditProcedure": "Perform the following to determine if CloudTrail is enabled for all regions:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. Click on `Trails` on the left navigation pane\n - You will be presented with a list of trails across all regions\n3. Ensure at least one Trail has `All` specified in the `Region` column\n4. Click on a trail via the link in the _Name_ column\n5. Ensure `Logging` is set to `ON` \n6. Ensure `Apply trail to all regions` is set to `Yes`\n7. In section `Management Events` ensure `Read/Write Events` set to `ALL`\n\n**From Command Line:**\n```\n aws cloudtrail describe-trails\n```\nEnsure `IsMultiRegionTrail` is set to `true` \n```\naws cloudtrail get-trail-status --name <trailname shown in describe-trails>\n```\nEnsure `IsLogging` is set to `true`\n```\naws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>\n```\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`",
+          "RationaleStatement": "The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally,   - ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected  - ensuring that a multi-regions trail exists will ensure that `Global Service Logging` is enabled for a trail by default to capture recording of events generated on  AWS global services  - for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account",
+          "ImpactStatement": "S3 lifecycle features can be used to manage the accumulation and management of logs over time. See the following AWS resource for more information on these features:  1. https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html",
+          "RemediationProcedure": "Perform the following to enable global (Multi-region) CloudTrail logging:  **From Console:**  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on _Trails_ on the left navigation pane 3. Click `Get Started Now` , if presented  - Click `Add new trail`   - Enter a trail name in the `Trail name` box  - Set the `Apply trail to all regions` option to `Yes`   - Specify an S3 bucket name in the `S3 bucket` box  - Click `Create`  4. If 1 or more trails already exist, select the target trail to enable for global logging 5. Click the edit icon (pencil) next to `Apply trail to all regions` , Click `Yes` and Click `Save`. 6. Click the edit icon (pencil) next to `Management Events` click `All` for setting `Read/Write Events` and Click `Save`.  **From Command Line:** ``` aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail  aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail ```  Note: Creating CloudTrail via CLI without providing any overriding options configures `Management Events` to set `All` type of `Read/Writes` by default.",
+          "AuditProcedure": "Perform the following to determine if CloudTrail is enabled for all regions:  **From Console:**  1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane  - You will be presented with a list of trails across all regions 3. Ensure at least one Trail has `All` specified in the `Region` column 4. Click on a trail via the link in the _Name_ column 5. Ensure `Logging` is set to `ON`  6. Ensure `Apply trail to all regions` is set to `Yes` 7. In section `Management Events` ensure `Read/Write Events` set to `ALL`  **From Command Line:** ```  aws cloudtrail describe-trails ``` Ensure `IsMultiRegionTrail` is set to `true`  ``` aws cloudtrail get-trail-status --name <trailname shown in describe-trails> ``` Ensure `IsLogging` is set to `true` ``` aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails> ``` Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-management-events:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html#cloud-trail-supported-services-data-events"
         }
@@ -711,8 +712,8 @@
           "Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.",
           "RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/`\n5. Once the Cloudtrail is selected, check the `Write` event checkbox, so that `object-level` logging for Write events is enabled.\n6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.\n\n**From Command Line:**\n\n1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier:\n```\naws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ \"ReadWriteType\": \"WriteOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::<s3-bucket-name>/\"] }] }]'\n```\n2. The command output will be `object-level` event trail configuration.\n3. If you want to enable it for all buckets at once then change Values parameter to `[\"arn:aws:s3\"]` in command given above.\n4. Repeat step 1 for each s3 bucket to update `object-level` logging of write events.\n5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.",
-          "AuditProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to CloudTrail dashboard at `https://console.aws.amazon.com/cloudtrail/`\n2. In the left panel, click `Trails` and then click on the CloudTrail Name that you want to examine.\n3. Review `General details`\n4. Confirm that `Multi-region trail` is set to `Yes`\n5. Scroll down to `Data events`\n6. Confirm that it reads:\nData events: S3\nBucket Name: All current and future S3 buckets\nRead: Enabled\nWrite: Enabled\n7. Repeat steps 2 to 6 to verify that Multi-region trail and Data events logging of S3 buckets in CloudTrail.\nIf the CloudTrails do not have multi-region and data events configured for S3 refer to the remediation below.\n\n**From Command Line:**\n\n1. Run `list-trails` command to list the names of all Amazon CloudTrail trails currently available in all AWS regions:\n```\naws cloudtrail list-trails\n```\n2. The command output will be a list of all the trail names to include.\n\"TrailARN\": \"arn:aws:cloudtrail:<region>:<account#>:trail/<trailname>\",\n\"Name\": \"<trailname>\",\n\"HomeRegion\": \"<region>\"\n3. Next run 'get-trail- command to determine Multi-region.\n```\naws cloudtrail get-trail --name <trailname> --region <region_name>\n```\n4. The command output should include:\n\"IsMultiRegionTrail\": true,\n5. Next run `get-event-selectors` command using the `Name` of the trail and the `region` returned in step 2 to determine if Data events logging feature is enabled within the selected CloudTrail trail for all S3 buckets:\n```\naws cloudtrail get-event-selectors --region <HomeRegion> --trail-name <trailname> --query EventSelectors[*].DataResources[]\n```\n6. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector.\n\"Type\": \"AWS::S3::Object\",\n \"Values\": [\n \"arn:aws:s3\"\n7. If the `get-event-selectors` command returns an empty array '[]', the Data events are not included in the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded.\n8. Repeat steps 1 to 5 for auditing each CloudTrail to determine if Data events for S3 are covered.\nIf Multi-region is not set to true and the Data events does not show S3 defined as shown refer to the remediation procedure below.",
+          "RemediationProcedure": "**From Console:**  1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. Once the Cloudtrail is selected, check the `Write` event checkbox, so that `object-level` logging for Write events is enabled. 6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.  **From Command Line:**  1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ \"ReadWriteType\": \"WriteOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::<s3-bucket-name>/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at once then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. Repeat step 1 for each s3 bucket to update `object-level` logging of write events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.",
+          "AuditProcedure": "**From Console:**  1. Login to the AWS Management Console and navigate to CloudTrail dashboard at `https://console.aws.amazon.com/cloudtrail/` 2. In the left panel, click `Trails` and then click on the CloudTrail Name that you want to examine. 3. Review `General details` 4. Confirm that `Multi-region trail` is set to `Yes` 5. Scroll down to `Data events` 6. Confirm that it reads: Data events: S3 Bucket Name: All current and future S3 buckets Read: Enabled Write: Enabled 7. Repeat steps 2 to 6 to verify that Multi-region trail and Data events logging of S3 buckets in CloudTrail. If the CloudTrails do not have multi-region and data events configured for S3 refer to the remediation below.  **From Command Line:**  1. Run `list-trails` command to list the names of all Amazon CloudTrail trails currently available in all AWS regions: ``` aws cloudtrail list-trails ``` 2. The command output will be a list of all the trail names to include. \"TrailARN\": \"arn:aws:cloudtrail:<region>:<account#>:trail/<trailname>\", \"Name\": \"<trailname>\", \"HomeRegion\": \"<region>\" 3. Next run 'get-trail- command to determine Multi-region. ``` aws cloudtrail get-trail --name <trailname> --region <region_name> ``` 4. The command output should include: \"IsMultiRegionTrail\": true, 5. Next run `get-event-selectors` command using the `Name` of the trail and the `region` returned in step 2 to determine if Data events logging feature is enabled within the selected CloudTrail trail for all S3 buckets: ``` aws cloudtrail get-event-selectors --region <HomeRegion> --trail-name <trailname> --query EventSelectors[*].DataResources[] ``` 6. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. \"Type\": \"AWS::S3::Object\",  \"Values\": [  \"arn:aws:s3\" 7. If the `get-event-selectors` command returns an empty array '[]', the Data events are not included in the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 8. Repeat steps 1 to 5 for auditing each CloudTrail to determine if Data events for S3 are covered. If Multi-region is not set to true and the Data events does not show S3 defined as shown refer to the remediation procedure below.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html"
         }
@@ -732,8 +733,8 @@
           "Description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.",
           "RationaleStatement": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/`\n5. Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled.\n6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.\n\n**From Command Line:**\n1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier:\n```\naws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ \"ReadWriteType\": \"ReadOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::<s3-bucket-name>/\"] }] }]'\n```\n2. The command output will be `object-level` event trail configuration.\n3. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above.\n4. Repeat step 1 for each s3 bucket to update `object-level` logging of read events.\n5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.",
-          "AuditProcedure": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. If the current status for `Object-level` logging is set to `Disabled`, then object-level logging of read events for the selected s3 bucket is not set.\n5. If the current status for `Object-level` logging is set to `Enabled`, but the Read event check-box is unchecked, then object-level logging of read events for the selected s3 bucket is not set.\n6. Repeat steps 2 to 5 to verify `object-level` logging for `read` events of your other S3 buckets.\n\n**From Command Line:**\n1. Run `describe-trails` command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region:\n```\naws cloudtrail describe-trails --region <region-name> --output table --query trailList[*].Name\n```\n2. The command output will be table of the requested trail names.\n3. Run `get-event-selectors` command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3 bucket resources:\n```\naws cloudtrail get-event-selectors --region <region-name> --trail-name <trail-name> --query EventSelectors[*].DataResources[]\n```\n4. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector.\n5. If the `get-event-selectors` command returns an empty array, the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded.\n6. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events.\n7. Change the AWS region by updating the `--region` command parameter and perform the audit process for other regions.",
+          "RemediationProcedure": "**From Console:**  1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/` 5. Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled. 6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.  **From Command Line:** 1. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier: ``` aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ \"ReadWriteType\": \"ReadOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::<s3-bucket-name>/\"] }] }]' ``` 2. The command output will be `object-level` event trail configuration. 3. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above. 4. Repeat step 1 for each s3 bucket to update `object-level` logging of read events. 5. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.",
+          "AuditProcedure": "**From Console:**  1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/` 2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine. 3. Click `Properties` tab to see in detail bucket configuration. 4. If the current status for `Object-level` logging is set to `Disabled`, then object-level logging of read events for the selected s3 bucket is not set. 5. If the current status for `Object-level` logging is set to `Enabled`, but the Read event check-box is unchecked, then object-level logging of read events for the selected s3 bucket is not set. 6. Repeat steps 2 to 5 to verify `object-level` logging for `read` events of your other S3 buckets.  **From Command Line:** 1. Run `describe-trails` command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region: ``` aws cloudtrail describe-trails --region <region-name> --output table --query trailList[*].Name ``` 2. The command output will be table of the requested trail names. 3. Run `get-event-selectors` command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3 bucket resources: ``` aws cloudtrail get-event-selectors --region <region-name> --trail-name <trail-name> --query EventSelectors[*].DataResources[] ``` 4. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector. 5. If the `get-event-selectors` command returns an empty array, the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded. 6. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events. 7. Change the AWS region by updating the `--region` command parameter and perform the audit process for other regions.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html"
         }
@@ -753,8 +754,8 @@
           "Description": "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.",
           "RationaleStatement": "Enabling log file validation will provide additional integrity checking of CloudTrail logs.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to enable log file validation on a given trail:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. Click on `Trails` on the left navigation pane\n3. Click on target trail\n4. Within the `General details` section click `edit`\n5. Under the `Advanced settings` section\n6. Check the enable box under `Log file validation` \n7. Click `Save changes` \n\n**From Command Line:**\n```\naws cloudtrail update-trail --name <trail_name> --enable-log-file-validation\n```\nNote that periodic validation of logs using these digests can be performed by running the following command:\n```\naws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>\n```",
-          "AuditProcedure": "Perform the following on each trail to determine if log file validation is enabled:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. Click on `Trails` on the left navigation pane\n3. For Every Trail:\n- Click on a trail via the link in the _Name_ column\n- Under the `General details` section, ensure `Log file validation` is set to `Enabled` \n\n**From Command Line:**\n```\naws cloudtrail describe-trails\n```\nEnsure `LogFileValidationEnabled` is set to `true` for each trail",
+          "RemediationProcedure": "Perform the following to enable log file validation on a given trail:  **From Console:**  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. Click on target trail 4. Within the `General details` section click `edit` 5. Under the `Advanced settings` section 6. Check the enable box under `Log file validation`  7. Click `Save changes`   **From Command Line:** ``` aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation ``` Note that periodic validation of logs using these digests can be performed by running the following command: ``` aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time> ```",
+          "AuditProcedure": "Perform the following on each trail to determine if log file validation is enabled:  **From Console:**  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. Click on `Trails` on the left navigation pane 3. For Every Trail: - Click on a trail via the link in the _Name_ column - Under the `General details` section, ensure `Log file validation` is set to `Enabled`   **From Command Line:** ``` aws cloudtrail describe-trails ``` Ensure `LogFileValidationEnabled` is set to `true` for each trail",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html"
         }
@@ -774,8 +775,8 @@
           "Description": "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.",
           "RationaleStatement": "Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:\n\n1. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home)\n2. Right-click on the bucket and click Properties\n3. In the `Properties` pane, click the `Permissions` tab.\n4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.\n5. Select the row that grants permission to `Everyone` or `Any Authenticated User` \n6. Uncheck all the permissions granted to `Everyone` or `Any Authenticated User` (click `x` to delete the row).\n7. Click `Save` to save the ACL.\n8. If the `Edit bucket policy` button is present, click it.\n9. Remove any `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}.",
-          "AuditProcedure": "Perform the following to determine if any public access is granted to an S3 bucket via an ACL or S3 bucket policy:\n\n**From Console:**\n\n1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home)\n2. In the `API activity history` pane on the left, click `Trails` \n3. In the `Trails` pane, note the bucket names in the `S3 bucket` column\n4. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home)\n5. For each bucket noted in step 3, right-click on the bucket and click `Properties` \n6. In the `Properties` pane, click the `Permissions` tab.\n7. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.\n8. Ensure no rows exists that have the `Grantee` set to `Everyone` or the `Grantee` set to `Any Authenticated User.` \n9. If the `Edit bucket policy` button is present, click it to review the bucket policy.\n10. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}\n\n**From Command Line:**\n\n1. Get the name of the S3 bucket that CloudTrail is logging to:\n```\n aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'\n```\n2. Ensure the `AllUsers` principal is not granted privileges to that `<bucket>` :\n```\n aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/AllUsers` ]'\n```\n3. Ensure the `AuthenticatedUsers` principal is not granted privileges to that `<bucket>`:\n```\n aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/Authenticated Users` ]'\n```\n4. Get the S3 Bucket Policy\n```\n aws s3api get-bucket-policy --bucket <s3_bucket_for_cloudtrail> \n```\n5. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}\n\n**Note:** Principal set to \"\\*\" or {\"AWS\" : \"\\*\"} allows anonymous access.",
+          "RemediationProcedure": "Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:  1. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 2. Right-click on the bucket and click Properties 3. In the `Properties` pane, click the `Permissions` tab. 4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 5. Select the row that grants permission to `Everyone` or `Any Authenticated User`  6. Uncheck all the permissions granted to `Everyone` or `Any Authenticated User` (click `x` to delete the row). 7. Click `Save` to save the ACL. 8. If the `Edit bucket policy` button is present, click it. 9. Remove any `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}.",
+          "AuditProcedure": "Perform the following to determine if any public access is granted to an S3 bucket via an ACL or S3 bucket policy:  **From Console:**  1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the `API activity history` pane on the left, click `Trails`  3. In the `Trails` pane, note the bucket names in the `S3 bucket` column 4. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 5. For each bucket noted in step 3, right-click on the bucket and click `Properties`  6. In the `Properties` pane, click the `Permissions` tab. 7. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 8. Ensure no rows exists that have the `Grantee` set to `Everyone` or the `Grantee` set to `Any Authenticated User.`  9. If the `Edit bucket policy` button is present, click it to review the bucket policy. 10. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}  **From Command Line:**  1. Get the name of the S3 bucket that CloudTrail is logging to: ```  aws cloudtrail describe-trails --query 'trailList[*].S3BucketName' ``` 2. Ensure the `AllUsers` principal is not granted privileges to that `<bucket>` : ```  aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/AllUsers` ]' ``` 3. Ensure the `AuthenticatedUsers` principal is not granted privileges to that `<bucket>`: ```  aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/Authenticated Users` ]' ``` 4. Get the S3 Bucket Policy ```  aws s3api get-bucket-policy --bucket <s3_bucket_for_cloudtrail>  ``` 5. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to \"\\*\" or {\"AWS\" : \"\\*\"}  **Note:** Principal set to \"\\*\" or {\"AWS\" : \"\\*\"} allows anonymous access.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html"
         }
@@ -792,11 +793,11 @@
           "Section": "3. Logging",
           "Profile": "Level 1",
           "AssessmentStatus": "Automated",
-          "Description": "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.\n\nNote: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution.",
+          "Description": "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.  Note: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution.",
           "RationaleStatement": "Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.",
-          "ImpactStatement": "Note: By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:\n\n1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html",
-          "RemediationProcedure": "Perform the following to establish the prescribed state:\n\n**From Console:**\n\n1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/`\n2. Select the `Trail` the needs to be updated.\n3. Scroll down to `CloudWatch Logs`\n4. Click `Edit`\n5. Under `CloudWatch Logs` click the box `Enabled`\n6. Under `Log Group` pick new or select an existing log group\n7. Edit the `Log group name` to match the CloudTrail or pick the existing CloudWatch Group.\n8. Under `IAM Role` pick new or select an existing.\n9. Edit the `Role name` to match the CloudTrail or pick the existing IAM Role.\n10. Click `Save changes.\n\n**From Command Line:**\n```\naws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-group-arn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure CloudTrail is configured as prescribed:\n\n**From Console:**\n\n1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/`\n2. Under `Trails` , click on the CloudTrail you wish to evaluate\n3. Under the `CloudWatch Logs` section.\n4. Ensure a `CloudWatch Logs` log group is configured and listed.\n5. Under `General details` confirm `Last log file delivered` has a recent (~one day old) timestamp.\n\n**From Command Line:**\n\n1. Run the following command to get a listing of existing trails:\n```\n aws cloudtrail describe-trails\n```\n2. Ensure `CloudWatchLogsLogGroupArn` is not empty and note the value of the `Name` property.\n3. Using the noted value of the `Name` property, run the following command:\n```\n aws cloudtrail get-trail-status --name <trail_name>\n```\n4. Ensure the `LatestcloudwatchLogdDeliveryTime` property is set to a recent (~one day old) timestamp.\n\nIf the `CloudWatch Logs` log group is not setup and the delivery time is not recent refer to the remediation below.",
+          "ImpactStatement": "Note: By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:  1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html",
+          "RemediationProcedure": "Perform the following to establish the prescribed state:  **From Console:**  1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Select the `Trail` the needs to be updated. 3. Scroll down to `CloudWatch Logs` 4. Click `Edit` 5. Under `CloudWatch Logs` click the box `Enabled` 6. Under `Log Group` pick new or select an existing log group 7. Edit the `Log group name` to match the CloudTrail or pick the existing CloudWatch Group. 8. Under `IAM Role` pick new or select an existing. 9. Edit the `Role name` to match the CloudTrail or pick the existing IAM Role. 10. Click `Save changes.  **From Command Line:** ``` aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-group-arn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn> ```",
+          "AuditProcedure": "Perform the following to ensure CloudTrail is configured as prescribed:  **From Console:**  1. Login to the CloudTrail console at `https://console.aws.amazon.com/cloudtrail/` 2. Under `Trails` , click on the CloudTrail you wish to evaluate 3. Under the `CloudWatch Logs` section. 4. Ensure a `CloudWatch Logs` log group is configured and listed. 5. Under `General details` confirm `Last log file delivered` has a recent (~one day old) timestamp.  **From Command Line:**  1. Run the following command to get a listing of existing trails: ```  aws cloudtrail describe-trails ``` 2. Ensure `CloudWatchLogsLogGroupArn` is not empty and note the value of the `Name` property. 3. Using the noted value of the `Name` property, run the following command: ```  aws cloudtrail get-trail-status --name <trail_name> ``` 4. Ensure the `LatestcloudwatchLogdDeliveryTime` property is set to a recent (~one day old) timestamp.  If the `CloudWatch Logs` log group is not setup and the delivery time is not recent refer to the remediation below.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html"
         }
@@ -816,8 +817,8 @@
           "Description": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions.",
           "RationaleStatement": "The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.",
           "ImpactStatement": "It is recommended AWS Config be enabled in all regions.",
-          "RemediationProcedure": "To implement AWS Config configuration:\n\n**From Console:**\n\n1. Select the region you want to focus on in the top right of the console\n2. Click `Services` \n3. Click `Config` \n4. Define which resources you want to record in the selected region\n5. Choose to include global resources (IAM resources)\n6. Specify an S3 bucket in the same account or in another managed AWS account\n7. Create an SNS Topic from the same AWS account or another managed AWS account\n\n**From Command Line:**\n\n1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the [AWS Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html).\n2. Run this command to set up the configuration recorder\n```\naws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole\n```\n3. Run this command to start the configuration recorder:\n```\nstart-configuration-recorder --configuration-recorder-name <value>\n```",
-          "AuditProcedure": "Process to evaluate AWS Config configuration per region\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/).\n2. On the top right of the console select target Region.\n3. If presented with Setup AWS Config - follow remediation procedure:\n4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears.\n5. Ensure 1 or both check-boxes under \"All Resources\" is checked.\n - Include global resources related to IAM resources - which needs to be enabled in 1 region only\n6. Ensure the correct S3 bucket has been defined.\n7. Ensure the correct SNS topic has been defined.\n8. Repeat steps 2 to 7 for each region.\n\n**From Command Line:**\n\n1. Run this command to show all AWS Config recorders and their properties:\n```\naws configservice describe-configuration-recorders\n```\n2. Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`\n\nNote: There is one more parameter \"ResourceTypes\" in recordingGroup object. We don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])\n\nSample Output:\n\n```\n{\n \"ConfigurationRecorders\": [\n {\n \"recordingGroup\": {\n \"allSupported\": true,\n \"resourceTypes\": [],\n \"includeGlobalResourceTypes\": true\n },\n \"roleARN\": \"arn:aws:iam::<AWS_Account_ID>:role/service-role/<config-role-name>\",\n \"name\": \"default\"\n }\n ]\n}\n```\n\n3. Run this command to show the status for all AWS Config recorders:\n```\naws configservice describe-configuration-recorder-status\n```\n4. In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`",
+          "RemediationProcedure": "To implement AWS Config configuration:  **From Console:**  1. Select the region you want to focus on in the top right of the console 2. Click `Services`  3. Click `Config`  4. Define which resources you want to record in the selected region 5. Choose to include global resources (IAM resources) 6. Specify an S3 bucket in the same account or in another managed AWS account 7. Create an SNS Topic from the same AWS account or another managed AWS account  **From Command Line:**  1. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the [AWS Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html). 2. Run this command to set up the configuration recorder ``` aws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole ``` 3. Run this command to start the configuration recorder: ``` start-configuration-recorder --configuration-recorder-name <value> ```",
+          "AuditProcedure": "Process to evaluate AWS Config configuration per region  **From Console:**  1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/). 2. On the top right of the console select target Region. 3. If presented with Setup AWS Config - follow remediation procedure: 4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears. 5. Ensure 1 or both check-boxes under \"All Resources\" is checked.  - Include global resources related to IAM resources - which needs to be enabled in 1 region only 6. Ensure the correct S3 bucket has been defined. 7. Ensure the correct SNS topic has been defined. 8. Repeat steps 2 to 7 for each region.  **From Command Line:**  1. Run this command to show all AWS Config recorders and their properties: ``` aws configservice describe-configuration-recorders ``` 2. Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`  Note: There is one more parameter \"ResourceTypes\" in recordingGroup object. We don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])  Sample Output:  ``` {  \"ConfigurationRecorders\": [  {  \"recordingGroup\": {  \"allSupported\": true,  \"resourceTypes\": [],  \"includeGlobalResourceTypes\": true  },  \"roleARN\": \"arn:aws:iam::<AWS_Account_ID>:role/service-role/<config-role-name>\",  \"name\": \"default\"  }  ] } ```  3. Run this command to show the status for all AWS Config recorders: ``` aws configservice describe-configuration-recorder-status ``` 4. In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/cli/latest/reference/configservice/describe-configuration-recorder-status.html"
         }
@@ -837,8 +838,8 @@
           "Description": "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.",
           "RationaleStatement": "By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to enable S3 bucket logging:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3).\n2. Under `All Buckets` click on the target S3 bucket\n3. Click on `Properties` in the top right of the console\n4. Under `Bucket:` <s3\\_bucket\\_for\\_cloudtrail> click on `Logging` \n5. Configure bucket logging\n - Click on the `Enabled` checkbox\n - Select Target Bucket from list\n - Enter a Target Prefix\n6. Click `Save`.\n\n**From Command Line:**\n\n1. Get the name of the S3 bucket that CloudTrail is logging to:\n```\naws cloudtrail describe-trails --region <region-name> --query trailList[*].S3BucketName\n```\n2. Copy and add target bucket name at `<Logging_BucketName>`, Prefix for logfile at `<LogFilePrefix>` and optionally add an email address in the following template and save it as `<FileName.Json>`:\n```\n{\n \"LoggingEnabled\": {\n \"TargetBucket\": \"<Logging_BucketName>\",\n \"TargetPrefix\": \"<LogFilePrefix>\",\n \"TargetGrants\": [\n {\n \"Grantee\": {\n \"Type\": \"AmazonCustomerByEmail\",\n \"EmailAddress\": \"<EmailID>\"\n },\n \"Permission\": \"FULL_CONTROL\"\n }\n ]\n } \n}\n```\n3. Run the `put-bucket-logging` command with bucket name and `<FileName.Json>` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html):\n```\naws s3api put-bucket-logging --bucket <BucketName> --bucket-logging-status file://<FileName.Json>\n```",
-          "AuditProcedure": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:\n\n**From Console:**\n\n1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home)\n2. In the API activity history pane on the left, click Trails\n3. In the Trails pane, note the bucket names in the S3 bucket column\n4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3).\n5. Under `All Buckets` click on a target S3 bucket\n6. Click on `Properties` in the top right of the console\n7. Under `Bucket:` _ `<bucket_name>` _ click on `Logging` \n8. Ensure `Enabled` is checked.\n\n**From Command Line:**\n\n1. Get the name of the S3 bucket that CloudTrail is logging to:\n``` \naws cloudtrail describe-trails --query 'trailList[*].S3BucketName' \n```\n2. Ensure Bucket Logging is enabled:\n```\naws s3api get-bucket-logging --bucket <s3_bucket_for_cloudtrail>\n```\nEnsure command does not returns empty output.\n\nSample Output for a bucket with logging enabled:\n\n```\n{\n \"LoggingEnabled\": {\n \"TargetPrefix\": \"<Prefix_Test>\",\n \"TargetBucket\": \"<Bucket_name_for_Storing_Logs>\"\n }\n}\n```",
+          "RemediationProcedure": "Perform the following to enable S3 bucket logging:  **From Console:**  1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 2. Under `All Buckets` click on the target S3 bucket 3. Click on `Properties` in the top right of the console 4. Under `Bucket:` <s3\\_bucket\\_for\\_cloudtrail> click on `Logging`  5. Configure bucket logging  - Click on the `Enabled` checkbox  - Select Target Bucket from list  - Enter a Target Prefix 6. Click `Save`.  **From Command Line:**  1. Get the name of the S3 bucket that CloudTrail is logging to: ``` aws cloudtrail describe-trails --region <region-name> --query trailList[*].S3BucketName ``` 2. Copy and add target bucket name at `<Logging_BucketName>`, Prefix for logfile at `<LogFilePrefix>` and optionally add an email address in the following template and save it as `<FileName.Json>`: ``` {  \"LoggingEnabled\": {  \"TargetBucket\": \"<Logging_BucketName>\",  \"TargetPrefix\": \"<LogFilePrefix>\",  \"TargetGrants\": [  {  \"Grantee\": {  \"Type\": \"AmazonCustomerByEmail\",  \"EmailAddress\": \"<EmailID>\"  },  \"Permission\": \"FULL_CONTROL\"  }  ]  }  } ``` 3. Run the `put-bucket-logging` command with bucket name and `<FileName.Json>` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html): ``` aws s3api put-bucket-logging --bucket <BucketName> --bucket-logging-status file://<FileName.Json> ```",
+          "AuditProcedure": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:  **From Console:**  1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the API activity history pane on the left, click Trails 3. In the Trails pane, note the bucket names in the S3 bucket column 4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3). 5. Under `All Buckets` click on a target S3 bucket 6. Click on `Properties` in the top right of the console 7. Under `Bucket:` _ `<bucket_name>` _ click on `Logging`  8. Ensure `Enabled` is checked.  **From Command Line:**  1. Get the name of the S3 bucket that CloudTrail is logging to: ```  aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'  ``` 2. Ensure Bucket Logging is enabled: ``` aws s3api get-bucket-logging --bucket <s3_bucket_for_cloudtrail> ``` Ensure command does not returns empty output.  Sample Output for a bucket with logging enabled:  ``` {  \"LoggingEnabled\": {  \"TargetPrefix\": \"<Prefix_Test>\",  \"TargetBucket\": \"<Bucket_name_for_Storing_Logs>\"  } } ```",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html"
         }
@@ -858,9 +859,9 @@
           "Description": "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.",
           "RationaleStatement": "Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.",
           "ImpactStatement": "Customer created keys incur an additional cost. See https://aws.amazon.com/kms/pricing/ for more information.",
-          "RemediationProcedure": "Perform the following to configure CloudTrail to use SSE-KMS:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. In the left navigation pane, choose `Trails` .\n3. Click on a Trail\n4. Under the `S3` section click on the edit button (pencil icon)\n5. Click `Advanced` \n6. Select an existing CMK from the `KMS key Id` drop-down menu\n - Note: Ensure the CMK is located in the same region as the S3 bucket\n - Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided [here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html) for editing the selected CMK Key policy\n7. Click `Save` \n8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files.\n9. Click `Yes` \n\n**From Command Line:**\n```\naws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key>\naws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy>\n```",
-          "AuditProcedure": "Perform the following to determine if CloudTrail is configured to use SSE-KMS:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail)\n2. In the left navigation pane, choose `Trails` .\n3. Select a Trail\n4. Under the `S3` section, ensure `Encrypt log files` is set to `Yes` and a KMS key ID is specified in the `KSM Key Id` field.\n\n**From Command Line:**\n\n1. Run the following command:\n```\n aws cloudtrail describe-trails \n```\n2. For each trail listed, SSE-KMS is enabled if the trail has a `KmsKeyId` property defined.",
-          "AdditionalInformation": "3 statements which need to be added to the CMK policy:\n\n1\\. Enable Cloudtrail to describe CMK properties\n```\n<pre class=\"programlisting\" style=\"font-style: normal;\">{\n \"Sid\": \"Allow CloudTrail access\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n },\n \"Action\": \"kms:DescribeKey\",\n \"Resource\": \"*\"\n}\n```\n2\\. Granting encrypt permissions\n```\n<pre class=\"programlisting\" style=\"font-style: normal;\">{\n \"Sid\": \"Allow CloudTrail to encrypt logs\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n },\n \"Action\": \"kms:GenerateDataKey*\",\n \"Resource\": \"*\",\n \"Condition\": {\n \"StringLike\": {\n \"kms:EncryptionContext:aws:cloudtrail:arn\": [\n \"arn:aws:cloudtrail:*:aws-account-id:trail/*\"\n ]\n }\n }\n}\n```\n3\\. Granting decrypt permissions\n```\n<pre class=\"programlisting\" style=\"font-style: normal;\">{\n \"Sid\": \"Enable CloudTrail log decrypt permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::aws-account-id:user/username\"\n },\n \"Action\": \"kms:Decrypt\",\n \"Resource\": \"*\",\n \"Condition\": {\n \"Null\": {\n \"kms:EncryptionContext:aws:cloudtrail:arn\": \"false\"\n }\n }\n}\n```",
+          "RemediationProcedure": "Perform the following to configure CloudTrail to use SSE-KMS:  **From Console:**  1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Click on a Trail 4. Under the `S3` section click on the edit button (pencil icon) 5. Click `Advanced`  6. Select an existing CMK from the `KMS key Id` drop-down menu  - Note: Ensure the CMK is located in the same region as the S3 bucket  - Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided [here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html) for editing the selected CMK Key policy 7. Click `Save`  8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files. 9. Click `Yes`   **From Command Line:** ``` aws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key> aws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy> ```",
+          "AuditProcedure": "Perform the following to determine if CloudTrail is configured to use SSE-KMS:  **From Console:**  1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail) 2. In the left navigation pane, choose `Trails` . 3. Select a Trail 4. Under the `S3` section, ensure `Encrypt log files` is set to `Yes` and a KMS key ID is specified in the `KSM Key Id` field.  **From Command Line:**  1. Run the following command: ```  aws cloudtrail describe-trails  ``` 2. For each trail listed, SSE-KMS is enabled if the trail has a `KmsKeyId` property defined.",
+          "AdditionalInformation": "3 statements which need to be added to the CMK policy:  1\\. Enable Cloudtrail to describe CMK properties ``` <pre class=\"programlisting\" style=\"font-style: normal;\">{  \"Sid\": \"Allow CloudTrail access\",  \"Effect\": \"Allow\",  \"Principal\": {  \"Service\": \"cloudtrail.amazonaws.com\"  },  \"Action\": \"kms:DescribeKey\",  \"Resource\": \"*\" } ``` 2\\. Granting encrypt permissions ``` <pre class=\"programlisting\" style=\"font-style: normal;\">{  \"Sid\": \"Allow CloudTrail to encrypt logs\",  \"Effect\": \"Allow\",  \"Principal\": {  \"Service\": \"cloudtrail.amazonaws.com\"  },  \"Action\": \"kms:GenerateDataKey*\",  \"Resource\": \"*\",  \"Condition\": {  \"StringLike\": {  \"kms:EncryptionContext:aws:cloudtrail:arn\": [  \"arn:aws:cloudtrail:*:aws-account-id:trail/*\"  ]  }  } } ``` 3\\. Granting decrypt permissions ``` <pre class=\"programlisting\" style=\"font-style: normal;\">{  \"Sid\": \"Enable CloudTrail log decrypt permissions\",  \"Effect\": \"Allow\",  \"Principal\": {  \"AWS\": \"arn:aws:iam::aws-account-id:user/username\"  },  \"Action\": \"kms:Decrypt\",  \"Resource\": \"*\",  \"Condition\": {  \"Null\": {  \"kms:EncryptionContext:aws:cloudtrail:arn\": \"false\"  }  } } ```",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html:https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html"
         }
       ]
@@ -877,10 +878,10 @@
           "Profile": "Level 2",
           "AssessmentStatus": "Automated",
           "Description": "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK.",
-          "RationaleStatement": "Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\nKeys should be rotated every year, or upon event that would result in the compromise of that key.",
+          "RationaleStatement": "Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed. Keys should be rotated every year, or upon event that would result in the compromise of that key.",
           "ImpactStatement": "Creation, management, and storage of CMKs may require additional time from and administrator.",
-          "RemediationProcedure": "**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam).\n2. In the left navigation pane, choose `Customer managed keys` .\n3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT`\n4. Underneath the \"General configuration\" panel open the tab \"Key rotation\"\n5. Check the \"Automatically rotate this KMS key every year.\" checkbox\n\n**From Command Line:**\n\n1. Run the following command to enable key rotation:\n```\n aws kms enable-key-rotation --key-id <kms_key_id>\n```",
-          "AuditProcedure": "**From Console:**\n\n1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam).\n2. In the left navigation pane, choose `Customer managed keys`\n3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT`\n4. Underneath the `General configuration` panel open the tab `Key rotation`\n5. Ensure that the checkbox `Automatically rotate this KMS key every year.` is activated\n6. Repeat steps 3 - 5 for all customer managed CMKs where \"Key spec = SYMMETRIC_DEFAULT\"\n\n**From Command Line:**\n\n1. Run the following command to get a list of all keys and their associated `KeyIds` \n```\n aws kms list-keys\n```\n2. For each key, note the KeyId and run the following command\n```\ndescribe-key --key-id <kms_key_id>\n```\n3. If the response contains \"KeySpec = SYMMETRIC_DEFAULT\" run the following command\n```\n aws kms get-key-rotation-status --key-id <kms_key_id>\n```\n4. Ensure `KeyRotationEnabled` is set to `true`\n5. Repeat steps 2 - 4 for all remaining CMKs",
+          "RemediationProcedure": "**From Console:**  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` . 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the \"General configuration\" panel open the tab \"Key rotation\" 5. Check the \"Automatically rotate this KMS key every year.\" checkbox  **From Command Line:**  1. Run the following command to enable key rotation: ```  aws kms enable-key-rotation --key-id <kms_key_id> ```",
+          "AuditProcedure": "**From Console:**  1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam). 2. In the left navigation pane, choose `Customer managed keys` 3. Select a customer managed CMK where `Key spec = SYMMETRIC_DEFAULT` 4. Underneath the `General configuration` panel open the tab `Key rotation` 5. Ensure that the checkbox `Automatically rotate this KMS key every year.` is activated 6. Repeat steps 3 - 5 for all customer managed CMKs where \"Key spec = SYMMETRIC_DEFAULT\"  **From Command Line:**  1. Run the following command to get a list of all keys and their associated `KeyIds`  ```  aws kms list-keys ``` 2. For each key, note the KeyId and run the following command ``` describe-key --key-id <kms_key_id> ``` 3. If the response contains \"KeySpec = SYMMETRIC_DEFAULT\" run the following command ```  aws kms get-key-rotation-status --key-id <kms_key_id> ``` 4. Ensure `KeyRotationEnabled` is set to `true` 5. Repeat steps 2 - 4 for all remaining CMKs",
           "AdditionalInformation": "",
           "References": "https://aws.amazon.com/kms/pricing/:https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final"
         }
@@ -899,9 +900,9 @@
           "AssessmentStatus": "Automated",
           "Description": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.",
           "RationaleStatement": "VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.",
-          "ImpactStatement": "By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:\n\n1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html",
-          "RemediationProcedure": "Perform the following to determine if VPC Flow logs is enabled:\n\n**From Console:**\n\n1. Sign into the management console\n2. Select `Services` then `VPC` \n3. In the left navigation pane, select `Your VPCs` \n4. Select a VPC\n5. In the right pane, select the `Flow Logs` tab.\n6. If no Flow Log exists, click `Create Flow Log` \n7. For Filter, select `Reject`\n8. Enter in a `Role` and `Destination Log Group` \n9. Click `Create Log Flow` \n10. Click on `CloudWatch Logs Group` \n\n**Note:** Setting the filter to \"Reject\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to \"All\" can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.\n\n**From Command Line:**\n\n1. Create a policy document and name it as `role_policy_document.json` and paste the following content:\n```\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"test\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n}\n```\n2. Create another policy document and name it as `iam_policy.json` and paste the following content:\n```\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\":[\n \"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:DescribeLogGroups\",\n \"logs:DescribeLogStreams\",\n \"logs:PutLogEvents\",\n \"logs:GetLogEvents\",\n \"logs:FilterLogEvents\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}\n```\n3. Run the below command to create an IAM role:\n```\naws iam create-role --role-name <aws_support_iam_role> --assume-role-policy-document file://<file-path>role_policy_document.json \n```\n4. Run the below command to create an IAM policy:\n```\naws iam create-policy --policy-name <ami-policy-name> --policy-document file://<file-path>iam-policy.json\n```\n5. Run `attach-group-policy` command using the IAM policy ARN returned at the previous step to attach the policy to the IAM role (if the command succeeds, no output is returned):\n```\naws iam attach-group-policy --policy-arn arn:aws:iam::<aws-account-id>:policy/<iam-policy-name> --group-name <group-name>\n```\n6. Run `describe-vpcs` to get the VpcId available in the selected region:\n```\naws ec2 describe-vpcs --region <region>\n```\n7. The command output should return the VPC Id available in the selected region.\n8. Run `create-flow-logs` to create a flow log for the vpc:\n```\naws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc-id> --traffic-type REJECT --log-group-name <log-group-name> --deliver-logs-permission-arn <iam-role-arn>\n```\n9. Repeat step 8 for other vpcs available in the selected region.\n10. Change the region by updating --region and repeat remediation procedure for other vpcs.",
-          "AuditProcedure": "Perform the following to determine if VPC Flow logs are enabled:\n\n**From Console:**\n\n1. Sign into the management console\n2. Select `Services` then `VPC` \n3. In the left navigation pane, select `Your VPCs` \n4. Select a VPC\n5. In the right pane, select the `Flow Logs` tab.\n6. Ensure a Log Flow exists that has `Active` in the `Status` column.\n\n**From Command Line:**\n\n1. Run `describe-vpcs` command (OSX/Linux/UNIX) to list the VPC networks available in the current AWS region:\n```\naws ec2 describe-vpcs --region <region> --query Vpcs[].VpcId\n```\n2. The command output returns the `VpcId` available in the selected region.\n3. Run `describe-flow-logs` command (OSX/Linux/UNIX) using the VPC ID to determine if the selected virtual network has the Flow Logs feature enabled:\n```\naws ec2 describe-flow-logs --filter \"Name=resource-id,Values=<vpc-id>\"\n```\n4. If there are no Flow Logs created for the selected VPC, the command output will return an `empty list []`.\n5. Repeat step 3 for other VPCs available in the same region.\n6. Change the region by updating `--region` and repeat steps 1 - 5 for all the VPCs.",
+          "ImpactStatement": "By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:  1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html",
+          "RemediationProcedure": "Perform the following to determine if VPC Flow logs is enabled:  **From Console:**  1. Sign into the management console 2. Select `Services` then `VPC`  3. In the left navigation pane, select `Your VPCs`  4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. If no Flow Log exists, click `Create Flow Log`  7. For Filter, select `Reject` 8. Enter in a `Role` and `Destination Log Group`  9. Click `Create Log Flow`  10. Click on `CloudWatch Logs Group`   **Note:** Setting the filter to \"Reject\" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to \"All\" can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.  **From Command Line:**  1. Create a policy document and name it as `role_policy_document.json` and paste the following content: ``` {  \"Version\": \"2012-10-17\",  \"Statement\": [  {  \"Sid\": \"test\",  \"Effect\": \"Allow\",  \"Principal\": {  \"Service\": \"ec2.amazonaws.com\"  },  \"Action\": \"sts:AssumeRole\"  }  ] } ``` 2. Create another policy document and name it as `iam_policy.json` and paste the following content: ``` {  \"Version\": \"2012-10-17\",  \"Statement\": [  {  \"Effect\": \"Allow\",  \"Action\":[  \"logs:CreateLogGroup\",  \"logs:CreateLogStream\",  \"logs:DescribeLogGroups\",  \"logs:DescribeLogStreams\",  \"logs:PutLogEvents\",  \"logs:GetLogEvents\",  \"logs:FilterLogEvents\"  ],  \"Resource\": \"*\"  }  ] } ``` 3. Run the below command to create an IAM role: ``` aws iam create-role --role-name <aws_support_iam_role> --assume-role-policy-document file://<file-path>role_policy_document.json  ``` 4. Run the below command to create an IAM policy: ``` aws iam create-policy --policy-name <ami-policy-name> --policy-document file://<file-path>iam-policy.json ``` 5. Run `attach-group-policy` command using the IAM policy ARN returned at the previous step to attach the policy to the IAM role (if the command succeeds, no output is returned): ``` aws iam attach-group-policy --policy-arn arn:aws:iam::<aws-account-id>:policy/<iam-policy-name> --group-name <group-name> ``` 6. Run `describe-vpcs` to get the VpcId available in the selected region: ``` aws ec2 describe-vpcs --region <region> ``` 7. The command output should return the VPC Id available in the selected region. 8. Run `create-flow-logs` to create a flow log for the vpc: ``` aws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc-id> --traffic-type REJECT --log-group-name <log-group-name> --deliver-logs-permission-arn <iam-role-arn> ``` 9. Repeat step 8 for other vpcs available in the selected region. 10. Change the region by updating --region and repeat remediation procedure for other vpcs.",
+          "AuditProcedure": "Perform the following to determine if VPC Flow logs are enabled:  **From Console:**  1. Sign into the management console 2. Select `Services` then `VPC`  3. In the left navigation pane, select `Your VPCs`  4. Select a VPC 5. In the right pane, select the `Flow Logs` tab. 6. Ensure a Log Flow exists that has `Active` in the `Status` column.  **From Command Line:**  1. Run `describe-vpcs` command (OSX/Linux/UNIX) to list the VPC networks available in the current AWS region: ``` aws ec2 describe-vpcs --region <region> --query Vpcs[].VpcId ``` 2. The command output returns the `VpcId` available in the selected region. 3. Run `describe-flow-logs` command (OSX/Linux/UNIX) using the VPC ID to determine if the selected virtual network has the Flow Logs feature enabled: ``` aws ec2 describe-flow-logs --filter \"Name=resource-id,Values=<vpc-id>\" ``` 4. If there are no Flow Logs created for the selected VPC, the command output will return an `empty list []`. 5. Repeat step 3 for other VPCs available in the same region. 6. Change the region by updating `--region` and repeat steps 1 - 5 for all the VPCs.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html"
         }
@@ -920,10 +921,10 @@
           "AssessmentStatus": "Automated",
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.",
           "RationaleStatement": "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.",
-          "ImpactStatement": "This alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions.\n\nIf an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts.\n\nIn some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name \"cloudtrail_log_group_name\" --filter-name \"<unauthorized_api_calls_metric>\" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 --filter-pattern \"{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") || ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") || ($.eventName!=\"HeadBucket\") }\"\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n**Note**: Capture the TopicArn displayed when creating the SNS Topic in Step 2.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn from step 2> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name \"unauthorized_api_calls_alarm\" --metric-name \"unauthorized_api_calls_metric\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with \"Name\":` note `<cloudtrail__name>`\n\n- From value associated with \"CloudWatchLogsLogGroupArn\" note <cloudtrail_log_group_name>\n\nExample: for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <\"Name\" as shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>` that you captured in step 1:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) || ($.sourceIPAddress!=delivery.logs.amazonaws.com) || ($.eventName!=HeadBucket) }\",\n```\n\n4. Note the \"filterName\" `<unauthorized_api_calls_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<unauthorized_api_calls_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName == `unauthorized_api_calls_metric`]\"\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "ImpactStatement": "This alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions.  If an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts.  In some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for unauthorized API calls and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name \"cloudtrail_log_group_name\" --filter-name \"<unauthorized_api_calls_metric>\" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 --filter-pattern \"{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") || ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") || ($.eventName!=\"HeadBucket\") }\" ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms. **Note**: Capture the TopicArn displayed when creating the SNS Topic in Step 2.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn from step 2> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"unauthorized_api_calls_alarm\" --metric-name \"unauthorized_api_calls_metric\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with \"Name\":` note `<cloudtrail__name>`  - From value associated with \"CloudWatchLogsLogGroupArn\" note <cloudtrail_log_group_name>  Example: for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <\"Name\" as shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>` that you captured in step 1:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) || ($.sourceIPAddress!=delivery.logs.amazonaws.com) || ($.eventName!=HeadBucket) }\", ```  4. Note the \"filterName\" `<unauthorized_api_calls_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<unauthorized_api_calls_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName == `unauthorized_api_calls_metric`]\" ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://aws.amazon.com/sns/:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -942,9 +943,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.",
           "RationaleStatement": "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for security groups changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name \"<cloudtrail_log_group_name>\" --filter-name \"<security_group_changes_metric>\" --metric-transformations metricName= \"<security_group_changes_metric>\" ,metricNamespace=\"CISBenchmark\",metricValue=1 --filter-pattern \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\"\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name \"<sns_topic_name>\"\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn \"<sns_topic_arn>\" --protocol <protocol_for_sns> --notification-endpoint \"<sns_subscription_endpoints>\"\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name \"<security_group_changes_alarm>\" --metric-name \"<security_group_changes_metric>\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions \"<sns_topic_arn>\"\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\"\n```\n4. Note the `<security_group_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<security_group_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName== '<security_group_changes_metric>']\"\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for security groups changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name \"<cloudtrail_log_group_name>\" --filter-name \"<security_group_changes_metric>\" --metric-transformations metricName= \"<security_group_changes_metric>\" ,metricNamespace=\"CISBenchmark\",metricValue=1 --filter-pattern \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name \"<sns_topic_name>\" ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn \"<sns_topic_arn>\" --protocol <protocol_for_sns> --notification-endpoint \"<sns_subscription_endpoints>\" ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name \"<security_group_changes_alarm>\" --metric-name \"<security_group_changes_metric>\" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace \"CISBenchmark\" --alarm-actions \"<sns_topic_arn>\" ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }\" ``` 4. Note the `<security_group_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<security_group_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query \"MetricAlarms[?MetricName== '<security_group_changes_metric>']\" ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -963,9 +964,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.",
           "RationaleStatement": "Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for NACL changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<nacl_changes_metric>` --metric-transformations metricName= `<nacl_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<nacl_changes_alarm>` --metric-name `<nacl_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }\"\n```\n4. Note the `<nacl_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<nacl_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<nacl_changes_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for NACL changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<nacl_changes_metric>` --metric-transformations metricName= `<nacl_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<nacl_changes_alarm>` --metric-name `<nacl_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }\" ``` 4. Note the `<nacl_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<nacl_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<nacl_changes_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -984,9 +985,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.",
           "RationaleStatement": "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<network_gw_changes_metric>` --metric-transformations metricName= `<network_gw_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<network_gw_changes_alarm>` --metric-name `<network_gw_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }\"\n```\n4. Note the `<network_gw_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<network_gw_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<network_gw_changes_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for network gateways changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<network_gw_changes_metric>` --metric-transformations metricName= `<network_gw_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<network_gw_changes_alarm>` --metric-name `<network_gw_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }\" ``` 4. Note the `<network_gw_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<network_gw_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<network_gw_changes_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1005,9 +1006,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.",
           "RationaleStatement": "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for route table changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<route_table_changes_metric>` --metric-transformations metricName= `<route_table_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<route_table_changes_alarm>` --metric-name `<route_table_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }\"\n```\n\n4. Note the `<route_table_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<route_table_changes_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<route_table_changes_metric>`]'\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for route table changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<route_table_changes_metric>` --metric-transformations metricName= `<route_table_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<route_table_changes_alarm>` --metric-name `<route_table_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }\" ```  4. Note the `<route_table_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<route_table_changes_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<route_table_changes_metric>`]' ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1026,9 +1027,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.",
           "RationaleStatement": "Monitoring changes to VPC will help ensure VPC traffic flow is not getting impacted.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for VPC changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<vpc_changes_metric>` --metric-transformations metricName= `<vpc_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<vpc_changes_alarm>` --metric-name `<vpc_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }\"\n```\n\n4. Note the `<vpc_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<vpc_changes_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<vpc_changes_metric>`]'\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for VPC changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<vpc_changes_metric>` --metric-transformations metricName= `<vpc_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<vpc_changes_alarm>` --metric-name `<vpc_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }\" ```  4. Note the `<vpc_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<vpc_changes_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<vpc_changes_metric>`]' ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1047,8 +1048,8 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account.",
           "RationaleStatement": "Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for AWS Organizations changes and the `<cloudtrail_log_group_name>` taken from audit step 1:\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<organizations_changes>` --metric-transformations metricName= `<organizations_changes>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }'\n```\n**Note:** You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify:\n```\naws sns create-topic --name <sns_topic_name>\n```\n**Note:** you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2:\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n**Note:** you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2:\n```\naws cloudwatch put-metric-alarm --alarm-name `<organizations_changes>` --metric-name `<organizations_changes>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "1. Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n- Identify the log group name configured for use with active multi-region CloudTrail:\n- List all CloudTrails: \n```\naws cloudtrail describe-trails\n```\n- Identify Multi region Cloudtrails, Trails with `\"IsMultiRegionTrail\"` set to true\n- From value associated with CloudWatchLogsLogGroupArn note <cloudtrail_log_group_name>\n **Example:** for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup\n\n- Ensure Identified Multi region CloudTrail is active:\n```\naws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>\n```\nEnsure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events:\n```\naws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>\n```\n- Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to true and `ReadWriteType` set to `All`.\n\n2. Get a list of all associated metric filters for this <cloudtrail_log_group_name>:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }\"\n```\n4. Note the `<organizations_changes>` value associated with the filterPattern found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<organizations_changes>` captured in step 4:\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<organizations_changes>`]'\n```\n6. Note the AlarmActions value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic:\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\nExample of valid \"SubscriptionArn\": \n```\n\"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for AWS Organizations changes and the `<cloudtrail_log_group_name>` taken from audit step 1: ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<organizations_changes>` --metric-transformations metricName= `<organizations_changes>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }' ``` **Note:** You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify: ``` aws sns create-topic --name <sns_topic_name> ``` **Note:** you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2: ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ``` **Note:** you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2: ``` aws cloudwatch put-metric-alarm --alarm-name `<organizations_changes>` --metric-name `<organizations_changes>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "1. Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured: - Identify the log group name configured for use with active multi-region CloudTrail: - List all CloudTrails:  ``` aws cloudtrail describe-trails ``` - Identify Multi region Cloudtrails, Trails with `\"IsMultiRegionTrail\"` set to true - From value associated with CloudWatchLogsLogGroupArn note <cloudtrail_log_group_name>  **Example:** for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup  - Ensure Identified Multi region CloudTrail is active: ``` aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail> ``` Ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events: ``` aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails> ``` - Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to true and `ReadWriteType` set to `All`.  2. Get a list of all associated metric filters for this <cloudtrail_log_group_name>: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }\" ``` 4. Note the `<organizations_changes>` value associated with the filterPattern found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<organizations_changes>` captured in step 4: ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<organizations_changes>`]' ``` 6. Note the AlarmActions value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic: ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. Example of valid \"SubscriptionArn\":  ``` \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html"
         }
@@ -1068,8 +1069,8 @@
           "Description": "Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products.",
           "RationaleStatement": "AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices - enabling you to quickly assess the security posture across your AWS accounts.",
           "ImpactStatement": "It is recommended AWS Security Hub be enabled in all regions. AWS Security Hub requires AWS Config to be enabled.",
-          "RemediationProcedure": "To grant the permissions required to enable Security Hub, attach the Security Hub managed policy AWSSecurityHubFullAccess to an IAM user, group, or role.\n\nEnabling Security Hub\n\n**From Console:**\n\n1. Use the credentials of the IAM identity to sign in to the Security Hub console.\n2. When you open the Security Hub console for the first time, choose Enable AWS Security Hub.\n3. On the welcome page, Security standards list the security standards that Security Hub supports.\n4. Choose Enable Security Hub.\n\n**From Command Line:**\n\n1. Run the enable-security-hub command. To enable the default standards, include `--enable-default-standards`.\n```\naws securityhub enable-security-hub --enable-default-standards\n```\n\n2. To enable the security hub without the default standards, include `--no-enable-default-standards`.\n```\naws securityhub enable-security-hub --no-enable-default-standards\n```",
-          "AuditProcedure": "The process to evaluate AWS Security Hub configuration per region \n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.\n2. On the top right of the console, select the target Region.\n3. If presented with the Security Hub > Summary page then Security Hub is set-up for the selected region.\n4. If presented with Setup Security Hub or Get Started With Security Hub - follow the online instructions.\n5. Repeat steps 2 to 4 for each region.",
+          "RemediationProcedure": "To grant the permissions required to enable Security Hub, attach the Security Hub managed policy AWSSecurityHubFullAccess to an IAM user, group, or role.  Enabling Security Hub  **From Console:**  1. Use the credentials of the IAM identity to sign in to the Security Hub console. 2. When you open the Security Hub console for the first time, choose Enable AWS Security Hub. 3. On the welcome page, Security standards list the security standards that Security Hub supports. 4. Choose Enable Security Hub.  **From Command Line:**  1. Run the enable-security-hub command. To enable the default standards, include `--enable-default-standards`. ``` aws securityhub enable-security-hub --enable-default-standards ```  2. To enable the security hub without the default standards, include `--no-enable-default-standards`. ``` aws securityhub enable-security-hub --no-enable-default-standards ```",
+          "AuditProcedure": "The process to evaluate AWS Security Hub configuration per region   **From Console:**  1. Sign in to the AWS Management Console and open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/. 2. On the top right of the console, select the target Region. 3. If presented with the Security Hub > Summary page then Security Hub is set-up for the selected region. 4. If presented with Setup Security Hub or Get Started With Security Hub - follow the online instructions. 5. Repeat steps 2 to 4 for each region.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-get-started.html:https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-enable.html#securityhub-enable-api:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/securityhub/enable-security-hub.html"
         }
@@ -1089,9 +1090,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).",
           "RationaleStatement": "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the `<cloudtrail_log_group_name>` taken from audit step 1.\n\nUse Command: \n\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }'\n```\n\nOr (To reduce false positives incase Single Sign-On (SSO) is used in organization):\n\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<no_mfa_console_signin_alarm>` --metric-name `<no_mfa_console_signin_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all `CloudTrails`:\n\n```\naws cloudtrail describe-trails\n```\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region `CloudTrail` is active\n\n```\naws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>\n```\n\nEnsure in the output that `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region 'Cloudtrail' captures all Management Events\n\n```\naws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>\n```\n\nEnsure in the output there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }\"\n```\n\nOr (To reduce false positives incase Single Sign-On (SSO) is used in organization):\n\n```\n\"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }\"\n```\n\n4. Note the `<no_mfa_console_signin_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<no_mfa_console_signin_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<no_mfa_console_signin_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored\n-Filter pattern set to `{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\"}` reduces false alarms raised when user logs in via SSO account.",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA and the `<cloudtrail_log_group_name>` taken from audit step 1.  Use Command:   ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }' ```  Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):  ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<no_mfa_console_signin_alarm>` --metric-name `<no_mfa_console_signin_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all `CloudTrails`:  ``` aws cloudtrail describe-trails ```  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region `CloudTrail` is active  ``` aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail> ```  Ensure in the output that `IsLogging` is set to `TRUE`  - Ensure identified Multi-region 'Cloudtrail' captures all Management Events  ``` aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails> ```  Ensure in the output there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }\" ```  Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):  ``` \"filterPattern\": \"{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }\" ```  4. Note the `<no_mfa_console_signin_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<no_mfa_console_signin_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<no_mfa_console_signin_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored -Filter pattern set to `{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\"}` reduces false alarms raised when user logs in via SSO account.",
           "References": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/viewing_metrics_with_cloudwatch.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1110,9 +1111,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for 'root' login attempts.",
           "RationaleStatement": "Monitoring for 'root' account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for 'Root' account usage and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<root_usage_metric>` --metric-transformations metricName= `<root_usage_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<root_usage_alarm>` --metric-name `<root_usage_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails:\n\n`aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }\"\n```\n\n4. Note the `<root_usage_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<root_usage_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<root_usage_metric>`]'\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "**Configuring log metric filter and alarm on Multi-region (global) CloudTrail**\n\n- ensures that activities from all regions (used as well as unused) are monitored\n\n- ensures that activities on all supported global services are monitored\n\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for 'Root' account usage and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<root_usage_metric>` --metric-transformations metricName= `<root_usage_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<root_usage_alarm>` --metric-name `<root_usage_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails:  `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }\" ```  4. Note the `<root_usage_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<root_usage_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<root_usage_metric>`]' ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "**Configuring log metric filter and alarm on Multi-region (global) CloudTrail**  - ensures that activities from all regions (used as well as unused) are monitored  - ensures that activities on all supported global services are monitored  - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1131,9 +1132,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.",
           "RationaleStatement": "Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<iam_changes_metric>` --metric-transformations metricName= `<iam_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name `<iam_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails:\n\n`aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}\"\n```\n\n4. Note the `<iam_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<iam_changes_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<iam_changes_metric>`]'\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for IAM policy changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name `<cloudtrail_log_group_name>` --filter-name `<iam_changes_metric>` --metric-transformations metricName= `<iam_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<iam_changes_alarm>` --metric-name `<iam_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails:  `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}\" ```  4. Note the `<iam_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<iam_changes_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<iam_changes_metric>`]' ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1152,9 +1153,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.",
           "RationaleStatement": "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<cloudtrail_cfg_changes_metric>` --metric-transformations metricName= `<cloudtrail_cfg_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<cloudtrail_cfg_changes_alarm>` --metric-name `<cloudtrail_cfg_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n\n3. Ensure the output from the above command contains the following:\n\n```\n\"filterPattern\": \"{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }\"\n```\n\n4. Note the `<cloudtrail_cfg_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<cloudtrail_cfg_changes_metric>` captured in step 4.\n\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<cloudtrail_cfg_changes_metric>`]'\n```\n\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<cloudtrail_cfg_changes_metric>` --metric-transformations metricName= `<cloudtrail_cfg_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<cloudtrail_cfg_changes_alarm>` --metric-name `<cloudtrail_cfg_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:  ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ```  3. Ensure the output from the above command contains the following:  ``` \"filterPattern\": \"{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }\" ```  4. Note the `<cloudtrail_cfg_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<cloudtrail_cfg_changes_metric>` captured in step 4.  ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<cloudtrail_cfg_changes_metric>`]' ```  6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic  ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN.  ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1173,9 +1174,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.",
           "RationaleStatement": "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<console_signin_failure_metric>` --metric-transformations metricName= `<console_signin_failure_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }'\n```\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<console_signin_failure_alarm>` --metric-name `<console_signin_failure_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }\"\n```\n\n4. Note the `<console_signin_failure_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<console_signin_failure_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<console_signin_failure_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for AWS management Console Login Failures and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<console_signin_failure_metric>` --metric-transformations metricName= `<console_signin_failure_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<console_signin_failure_alarm>` --metric-name `<console_signin_failure_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }\" ```  4. Note the `<console_signin_failure_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<console_signin_failure_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<console_signin_failure_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1194,9 +1195,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.",
           "RationaleStatement": "Data encrypted with disabled or deleted keys will no longer be accessible.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<disable_or_delete_cmk_changes_metric>` --metric-transformations metricName= `<disable_or_delete_cmk_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }'\n```\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<disable_or_delete_cmk_changes_alarm>` --metric-name `<disable_or_delete_cmk_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }\"\n```\n4. Note the `<disable_or_delete_cmk_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<disable_or_delete_cmk_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<disable_or_delete_cmk_changes_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for disabled or scheduled for deletion CMK's and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<disable_or_delete_cmk_changes_metric>` --metric-transformations metricName= `<disable_or_delete_cmk_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }' ``` **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ``` **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ``` **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<disable_or_delete_cmk_changes_alarm>` --metric-name `<disable_or_delete_cmk_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }\" ``` 4. Note the `<disable_or_delete_cmk_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<disable_or_delete_cmk_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<disable_or_delete_cmk_changes_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1215,9 +1216,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.",
           "RationaleStatement": "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<s3_bucket_policy_changes_metric>` --metric-transformations metricName= `<s3_bucket_policy_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to the topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<s3_bucket_policy_changes_alarm>` --metric-name `<s3_bucket_policy_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }\"\n```\n4. Note the `<s3_bucket_policy_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<s3_bucket_policy_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<s3_bucket_policy_changes_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for S3 bucket policy changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<s3_bucket_policy_changes_metric>` --metric-transformations metricName= `<s3_bucket_policy_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to the topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<s3_bucket_policy_changes_alarm>` --metric-name `<s3_bucket_policy_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }\" ``` 4. Note the `<s3_bucket_policy_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<s3_bucket_policy_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<s3_bucket_policy_changes_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1236,9 +1237,9 @@
           "Description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.",
           "RationaleStatement": "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:\n\n1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the `<cloudtrail_log_group_name>` taken from audit step 1.\n```\naws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<aws_config_changes_metric>` --metric-transformations metricName= `<aws_config_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }'\n```\n\n**Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.\n\n2. Create an SNS topic that the alarm will notify\n```\naws sns create-topic --name <sns_topic_name>\n```\n\n**Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.\n\n3. Create an SNS subscription to topic created in step 2\n```\naws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>\n```\n\n**Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.\n\n4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2\n```\naws cloudwatch put-metric-alarm --alarm-name `<aws_config_changes_alarm>` --metric-name `<aws_config_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>\n```",
-          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:\n\n1. Identify the log group name configured for use with active multi-region CloudTrail:\n\n- List all CloudTrails: `aws cloudtrail describe-trails`\n\n- Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`\n\n- From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`\n\nExample: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`\n\n- Ensure Identified Multi region CloudTrail is active\n\n`aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`\n\nensure `IsLogging` is set to `TRUE`\n\n- Ensure identified Multi-region Cloudtrail captures all Management Events\n\n`aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`\n\nEnsure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`\n\n2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`:\n```\naws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\"\n```\n3. Ensure the output from the above command contains the following:\n```\n\"filterPattern\": \"{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }\"\n```\n4. Note the `<aws_config_changes_metric>` value associated with the `filterPattern` found in step 3.\n\n5. Get a list of CloudWatch alarms and filter on the `<aws_config_changes_metric>` captured in step 4.\n```\naws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<aws_config_changes_metric>`]'\n```\n6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.\n\n7. Ensure there is at least one active subscriber to the SNS topic\n```\naws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn> \n```\nat least one subscription should have \"SubscriptionArn\" with valid aws ARN.\n```\nExample of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\"\n```",
-          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail\n- ensures that activities from all regions (used as well as unused) are monitored\n- ensures that activities on all supported global services are monitored\n- ensures that all management events across all regions are monitored",
+          "RemediationProcedure": "Perform the following to setup the metric filter, alarm, SNS topic, and subscription:  1. Create a metric filter based on filter pattern provided which checks for AWS Configuration changes and the `<cloudtrail_log_group_name>` taken from audit step 1. ``` aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<aws_config_changes_metric>` --metric-transformations metricName= `<aws_config_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }' ```  **Note**: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.  2. Create an SNS topic that the alarm will notify ``` aws sns create-topic --name <sns_topic_name> ```  **Note**: you can execute this command once and then re-use the same topic for all monitoring alarms.  3. Create an SNS subscription to topic created in step 2 ``` aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints> ```  **Note**: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.  4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 ``` aws cloudwatch put-metric-alarm --alarm-name `<aws_config_changes_alarm>` --metric-name `<aws_config_changes_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn> ```",
+          "AuditProcedure": "Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:  1. Identify the log group name configured for use with active multi-region CloudTrail:  - List all CloudTrails: `aws cloudtrail describe-trails`  - Identify Multi region Cloudtrails: `Trails with \"IsMultiRegionTrail\" set to true`  - From value associated with CloudWatchLogsLogGroupArn note `<cloudtrail_log_group_name>`  Example: for CloudWatchLogsLogGroupArn that looks like `arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*`, `<cloudtrail_log_group_name>` would be `NewGroup`  - Ensure Identified Multi region CloudTrail is active  `aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>`  ensure `IsLogging` is set to `TRUE`  - Ensure identified Multi-region Cloudtrail captures all Management Events  `aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>`  Ensure there is at least one Event Selector for a Trail with `IncludeManagementEvents` set to `true` and `ReadWriteType` set to `All`  2. Get a list of all associated metric filters for this `<cloudtrail_log_group_name>`: ``` aws logs describe-metric-filters --log-group-name \"<cloudtrail_log_group_name>\" ``` 3. Ensure the output from the above command contains the following: ``` \"filterPattern\": \"{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }\" ``` 4. Note the `<aws_config_changes_metric>` value associated with the `filterPattern` found in step 3.  5. Get a list of CloudWatch alarms and filter on the `<aws_config_changes_metric>` captured in step 4. ``` aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<aws_config_changes_metric>`]' ``` 6. Note the `AlarmActions` value - this will provide the SNS topic ARN value.  7. Ensure there is at least one active subscriber to the SNS topic ``` aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>  ``` at least one subscription should have \"SubscriptionArn\" with valid aws ARN. ``` Example of valid \"SubscriptionArn\": \"arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>\" ```",
+          "AdditionalInformation": "Configuring log metric filter and alarm on Multi-region (global) CloudTrail - ensures that activities from all regions (used as well as unused) are monitored - ensures that activities on all supported global services are monitored - ensures that all management events across all regions are monitored",
           "References": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html:https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html:https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html"
         }
       ]
@@ -1259,8 +1260,8 @@
           "Description": "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.",
           "RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.",
           "ImpactStatement": "",
-          "RemediationProcedure": "**From Console:**\n\nPerform the following:\n1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home\n2. In the left pane, click `Network ACLs`\n3. For each network ACL to remediate, perform the following:\n - Select the network ACL\n - Click the `Inbound Rules` tab\n - Click `Edit inbound rules`\n - Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule\n - Click `Save`",
-          "AuditProcedure": "**From Console:**\n\nPerform the following to determine if the account is configured as prescribed:\n1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home\n2. In the left pane, click `Network ACLs`\n3. For each network ACL, perform the following:\n - Select the network ACL\n - Click the `Inbound Rules` tab\n - Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` and shows `ALLOW`\n\n**Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports",
+          "RemediationProcedure": "**From Console:**  Perform the following: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. For each network ACL to remediate, perform the following:  - Select the network ACL  - Click the `Inbound Rules` tab  - Click `Edit inbound rules`  - Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule  - Click `Save`",
+          "AuditProcedure": "**From Console:**  Perform the following to determine if the account is configured as prescribed: 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 2. In the left pane, click `Network ACLs` 3. For each network ACL, perform the following:  - Select the network ACL  - Click the `Inbound Rules` tab  - Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` and shows `ALLOW`  **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html:https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison"
         }
@@ -1282,8 +1283,8 @@
           "Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.",
           "RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.",
           "ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the 0.0.0.0/0 inbound rule.",
-          "RemediationProcedure": "Perform the following to implement the prescribed state:\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. In the left pane, click `Security Groups` \n3. For each security group, perform the following:\n1. Select the security group\n2. Click the `Inbound Rules` tab\n3. Click the `Edit inbound rules` button\n4. Identify the rules to be edited or removed\n5. Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule\n6. Click `Save rules`",
-          "AuditProcedure": "Perform the following to determine if the account is configured as prescribed:\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. In the left pane, click `Security Groups` \n3. For each security group, perform the following:\n1. Select the security group\n2. Click the `Inbound Rules` tab\n3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0` \n\n**Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.",
+          "RemediationProcedure": "Perform the following to implement the prescribed state:  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`  3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule 6. Click `Save rules`",
+          "AuditProcedure": "Perform the following to determine if the account is configured as prescribed:  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`  3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `0.0.0.0/0`   **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule"
         }
@@ -1305,8 +1306,8 @@
           "Description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`.",
           "RationaleStatement": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.",
           "ImpactStatement": "When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the ::/0 inbound rule.",
-          "RemediationProcedure": "Perform the following to implement the prescribed state:\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. In the left pane, click `Security Groups` \n3. For each security group, perform the following:\n1. Select the security group\n2. Click the `Inbound Rules` tab\n3. Click the `Edit inbound rules` button\n4. Identify the rules to be edited or removed\n5. Either A) update the Source field to a range other than ::/0, or, B) Click `Delete` to remove the offending inbound rule\n6. Click `Save rules`",
-          "AuditProcedure": "Perform the following to determine if the account is configured as prescribed:\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. In the left pane, click `Security Groups` \n3. For each security group, perform the following:\n1. Select the security group\n2. Click the `Inbound Rules` tab\n3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `::/0` \n\n**Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.",
+          "RemediationProcedure": "Perform the following to implement the prescribed state:  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`  3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Click the `Edit inbound rules` button 4. Identify the rules to be edited or removed 5. Either A) update the Source field to a range other than ::/0, or, B) Click `Delete` to remove the offending inbound rule 6. Click `Save rules`",
+          "AuditProcedure": "Perform the following to determine if the account is configured as prescribed:  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. In the left pane, click `Security Groups`  3. For each security group, perform the following: 1. Select the security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exists that has a port range that includes port `22`, `3389`, or other remote server administration ports for your environment and has a `Source` of `::/0`   **Note:** A Port value of `ALL` or a port range such as `0-1024` are inclusive of port `22`, `3389`, and other remote server administration ports.",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule"
         }
@@ -1323,11 +1324,11 @@
           "Section": "5. Networking",
           "Profile": "Level 2",
           "AssessmentStatus": "Automated",
-          "Description": "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.\n\nThe default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.\n\n**NOTE:** When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.",
+          "Description": "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.  The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.  **NOTE:** When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.",
           "RationaleStatement": "Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources.",
           "ImpactStatement": "Implementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.",
-          "RemediationProcedure": "Security Group Members\n\nPerform the following to implement the prescribed state:\n\n1. Identify AWS resources that exist within the default security group\n2. Create a set of least privilege security groups for those resources\n3. Place the resources in those security groups\n4. Remove the resources noted in #1 from the default security group\n\nSecurity Group State\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:\n3. In the left pane, click `Security Groups` \n4. For each default security group, perform the following:\n1. Select the `default` security group\n2. Click the `Inbound Rules` tab\n3. Remove any inbound rules\n4. Click the `Outbound Rules` tab\n5. Remove any Outbound rules\n\nRecommended:\n\nIAM groups allow you to edit the \"name\" field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to \"DO NOT USE. DO NOT ADD RULES\"",
-          "AuditProcedure": "Perform the following to determine if the account is configured as prescribed:\n\nSecurity Group State\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:\n3. In the left pane, click `Security Groups` \n4. For each default security group, perform the following:\n1. Select the `default` security group\n2. Click the `Inbound Rules` tab\n3. Ensure no rule exist\n4. Click the `Outbound Rules` tab\n5. Ensure no rules exist\n\nSecurity Group Members\n\n1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home)\n2. Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS region:\n3. In the left pane, click `Security Groups` \n4. Copy the id of the default security group.\n5. Change to the EC2 Management Console at https://console.aws.amazon.com/ec2/v2/home\n6. In the filter column type 'Security Group ID : < security group id from #4 >'",
+          "RemediationProcedure": "Security Group Members  Perform the following to implement the prescribed state:  1. Identify AWS resources that exist within the default security group 2. Create a set of least privilege security groups for those resources 3. Place the resources in those security groups 4. Remove the resources noted in #1 from the default security group  Security Group State  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`  4. For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Remove any inbound rules 4. Click the `Outbound Rules` tab 5. Remove any Outbound rules  Recommended:  IAM groups allow you to edit the \"name\" field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to \"DO NOT USE. DO NOT ADD RULES\"",
+          "AuditProcedure": "Perform the following to determine if the account is configured as prescribed:  Security Group State  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`  4. For each default security group, perform the following: 1. Select the `default` security group 2. Click the `Inbound Rules` tab 3. Ensure no rule exist 4. Click the `Outbound Rules` tab 5. Ensure no rules exist  Security Group Members  1. Login to the AWS Management Console at [https://console.aws.amazon.com/vpc/home](https://console.aws.amazon.com/vpc/home) 2. Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS region: 3. In the left pane, click `Security Groups`  4. Copy the id of the default security group. 5. Change to the EC2 Management Console at https://console.aws.amazon.com/ec2/v2/home 6. In the filter column type 'Security Group ID : < security group id from #4 >'",
           "AdditionalInformation": "",
           "References": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group"
         }
@@ -1347,8 +1348,8 @@
           "Description": "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.",
           "RationaleStatement": "Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.",
           "ImpactStatement": "",
-          "RemediationProcedure": "Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.\n\n**From Command Line:**\n\n1. For each _<route\\_table\\_id>_ containing routes non compliant with your routing policy (which grants more than desired \"least access\"), delete the non compliant route:\n```\naws ec2 delete-route --route-table-id <route_table_id> --destination-cidr-block <non_compliant_destination_CIDR>\n```\n 2. Create a new compliant route:\n```\naws ec2 create-route --route-table-id <route_table_id> --destination-cidr-block <compliant_destination_CIDR> --vpc-peering-connection-id <peering_connection_id>\n```",
-          "AuditProcedure": "Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.\n\n**From Command Line:**\n\n1. List all the route tables from a VPC and check if \"GatewayId\" is pointing to a _<peering\\_connection\\_id>_ (e.g. pcx-1a2b3c4d) and if \"DestinationCidrBlock\" is as specific as desired.\n```\naws ec2 describe-route-tables --filter \"Name=vpc-id,Values=<vpc_id>\" --query \"RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}\"\n```",
+          "RemediationProcedure": "Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.  **From Command Line:**  1. For each _<route\\_table\\_id>_ containing routes non compliant with your routing policy (which grants more than desired \"least access\"), delete the non compliant route: ``` aws ec2 delete-route --route-table-id <route_table_id> --destination-cidr-block <non_compliant_destination_CIDR> ```  2. Create a new compliant route: ``` aws ec2 create-route --route-table-id <route_table_id> --destination-cidr-block <compliant_destination_CIDR> --vpc-peering-connection-id <peering_connection_id> ```",
+          "AuditProcedure": "Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.  **From Command Line:**  1. List all the route tables from a VPC and check if \"GatewayId\" is pointing to a _<peering\\_connection\\_id>_ (e.g. pcx-1a2b3c4d) and if \"DestinationCidrBlock\" is as specific as desired. ``` aws ec2 describe-route-tables --filter \"Name=vpc-id,Values=<vpc_id>\" --query \"RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}\" ```",
           "AdditionalInformation": "If an organization has AWS transit gateway implemented in their VPC architecture they should look to apply the recommendation above for \"least access\" routing architecture at the AWS transit gateway level in combination with what must be implemented at the standard VPC route table. More specifically, to route traffic between two or more VPCs via a transit gateway VPCs must have an attachment to a transit gateway route table as well as a route, therefore to avoid routing traffic between VPCs an attachment to the transit gateway route table should only be added where there is an intention to route traffic between the VPCs. As transit gateways are able to host multiple route tables it is possible to group VPCs by attaching them to a common route table.",
           "References": "https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html:https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-peering-connection.html"
         }
@@ -1368,8 +1369,8 @@
           "Description": "When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method).",
           "RationaleStatement": "Allowing Version 1 of the service may open EC2 instances to Server-Side Request Forgery (SSRF) attacks, so Amazon recommends utilizing Version 2 for better instance security.",
           "ImpactStatement": "",
-          "RemediationProcedure": "From Console:\n 1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/\n2. Under the Instances menu, select Instances.\n 3. For each Instance, select the instance, then choose Actions > Modify instance metadata options.\n 4. If the Instance metadata service is enabled, set IMDSv2 to Required.\n\n From Command Line:\n ```\n aws ec2 modify-instance-metadata-options --instance-id <instance_id> --http-tokens required\n ```\n",
-          "AuditProcedure": "From Console:\n 1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/\n 2. Under the Instances menu, select Instances.\n 3. For each Instance, select the instance, then choose Actions > Modify instance metadata options.\n 4. If the Instance metadata service is enabled, verify whether IMDSv2 is set to required.\n\n From Command Line:\n 1. Use the describe-instances CLI command\n 2. Ensure for all ec2 instances that the metadata-options.http-tokens setting is set to required.\n 3. Repeat for all active regions.\n ```\n aws ec2 describe-instances --filters \"\"Name=metadata-options.http-tokens\",\"Values=optional\" \"\"Name=metadata-options.state\"\",\"\"Values=applied\"\" --query \"\"Reservations[*].Instances[*].\"\"\n```\n",
+          "RemediationProcedure": "From Console:  1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/ 2. Under the Instances menu, select Instances.  3. For each Instance, select the instance, then choose Actions > Modify instance metadata options.  4. If the Instance metadata service is enabled, set IMDSv2 to Required.   From Command Line:  ```  aws ec2 modify-instance-metadata-options --instance-id <instance_id> --http-tokens required  ``` ",
+          "AuditProcedure": "From Console:  1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/  2. Under the Instances menu, select Instances.  3. For each Instance, select the instance, then choose Actions > Modify instance metadata options.  4. If the Instance metadata service is enabled, verify whether IMDSv2 is set to required.   From Command Line:  1. Use the describe-instances CLI command  2. Ensure for all ec2 instances that the metadata-options.http-tokens setting is set to required.  3. Repeat for all active regions.  ```  aws ec2 describe-instances --filters \"\"Name=metadata-options.http-tokens\",\"Values=optional\" \"\"Name=metadata-options.state\"\",\"\"Values=applied\"\" --query \"\"Reservations[*].Instances[*].\"\" ``` ",
           "AdditionalInformation": "",
           "References": "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/:https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html"
         }

prowler/compliance/aws/cisa_aws.json

@@ -19,7 +19,7 @@
         "ec2_instance_managed_by_ssm",
         "ec2_instance_older_than_specific_days",
         "ssm_managed_compliant_patching",
-        "ec2_elastic_ip_unassgined"
+        "ec2_elastic_ip_unassigned"
       ]
     },
     {
@@ -51,9 +51,9 @@
         }
       ],
       "Checks": [
-        "apigateway_client_certificate_enabled",
-        "apigateway_logging_enabled",
-        "apigateway_waf_acl_attached",
+        "apigateway_restapi_client_certificate_enabled",
+        "apigateway_restapi_logging_enabled",
+        "apigateway_restapi_waf_acl_attached",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -90,13 +90,15 @@
         "iam_no_custom_policy_permissive_role_assumption",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_root_hardware_mfa_enabled",
         "iam_root_mfa_enabled",
         "iam_no_root_access_key",
         "iam_rotate_access_key_90_days",
         "iam_user_mfa_enabled_console_access",
         "iam_user_mfa_enabled_console_access",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "kms_cmk_rotation_enabled",
         "awslambda_function_not_publicly_accessible",
         "awslambda_function_not_publicly_accessible",
@@ -147,7 +149,7 @@
         }
       ],
       "Checks": [
-        "ec2_elastic_ip_unassgined",
+        "ec2_elastic_ip_unassigned",
         "vpc_flow_logs_enabled"
       ]
     },
@@ -184,6 +186,7 @@
         "iam_no_custom_policy_permissive_role_assumption",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key"
       ]
     },
@@ -247,8 +250,8 @@
       ],
       "Checks": [
         "acm_certificates_expiration_check",
-        "apigateway_client_certificate_enabled",
-        "apigateway_logging_enabled",
+        "apigateway_restapi_client_certificate_enabled",
+        "apigateway_restapi_logging_enabled",
         "efs_have_backup_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",

prowler/compliance/aws/ens_rd2022_aws.json

@@ -129,6 +129,7 @@
         "iam_policy_allows_privilege_escalation",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "organizations_scp_check_deny_regions",
         "organizations_account_part_of_organizations"
       ]
@@ -157,7 +158,8 @@
         "iam_policy_allows_privilege_escalation",
         "iam_no_custom_policy_permissive_role_assumption",
         "iam_aws_attached_policy_no_administrative_privileges",
-        "iam_customer_attached_policy_no_administrative_privileges"
+        "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges"
       ]
     },
     {
@@ -231,7 +233,8 @@
       ],
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
-        "iam_customer_attached_policy_no_administrative_privileges"
+        "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges"
       ]
     },
     {
@@ -303,7 +306,8 @@
         }
       ],
       "Checks": [
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "iam_rotate_access_key_90_days"
       ]
     },
@@ -329,7 +333,8 @@
       ],
       "Checks": [
         "iam_password_policy_expires_passwords_within_90_days_or_less",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "iam_rotate_access_key_90_days"
       ]
     },
@@ -482,8 +487,8 @@
         }
       ],
       "Checks": [
-        "iam_disable_30_days_credentials",
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -1222,6 +1227,7 @@
         "iam_policy_allows_privilege_escalation",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_custom_policy_permissive_role_assumption",
         "iam_policy_attached_only_to_group_or_roles",
         "iam_role_cross_service_confused_deputy_prevention"
@@ -2616,7 +2622,7 @@
         }
       ],
       "Checks": [
-        "apigateway_waf_acl_attached"
+        "apigateway_restapi_waf_acl_attached"
       ]
     },
     {

prowler/compliance/aws/fedramp_low_revision_4_aws.json

@@ -16,7 +16,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -29,13 +29,15 @@
         "iam_policy_attached_only_to_group_or_roles",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_root_hardware_mfa_enabled",
         "iam_root_mfa_enabled",
         "iam_no_root_access_key",
         "iam_rotate_access_key_90_days",
         "iam_user_mfa_enabled_console_access",
         "iam_user_hardware_mfa_enabled",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "rds_instance_integration_cloudwatch_logs",
         "redshift_cluster_audit_logging",
         "s3_bucket_server_access_logging_enabled",
@@ -61,8 +63,10 @@
         "iam_policy_attached_only_to_group_or_roles",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "awslambda_function_not_publicly_accessible",
         "awslambda_function_url_public",
         "rds_instance_no_public_access",
@@ -121,7 +125,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -204,7 +208,7 @@
         }
       ],
       "Checks": [
-        "apigateway_waf_acl_attached",
+        "apigateway_restapi_waf_acl_attached",
         "ec2_ebs_public_snapshot",
         "ec2_instance_public_ip",
         "ec2_instance_older_than_specific_days",

prowler/compliance/aws/fedramp_moderate_revision_4_aws.json

@@ -22,13 +22,15 @@
         "iam_policy_attached_only_to_group_or_roles",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_root_hardware_mfa_enabled",
         "iam_root_mfa_enabled",
         "iam_no_root_access_key",
         "iam_rotate_access_key_90_days",
         "iam_user_mfa_enabled_console_access",
         "iam_user_mfa_enabled_console_access",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "securityhub_enabled"
       ]
     },
@@ -95,13 +97,15 @@
         "iam_policy_attached_only_to_group_or_roles",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_root_hardware_mfa_enabled",
         "iam_root_mfa_enabled",
         "iam_no_root_access_key",
         "iam_rotate_access_key_90_days",
         "iam_user_mfa_enabled_console_access",
         "iam_user_mfa_enabled_console_access",
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -117,7 +121,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -148,12 +152,14 @@
         "iam_policy_attached_only_to_group_or_roles",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_root_mfa_enabled",
         "iam_no_root_access_key",
         "iam_rotate_access_key_90_days",
         "iam_user_mfa_enabled_console_access",
         "iam_user_mfa_enabled_console_access",
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -170,7 +176,8 @@
       ],
       "Checks": [
         "iam_password_policy_minimum_length_14",
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -192,8 +199,10 @@
         "iam_policy_attached_only_to_group_or_roles",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "awslambda_function_not_publicly_accessible",
         "awslambda_function_url_public",
         "rds_instance_no_public_access",
@@ -253,8 +262,10 @@
         "iam_policy_attached_only_to_group_or_roles",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key",
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -272,6 +283,7 @@
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key"
       ]
     },
@@ -293,8 +305,10 @@
         "emr_cluster_master_nodes_no_public_ip",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "awslambda_function_not_publicly_accessible",
         "awslambda_function_url_public",
         "rds_instance_no_public_access",
@@ -402,7 +416,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -428,7 +442,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -455,7 +469,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -557,7 +571,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -611,7 +625,7 @@
         }
       ],
       "Checks": [
-        "apigateway_waf_acl_attached",
+        "apigateway_restapi_waf_acl_attached",
         "ec2_ebs_public_snapshot",
         "ec2_instance_public_ip",
         "ec2_instance_managed_by_ssm",
@@ -977,7 +991,8 @@
       "Checks": [
         "iam_policy_attached_only_to_group_or_roles",
         "iam_aws_attached_policy_no_administrative_privileges",
-        "iam_customer_attached_policy_no_administrative_privileges"
+        "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges"
       ]
     },
     {
@@ -1108,7 +1123,7 @@
         }
       ],
       "Checks": [
-        "apigateway_client_certificate_enabled",
+        "apigateway_restapi_client_certificate_enabled",
         "elbv2_insecure_ssl_ciphers",
         "elb_ssl_listeners",
         "opensearch_service_domains_node_to_node_encryption_enabled",
@@ -1127,7 +1142,7 @@
         }
       ],
       "Checks": [
-        "apigateway_client_certificate_enabled",
+        "apigateway_restapi_client_certificate_enabled",
         "elbv2_insecure_ssl_ciphers",
         "elb_ssl_listeners",
         "opensearch_service_domains_node_to_node_encryption_enabled",
@@ -1179,7 +1194,7 @@
         }
       ],
       "Checks": [
-        "apigateway_client_certificate_enabled",
+        "apigateway_restapi_client_certificate_enabled",
         "elb_ssl_listeners",
         "opensearch_service_domains_node_to_node_encryption_enabled",
         "s3_bucket_secure_transport_policy"
@@ -1362,7 +1377,7 @@
         }
       ],
       "Checks": [
-        "apigateway_waf_acl_attached",
+        "apigateway_restapi_waf_acl_attached",
         "cloudtrail_cloudwatch_logging_enabled",
         "cloudwatch_changes_to_network_acls_alarm_configured",
         "cloudwatch_changes_to_network_gateways_alarm_configured",

prowler/compliance/aws/ffiec_aws.json

@@ -19,7 +19,7 @@
       "Checks": [
         "ec2_instance_managed_by_ssm",
         "ec2_instance_older_than_specific_days",
-        "ec2_elastic_ip_unassgined"
+        "ec2_elastic_ip_unassigned"
       ]
     },
     {
@@ -88,7 +88,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -117,7 +117,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -267,7 +267,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -294,7 +294,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -339,7 +339,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -421,6 +421,7 @@
         "iam_policy_attached_only_to_group_or_roles",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key"
       ]
     },
@@ -455,7 +456,7 @@
         }
       ],
       "Checks": [
-        "apigateway_client_certificate_enabled",
+        "apigateway_restapi_client_certificate_enabled",
         "ec2_ebs_volume_encryption",
         "ec2_ebs_default_encryption",
         "efs_encryption_at_rest_enabled",
@@ -480,7 +481,7 @@
         }
       ],
       "Checks": [
-        "apigateway_client_certificate_enabled",
+        "apigateway_restapi_client_certificate_enabled",
         "elbv2_insecure_ssl_ciphers",
         "elb_ssl_listeners",
         "s3_bucket_secure_transport_policy"
@@ -499,7 +500,7 @@
         }
       ],
       "Checks": [
-        "apigateway_client_certificate_enabled",
+        "apigateway_restapi_client_certificate_enabled",
         "iam_root_hardware_mfa_enabled",
         "iam_root_mfa_enabled",
         "iam_user_mfa_enabled_console_access",
@@ -520,7 +521,8 @@
       ],
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
-        "iam_customer_attached_policy_no_administrative_privileges"
+        "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges"
       ]
     },
     {
@@ -537,7 +539,8 @@
       ],
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
-        "iam_customer_attached_policy_no_administrative_privileges"
+        "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges"
       ]
     },
     {
@@ -555,6 +558,7 @@
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_root_hardware_mfa_enabled",
         "iam_root_mfa_enabled",
         "iam_no_root_access_key"
@@ -581,12 +585,14 @@
         "iam_password_policy_uppercase",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_root_hardware_mfa_enabled",
         "iam_root_mfa_enabled",
         "iam_rotate_access_key_90_days",
         "iam_user_mfa_enabled_console_access",
         "iam_user_mfa_enabled_console_access",
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -640,7 +646,7 @@
       ],
       "Checks": [
         "acm_certificates_expiration_check",
-        "apigateway_waf_acl_attached",
+        "apigateway_restapi_waf_acl_attached",
         "ec2_ebs_public_snapshot",
         "ec2_instance_public_ip",
         "elbv2_waf_acl_attached",
@@ -674,7 +680,7 @@
         }
       ],
       "Checks": [
-        "apigateway_waf_acl_attached",
+        "apigateway_restapi_waf_acl_attached",
         "elbv2_waf_acl_attached",
         "ec2_securitygroup_default_restrict_traffic",
         "ec2_networkacl_allow_ingress_any_port",
@@ -695,7 +701,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_cloudwatch_logging_enabled",
         "elbv2_logging_enabled",
@@ -757,7 +763,8 @@
         "cloudtrail_cloudwatch_logging_enabled",
         "iam_policy_attached_only_to_group_or_roles",
         "iam_aws_attached_policy_no_administrative_privileges",
-        "iam_customer_attached_policy_no_administrative_privileges"
+        "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges"
       ]
     },
     {

prowler/compliance/aws/gdpr_aws.json

@@ -37,13 +37,15 @@
         "iam_password_policy_uppercase",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_root_hardware_mfa_enabled",
         "iam_root_mfa_enabled",
         "iam_no_root_access_key",
         "iam_support_role_created",
         "iam_rotate_access_key_90_days",
         "iam_user_mfa_enabled_console_access",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "kms_cmk_rotation_enabled",
         "cloudwatch_log_metric_filter_for_s3_bucket_policy_changes",
         "cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled",

prowler/compliance/aws/gxp_21_cfr_part_11_aws.json

@@ -85,13 +85,15 @@
         "iam_policy_attached_only_to_group_or_roles",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_root_hardware_mfa_enabled",
         "iam_root_mfa_enabled",
         "iam_no_root_access_key",
         "iam_rotate_access_key_90_days",
         "iam_user_mfa_enabled_console_access",
         "iam_user_mfa_enabled_console_access",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "awslambda_function_not_publicly_accessible",
         "awslambda_function_url_public",
         "rds_instance_no_public_access",
@@ -121,7 +123,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -169,13 +171,15 @@
         "iam_policy_attached_only_to_group_or_roles",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_root_hardware_mfa_enabled",
         "iam_root_mfa_enabled",
         "iam_no_root_access_key",
         "iam_rotate_access_key_90_days",
         "iam_user_mfa_enabled_console_access",
         "iam_user_mfa_enabled_console_access",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "awslambda_function_not_publicly_accessible",
         "awslambda_function_url_public",
         "rds_instance_no_public_access",
@@ -253,7 +257,7 @@
         }
       ],
       "Checks": [
-        "apigateway_client_certificate_enabled",
+        "apigateway_restapi_client_certificate_enabled",
         "cloudtrail_kms_encryption_enabled",
         "cloudtrail_log_file_validation_enabled",
         "dynamodb_tables_kms_cmk_encryption_enabled",
@@ -321,7 +325,8 @@
         "iam_password_policy_symbol",
         "iam_password_policy_uppercase",
         "iam_rotate_access_key_90_days",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "secretsmanager_automatic_rotation_enabled"
       ]
     },

prowler/compliance/aws/hipaa_aws.json

@@ -47,6 +47,7 @@
         "opensearch_service_domains_encryption_at_rest_enabled",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key",
         "awslambda_function_not_publicly_accessible",
         "awslambda_function_url_public",
@@ -84,7 +85,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -117,6 +118,7 @@
         "ec2_instance_public_ip",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key",
         "awslambda_function_not_publicly_accessible",
         "awslambda_function_url_public",
@@ -141,7 +143,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -173,8 +175,10 @@
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key",
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -205,7 +209,8 @@
       ],
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
-        "iam_customer_attached_policy_no_administrative_privileges"
+        "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges"
       ]
     },
     {
@@ -260,7 +265,8 @@
       ],
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
-        "iam_customer_attached_policy_no_administrative_privileges"
+        "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges"
       ]
     },
     {
@@ -278,9 +284,11 @@
         "iam_password_policy_reuse_24",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key",
         "iam_rotate_access_key_90_days",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "secretsmanager_automatic_rotation_enabled"
       ]
     },
@@ -337,7 +345,8 @@
         "iam_password_policy_uppercase",
         "iam_password_policy_reuse_24",
         "iam_rotate_access_key_90_days",
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -374,7 +383,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -520,6 +529,7 @@
         "emr_cluster_master_nodes_no_public_ip",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_user_mfa_enabled_console_access",
         "awslambda_function_not_publicly_accessible",
         "awslambda_function_url_public",
@@ -618,7 +628,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",

prowler/compliance/aws/iso27001_2013_aws.json

@@ -866,7 +866,8 @@
         }
       ],
       "Checks": [
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -1042,7 +1043,8 @@
         }
       ],
       "Checks": [
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -1250,7 +1252,8 @@
         }
       ],
       "Checks": [
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {

prowler/compliance/aws/mitre_attack_aws.json

@@ -165,8 +165,10 @@
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
         "iam_customer_unattached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_expired_server_certificates_stored",
-        "iam_disable_30_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "iam_no_root_access_key",
         "iam_no_custom_policy_permissive_role_assumption",
         "iam_password_policy_expires_passwords_within_90_days_or_less",
@@ -306,6 +308,7 @@
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_policy_allows_privilege_escalation",
         "iam_policy_no_full_access_to_cloudtrail",
         "iam_policy_no_full_access_to_kms"
@@ -369,7 +372,9 @@
       "TechniqueURL": "https://attack.mitre.org/techniques/T1098/",
       "Checks": [
         "config_recorder_all_regions_enabled",
+        "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_policy_allows_privilege_escalation",
         "iam_policy_no_full_access_to_cloudtrail",
         "iam_policy_no_full_access_to_kms",
@@ -614,6 +619,7 @@
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_policy_allows_privilege_escalation",
         "iam_policy_no_full_access_to_cloudtrail",
         "iam_policy_no_full_access_to_kms"
@@ -662,11 +668,14 @@
       "TechniqueURL": "https://attack.mitre.org/techniques/T1550/",
       "Checks": [
         "iam_administrator_access_with_mfa",
+        "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_policy_allows_privilege_escalation",
         "iam_policy_no_full_access_to_cloudtrail",
         "iam_policy_no_full_access_to_kms",
-        "iam_disable_30_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "iam_no_root_access_key",
         "iam_root_hardware_mfa_enabled",
         "iam_root_mfa_enabled",
@@ -713,7 +722,8 @@
       "Checks": [
         "guardduty_is_enabled",
         "config_recorder_all_regions_enabled",
-        "iam_disable_30_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "iam_password_policy_expires_passwords_within_90_days_or_less",
         "iam_password_policy_lowercase",
         "iam_password_policy_minimum_length_14",
@@ -851,7 +861,9 @@
       "Checks": [
         "iam_no_custom_policy_permissive_role_assumption",
         "iam_policy_allows_privilege_escalation",
+        "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_root_hardware_mfa_enabled",
         "iam_root_mfa_enabled",
         "iam_user_hardware_mfa_enabled",
@@ -1734,6 +1746,7 @@
         "guardduty_is_enabled",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_custom_policy_permissive_role_assumption",
         "iam_policy_allows_privilege_escalation",
         "iam_policy_no_full_access_to_cloudtrail",
@@ -1785,7 +1798,8 @@
         "organizations_account_part_of_organizations",
         "iam_user_mfa_enabled_console_access",
         "iam_customer_attached_policy_no_administrative_privileges",
-        "iam_aws_attached_policy_no_administrative_privileges"
+        "iam_aws_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges"
       ],
       "Attributes": [
         {
@@ -1845,6 +1859,7 @@
       "Checks": [
         "iam_customer_attached_policy_no_administrative_privileges",
         "iam_aws_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_policy_allows_privilege_escalation"
       ],
       "Attributes": [
@@ -1955,6 +1970,7 @@
       "Checks": [
         "iam_customer_attached_policy_no_administrative_privileges",
         "iam_aws_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_policy_allows_privilege_escalation"
       ],
       "Attributes": [

prowler/compliance/aws/nist_800_171_revision_2_aws.json

@@ -23,12 +23,14 @@
         "emr_cluster_master_nodes_no_public_ip",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_root_hardware_mfa_enabled",
         "iam_root_mfa_enabled",
         "iam_no_root_access_key",
         "iam_user_mfa_enabled_console_access",
         "iam_user_mfa_enabled_console_access",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "awslambda_function_not_publicly_accessible",
         "awslambda_function_url_public",
         "rds_instance_no_public_access",
@@ -63,12 +65,14 @@
         "emr_cluster_master_nodes_no_public_ip",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_root_hardware_mfa_enabled",
         "iam_root_mfa_enabled",
         "iam_no_root_access_key",
         "iam_user_mfa_enabled_console_access",
         "iam_user_mfa_enabled_console_access",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "awslambda_function_not_publicly_accessible",
         "awslambda_function_url_public",
         "rds_instance_no_public_access",
@@ -129,8 +133,10 @@
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key",
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -147,8 +153,10 @@
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key",
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -165,6 +173,7 @@
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key"
       ]
     },
@@ -182,6 +191,7 @@
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key"
       ]
     },
@@ -197,7 +207,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -285,7 +295,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -313,7 +323,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -336,7 +346,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -419,7 +429,7 @@
         "ec2_instance_older_than_specific_days",
         "elbv2_deletion_protection",
         "ssm_managed_compliant_patching",
-        "ec2_elastic_ip_unassgined",
+        "ec2_elastic_ip_unassigned",
         "ec2_networkacl_allow_ingress_any_port"
       ]
     },
@@ -457,6 +467,7 @@
         "iam_policy_attached_only_to_group_or_roles",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key",
         "awslambda_function_url_public",
         "rds_snapshots_public_access",
@@ -567,7 +578,8 @@
       "Checks": [
         "iam_password_policy_reuse_24",
         "iam_password_policy_expires_passwords_within_90_days_or_less",
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -589,7 +601,8 @@
         "iam_password_policy_uppercase",
         "iam_password_policy_reuse_24",
         "iam_password_policy_expires_passwords_within_90_days_or_less",
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -606,7 +619,8 @@
       "Checks": [
         "iam_password_policy_reuse_24",
         "iam_password_policy_expires_passwords_within_90_days_or_less",
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -621,7 +635,7 @@
         }
       ],
       "Checks": [
-        "apigateway_client_certificate_enabled",
+        "apigateway_restapi_client_certificate_enabled",
         "ec2_ebs_volume_encryption",
         "elbv2_insecure_ssl_ciphers",
         "opensearch_service_domains_node_to_node_encryption_enabled",
@@ -641,7 +655,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_cloudwatch_logging_enabled",
         "cloudwatch_changes_to_network_acls_alarm_configured",
@@ -669,7 +683,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_cloudwatch_logging_enabled",
         "cloudwatch_changes_to_network_acls_alarm_configured",
@@ -755,7 +769,7 @@
       ],
       "Checks": [
         "acm_certificates_expiration_check",
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -829,7 +843,8 @@
       ],
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
-        "iam_customer_attached_policy_no_administrative_privileges"
+        "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges"
       ]
     },
     {
@@ -1060,7 +1075,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -1086,7 +1101,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",

prowler/compliance/aws/nist_800_53_revision_4_aws.json

@@ -20,7 +20,8 @@
         "guardduty_is_enabled",
         "iam_password_policy_reuse_24",
         "iam_rotate_access_key_90_days",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "securityhub_enabled"
       ]
     },
@@ -37,7 +38,8 @@
         }
       ],
       "Checks": [
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -103,10 +105,12 @@
         "iam_password_policy_reuse_24",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_root_mfa_enabled",
         "iam_no_root_access_key",
         "iam_rotate_access_key_90_days",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "rds_instance_integration_cloudwatch_logs",
         "redshift_cluster_audit_logging",
         "s3_bucket_server_access_logging_enabled",
@@ -128,8 +132,10 @@
         "ec2_ebs_public_snapshot",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "awslambda_function_url_public",
         "rds_snapshots_public_access",
         "redshift_cluster_public_access",
@@ -183,7 +189,8 @@
       ],
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
-        "iam_customer_attached_policy_no_administrative_privileges"
+        "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges"
       ]
     },
     {
@@ -220,8 +227,10 @@
         "iam_policy_attached_only_to_group_or_roles",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "awslambda_function_url_public",
         "rds_instance_no_public_access",
         "rds_snapshots_public_access",
@@ -315,7 +324,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -341,7 +350,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -475,7 +484,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -851,7 +860,8 @@
       ],
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
-        "iam_customer_attached_policy_no_administrative_privileges"
+        "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges"
       ]
     },
     {

prowler/compliance/aws/nist_csf_1.1_aws.json

@@ -17,7 +17,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_cloudwatch_logging_enabled",
@@ -62,7 +62,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -132,7 +132,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -279,7 +279,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",
@@ -380,7 +380,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_multi_region_enabled",
         "elbv2_logging_enabled",
@@ -571,9 +571,11 @@
         "iam_password_policy_reuse_24",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key",
         "iam_rotate_access_key_90_days",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "secretsmanager_automatic_rotation_enabled"
       ]
     },
@@ -627,8 +629,10 @@
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key",
-        "iam_disable_90_days_credentials"
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -759,7 +763,7 @@
       "Checks": [
         "ec2_instance_managed_by_ssm",
         "ssm_managed_compliant_patching",
-        "ec2_elastic_ip_unassgined"
+        "ec2_elastic_ip_unassigned"
       ]
     },
     {
@@ -1054,7 +1058,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_cloudwatch_logging_enabled",
@@ -1080,6 +1084,7 @@
         "ec2_ebs_public_snapshot",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_no_root_access_key",
         "awslambda_function_url_public",
         "rds_snapshots_public_access",

prowler/compliance/aws/pci_3.2.1_aws.json

@@ -98,7 +98,7 @@
       "Checks": [
         "ec2_ebs_public_snapshot",
         "ec2_securitygroup_default_restrict_traffic",
-        "ec2_elastic_ip_unassgined",
+        "ec2_elastic_ip_unassigned",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
         "vpc_flow_logs_enabled"
@@ -158,10 +158,12 @@
         "iam_no_root_access_key",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_root_hardware_mfa_enabled",
         "iam_root_mfa_enabled",
         "iam_user_mfa_enabled_console_access",
-        "iam_disable_90_days_credentials",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused",
         "iam_password_policy_minimum_length_14",
         "iam_password_policy_lowercase",
         "iam_password_policy_number",

prowler/compliance/aws/rbi_cyber_security_framework_aws.json

@@ -30,7 +30,7 @@
       ],
       "Checks": [
         "acm_certificates_expiration_check",
-        "apigateway_client_certificate_enabled",
+        "apigateway_restapi_client_certificate_enabled",
         "cloudtrail_kms_encryption_enabled",
         "dynamodb_tables_kms_cmk_encryption_enabled",
         "ec2_ebs_volume_encryption",
@@ -76,7 +76,7 @@
         }
       ],
       "Checks": [
-        "apigateway_waf_acl_attached",
+        "apigateway_restapi_waf_acl_attached",
         "elbv2_waf_acl_attached",
         "ec2_securitygroup_default_restrict_traffic",
         "ec2_networkacl_allow_ingress_any_port",
@@ -115,9 +115,8 @@
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
         "iam_policy_attached_only_to_group_or_roles",
-        "iam_aws_attached_policy_no_administrative_privileges",
-        "iam_customer_attached_policy_no_administrative_privileges",
         "iam_no_root_access_key"
       ]
     },
@@ -160,7 +159,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_s3_dataevents_read_enabled",
         "cloudtrail_s3_dataevents_write_enabled",

prowler/compliance/aws/soc2_aws.json

@@ -48,7 +48,9 @@
         "iam_policy_attached_only_to_group_or_roles",
         "iam_aws_attached_policy_no_administrative_privileges",
         "iam_customer_attached_policy_no_administrative_privileges",
-        "iam_disable_90_days_credentials"
+        "iam_inline_policy_no_administrative_privileges",
+        "iam_user_accesskey_unused",
+        "iam_user_console_access_unused"
       ]
     },
     {
@@ -313,7 +315,8 @@
       ],
       "Checks": [
         "iam_aws_attached_policy_no_administrative_privileges",
-        "iam_customer_attached_policy_no_administrative_privileges"
+        "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges"
       ]
     },
     {
@@ -444,7 +447,7 @@
         "vpc_flow_logs_enabled",
         "ec2_instance_imdsv2_enabled",
         "guardduty_is_enabled",
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22"
       ]
     },
@@ -465,7 +468,7 @@
         "cloudtrail_log_file_validation_enabled",
         "cloudtrail_cloudwatch_logging_enabled",
         "guardduty_is_enabled",
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "rds_instance_integration_cloudwatch_logs",
         "securityhub_enabled",
         "cloudwatch_changes_to_network_acls_alarm_configured",
@@ -596,7 +599,7 @@
         }
       ],
       "Checks": [
-        "apigateway_logging_enabled",
+        "apigateway_restapi_logging_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_multi_region_enabled",
         "cloudtrail_cloudwatch_logging_enabled",

prowler/config/aws_allowlist.yaml

@@ -0,0 +1,63 @@
+Allowlist:
+  Accounts:
+    "*":
+      ########################### AWS CONTROL TOWER ###########################
+      ### The following entries includes all resources created by AWS Control Tower when setting up a landing zone ###
+      # https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html #
+      Checks:
+        "cloudwatch_log_group_*":
+          Regions:
+            - "*"
+          Resources:
+            - "/aws/lambda/aws-controltower-NotificationForwarder"
+            - "StackSet-AWSControlTowerBP-*"
+        "awslambda_function_*":
+          Regions:
+            - "*"
+          Resources:
+            - "aws-controltower-NotificationForwarder"
+        "cloudformation_stacks_*":
+          Regions:
+            - "*"
+          Resources:
+            - "StackSet-AWSControlTowerGuardrailAWS-*"
+            - "StackSet-AWSControlTowerBP-*"
+        "cloudtrail_*":
+          Regions:
+            - "*"
+          Resources:
+            - "aws-controltower-BaselineCloudTrail"
+        "iam_role_*":
+          Regions:
+            - "*"
+          Resources:
+            - "aws-controltower-AdministratorExecutionRole"
+            - "aws-controltower-CloudWatchLogsRole"
+            - "aws-controltower-ConfigRecorderRole"
+            - "aws-controltower-ForwardSnsNotificationRole"
+            - "aws-controltower-ReadOnlyExecutionRole"
+            - "AWSControlTower_VPCFlowLogsRole"
+            - "AWSControlTowerExecution"
+        "iam_policy_*":
+          Regions:
+            - "*"
+          Resources:
+            - "AWSControlTowerServiceRolePolicy"
+        "s3_bucket_*":
+          Regions:
+            - "*"
+          Resources:
+            - "aws-controltower-logs-*"
+            - "aws-controltower-s3-access-logs-*"
+        "sns_*":
+          Regions:
+            - "*"
+          Resources:
+            - "aws-controltower-SecurityNotifications"
+        "vpc_*":
+          Regions:
+            - "*"
+          Resources:
+            - "*"
+          Tags:
+            - "Name=aws-controltower-VPC"

prowler/config/aws_allowlist_example.yaml

@@ -72,13 +72,3 @@ Allowlist:
               - "test"
             Tags:
               - "environment=prod"   # Will ignore every resource except in account 123456789012 except the ones containing the string "test" and tag environment=prod
-
-
-
-# EXAMPLE: CONTROL TOWER (to migrate)
-# When using Control Tower, guardrails prevent access to certain protected resources. The allowlist
-# below ensures that warnings instead of errors are reported for the affected resources.
-#extra734:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+
-#extra734:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+
-#extra764:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+
-#extra764:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+

prowler/config/config.py

@@ -11,7 +11,7 @@ from prowler.lib.logger import logger
 
 timestamp = datetime.today()
 timestamp_utc = datetime.now(timezone.utc).replace(tzinfo=timezone.utc)
-prowler_version = "3.8.1"
+prowler_version = "3.11.1"
 html_logo_url = "https://github.com/prowler-cloud/prowler/"
 html_logo_img = "https://user-images.githubusercontent.com/3985464/113734260-7ba06900-96fb-11eb-82bc-d4f68a1e2710.png"
 square_logo_img = "https://user-images.githubusercontent.com/38561120/235905862-9ece5bd7-9aa3-4e48-807a-3a9035eb8bfb.png"
@@ -64,17 +64,16 @@ def check_current_version():
     try:
         prowler_version_string = f"Prowler {prowler_version}"
         release_response = requests.get(
-            "https://api.github.com/repos/prowler-cloud/prowler/tags"
+            "https://api.github.com/repos/prowler-cloud/prowler/tags", timeout=1
         )
         latest_version = release_response.json()[0]["name"]
         if latest_version != prowler_version:
             return f"{prowler_version_string} (latest is {latest_version}, upgrade for the latest features)"
         else:
             return f"{prowler_version_string} (it is the latest version, yay!)"
-    except Exception as error:
-        logger.error(
-            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
-        )
+    except requests.RequestException:
+        return f"{prowler_version_string}"
+    except Exception:
         return f"{prowler_version_string}"
 
 

prowler/config/config.yaml

@@ -1,5 +1,27 @@
 # AWS Configuration
 aws:
+
+  # AWS Global Configuration
+  # aws.allowlist_non_default_regions --> Set to True to allowlist failed findings in non-default regions for GuardDuty, SecurityHub, DRS and Config
+  allowlist_non_default_regions: False
+  # If you want to allowlist/mute failed findings only in specific regions, create a file with the following syntax and run it with `prowler aws -w allowlist.yaml`:
+  # Allowlist:
+  #  Accounts:
+  #   "*":
+  #     Checks:
+  #       "*":
+  #         Regions:
+  #           - "ap-southeast-1"
+  #           - "ap-southeast-2"
+  #         Resources:
+  #           - "*"
+
+  # AWS IAM Configuration
+  # aws.iam_user_accesskey_unused --> CIS recommends 45 days
+  max_unused_access_keys_days: 45
+  # aws.iam_user_console_access_unused --> CIS recommends 45 days
+  max_console_access_days: 45
+
   # AWS EC2 Configuration
   # aws.ec2_elastic_ip_shodan
   shodan_api_key: null
@@ -54,6 +76,17 @@ aws:
   organizations_enabled_regions: []
   organizations_trusted_delegated_administrators: []
 
+  # AWS ECR
+  # ecr_repositories_scan_vulnerabilities_in_latest_image
+  # CRITICAL
+  # HIGH
+  # MEDIUM
+  ecr_repository_vulnerability_minimum_severity: "MEDIUM"
+
+  # AWS Trusted Advisor
+  # trustedadvisor_premium_support_plan_subscribed
+  verify_premium_support_plans: True
+
 # Azure Configuration
 azure:
 

prowler/lib/check/check.py

@@ -1,5 +1,6 @@
 import functools
 import importlib
+import json
 import os
 import re
 import shutil
@@ -12,22 +13,14 @@ from typing import Any
 from alive_progress import alive_bar
 from colorama import Fore, Style
 
+import prowler
 from prowler.config.config import orange_color
 from prowler.lib.check.compliance_models import load_compliance_framework
 from prowler.lib.check.models import Check, load_check_metadata
 from prowler.lib.logger import logger
-
-try:
-    lib = os.environ["PROWLER_REPORT_LIB_PATH"]
-    outputs_module = importlib.import_module(lib)
-    report = getattr(outputs_module, "report")
-except KeyError:
-    from prowler.lib.outputs.outputs import report
-except Exception:
-    sys.exit(1)
-
-import prowler
+from prowler.lib.outputs.outputs import report
 from prowler.lib.utils.utils import open_file, parse_json_file
+from prowler.providers.aws.lib.allowlist.allowlist import allowlist_findings
 from prowler.providers.common.models import Audit_Metadata
 from prowler.providers.common.outputs import Provider_Output_Options
 
@@ -133,11 +126,13 @@ def parse_checks_from_folder(audit_info, input_folder: str, provider: str) -> in
         ):
             bucket = input_folder.split("/")[2]
             key = ("/").join(input_folder.split("/")[3:])
-            s3_reource = audit_info.audit_session.resource("s3")
-            bucket = s3_reource.Bucket(bucket)
+            s3_resource = audit_info.audit_session.resource("s3")
+            bucket = s3_resource.Bucket(bucket)
             for obj in bucket.objects.filter(Prefix=key):
                 if not os.path.exists(os.path.dirname(obj.key)):
                     os.makedirs(os.path.dirname(obj.key))
+                if obj.key[-1] == "/":
+                    continue
                 bucket.download_file(obj.key, obj.key)
             input_folder = key
         # Import custom checks by moving the checks folders to the corresponding services
@@ -178,6 +173,10 @@ def remove_custom_checks_module(input_folder: str, provider: str):
                 prowler_module = f"{prowler_dir[0]}/providers/{provider}/services/{check_service}/{check.name}"
                 if os.path.exists(prowler_module):
                     shutil.rmtree(prowler_module)
+                # test if the service only had the loaded custom checks to delete the folder
+                prowler_service_module = prowler_module.rsplit("/", 1)[0]
+                if not os.listdir(prowler_service_module):
+                    shutil.rmtree(prowler_service_module)
                 # If S3 URI, remove the downloaded folders
                 if s3_uri and os.path.exists(input_folder):
                     shutil.rmtree(input_folder)
@@ -270,6 +269,15 @@ def print_compliance_requirements(
                     )
 
 
+def list_checks_json(provider: str, check_list: set):
+    try:
+        output = {provider: check_list}
+        return json.dumps(output, indent=2, default=str)
+    except Exception as e:
+        logger.critical(f"{e.__class__.__name__}[{e.__traceback__.tb_lineno}]: {e}")
+        sys.exit(1)
+
+
 def print_checks(
     provider: str,
     check_list: set,
@@ -281,10 +289,9 @@ def print_checks(
                 f"[{bulk_checks_metadata[check].CheckID}] {bulk_checks_metadata[check].CheckTitle} - {Fore.MAGENTA}{bulk_checks_metadata[check].ServiceName} {Fore.YELLOW}[{bulk_checks_metadata[check].Severity}]{Style.RESET_ALL}"
             )
         except KeyError as error:
-            logger.critical(
+            logger.error(
                 f"Check {error} was not found for the {provider.upper()} provider"
             )
-            sys.exit(1)
 
     checks_num = len(check_list)
     plural_string = (
@@ -357,7 +364,7 @@ def list_compliance_modules():
     """
     list_compliance_modules returns the available compliance frameworks and returns their path
     """
-    # This module path requires the full path includig "prowler."
+    # This module path requires the full path including "prowler."
     module_path = "prowler.compliance"
     return walk_packages(
         importlib.import_module(module_path).__path__,
@@ -367,7 +374,7 @@ def list_compliance_modules():
 
 # List all available modules in the selected provider and service
 def list_modules(provider: str, service: str):
-    # This module path requires the full path includig "prowler."
+    # This module path requires the full path including "prowler."
     module_path = f"prowler.providers.{provider}.services"
     if service:
         module_path += f".{service}"
@@ -459,10 +466,9 @@ def execute_checks(
 
             # If check does not exists in the provider or is from another provider
             except ModuleNotFoundError:
-                logger.critical(
+                logger.error(
                     f"Check '{check_name}' was not found for the {provider.upper()} provider"
                 )
-                sys.exit(1)
             except Exception as error:
                 logger.error(
                     f"{check_name} - {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
@@ -502,19 +508,17 @@ def execute_checks(
                         checks_executed,
                     )
                     all_findings.extend(check_findings)
-                    bar()
 
                 # If check does not exists in the provider or is from another provider
                 except ModuleNotFoundError:
-                    logger.critical(
+                    logger.error(
                         f"Check '{check_name}' was not found for the {provider.upper()} provider"
                     )
-                    bar.title = f"-> {Fore.RED}Scan was aborted!{Style.RESET_ALL}"
-                    sys.exit(1)
                 except Exception as error:
                     logger.error(
                         f"{check_name} - {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
                     )
+                bar()
             bar.title = f"-> {Fore.GREEN}Scan completed!{Style.RESET_ALL}"
     return all_findings
 
@@ -547,9 +551,28 @@ def execute(
         audit_info.audit_metadata, services_executed, checks_executed
     )
 
+    # Allowlist findings
+    if audit_output_options.allowlist_file:
+        check_findings = allowlist_findings(
+            audit_output_options.allowlist_file,
+            audit_info.audited_account,
+            check_findings,
+        )
+
     # Report the check's findings
     report(check_findings, audit_output_options, audit_info)
 
+    if os.environ.get("PROWLER_REPORT_LIB_PATH"):
+        try:
+            logger.info("Using custom report interface ...")
+            lib = os.environ["PROWLER_REPORT_LIB_PATH"]
+            outputs_module = importlib.import_module(lib)
+            custom_report_interface = getattr(outputs_module, "report")
+
+            custom_report_interface(check_findings, audit_output_options, audit_info)
+        except Exception:
+            sys.exit(1)
+
     return check_findings
 
 

prowler/lib/check/checks_loader.py

@@ -1,3 +1,5 @@
+from colorama import Fore, Style
+
 from prowler.lib.check.check import (
     parse_checks_from_compliance_framework,
     parse_checks_from_file,
@@ -77,4 +79,23 @@ def load_checks_to_execute(
                 check_name = check_info[0]
                 checks_to_execute.add(check_name)
 
+    # Get Check Aliases mapping
+    check_aliases = {}
+    for check, metadata in bulk_checks_metadata.items():
+        for alias in metadata.CheckAliases:
+            check_aliases[alias] = check
+
+    # Verify if any input check is an alias of another check
+    for input_check in checks_to_execute:
+        if (
+            input_check in check_aliases
+            and check_aliases[input_check] not in checks_to_execute
+        ):
+            # Remove input check name and add the real one
+            checks_to_execute.remove(input_check)
+            checks_to_execute.add(check_aliases[input_check])
+            print(
+                f"\nUsing alias {Fore.YELLOW}{input_check}{Style.RESET_ALL} for check {Fore.YELLOW}{check_aliases[input_check]}{Style.RESET_ALL}...\n"
+            )
+
     return checks_to_execute

prowler/lib/check/models.py

@@ -38,6 +38,7 @@ class Check_Metadata_Model(BaseModel):
     CheckID: str
     CheckTitle: str
     CheckType: list[str]
+    CheckAliases: list[str] = []
     ServiceName: str
     SubServiceName: str
     ResourceIdTemplate: str

prowler/lib/cli/parser.py

@@ -8,8 +8,10 @@ from prowler.config.config import (
     default_config_file_path,
     default_output_directory,
 )
-from prowler.providers.aws.aws_provider import get_aws_available_regions
-from prowler.providers.aws.lib.arn.arn import arn_type
+from prowler.providers.common.arguments import (
+    init_providers_parser,
+    validate_provider_arguments,
+)
 
 
 class ProwlerArgumentParser:
@@ -49,9 +51,7 @@ Detailed documentation at https://docs.prowler.cloud
         self.__init_config_parser__()
 
         # Init Providers Arguments
-        self.__init_aws_parser__()
-        self.__init_azure_parser__()
-        self.__init_gcp_parser__()
+        init_providers_parser(self)
 
     def parse(self, args=None) -> argparse.Namespace:
         """
@@ -90,9 +90,14 @@ Detailed documentation at https://docs.prowler.cloud
             )
 
         # Only Logging Configuration
-        if args.only_logs:
+        if args.only_logs or args.list_checks_json:
             args.no_banner = True
 
+        # Extra validation for provider arguments
+        valid, message = validate_provider_arguments(args)
+        if not valid:
+            self.parser.error(f"{args.provider}: {message}")
+
         return args
 
     def __set_default_provider__(self, args: list) -> list:
@@ -154,6 +159,12 @@ Detailed documentation at https://docs.prowler.cloud
             action="store_true",
             help="Send a summary of the execution with a Slack APP in your channel. Environment variables SLACK_API_TOKEN and SLACK_CHANNEL_ID are required (see more in https://docs.prowler.cloud/en/latest/tutorials/integrations/#slack).",
         )
+        common_outputs_parser.add_argument(
+            "--unix-timestamp",
+            action="store_true",
+            default=False,
+            help="Set the output timestamp format as unix timestamps instead of iso format timestamps (default mode).",
+        )
 
     def __init_logging_parser__(self):
         # Logging Options
@@ -193,7 +204,7 @@ Detailed documentation at https://docs.prowler.cloud
     def __init_checks_parser__(self):
         # Set checks to execute
         common_checks_parser = self.common_providers_parser.add_argument_group(
-            "Specify checks/services to run arguments"
+            "Specify checks/services to run"
         )
         # The following arguments needs to be set exclusivelly
         group = common_checks_parser.add_mutually_exclusive_group()
@@ -244,6 +255,11 @@ Detailed documentation at https://docs.prowler.cloud
         list_group.add_argument(
             "-l", "--list-checks", action="store_true", help="List checks"
         )
+        list_group.add_argument(
+            "--list-checks-json",
+            action="store_true",
+            help="Output a list of checks in json for use with --checks-file",
+        )
         list_group.add_argument(
             "--list-services", action="store_true", help="List services"
         )
@@ -270,222 +286,3 @@ Detailed documentation at https://docs.prowler.cloud
             default=default_config_file_path,
             help="Set configuration file path",
         )
-
-    def __init_aws_parser__(self):
-        """Init the AWS Provider CLI parser"""
-        aws_parser = self.subparsers.add_parser(
-            "aws", parents=[self.common_providers_parser], help="AWS Provider"
-        )
-        # Authentication Methods
-        aws_auth_subparser = aws_parser.add_argument_group("Authentication Modes")
-        aws_auth_subparser.add_argument(
-            "-p",
-            "--profile",
-            nargs="?",
-            default=None,
-            help="AWS profile to launch prowler with",
-        )
-        aws_auth_subparser.add_argument(
-            "-R",
-            "--role",
-            nargs="?",
-            default=None,
-            help="ARN of the role to be assumed",
-            # Pending ARN validation
-        )
-        aws_auth_subparser.add_argument(
-            "--sts-endpoint-region",
-            nargs="?",
-            default=None,
-            help="Specify the AWS STS endpoint region to use. Read more at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html",
-        )
-        aws_auth_subparser.add_argument(
-            "--mfa",
-            action="store_true",
-            help="IAM entity enforces MFA so you need to input the MFA ARN and the TOTP",
-        )
-        aws_auth_subparser.add_argument(
-            "-T",
-            "--session-duration",
-            nargs="?",
-            default=3600,
-            type=int,
-            help="Assumed role session duration in seconds, must be between 900 and 43200. Default: 3600",
-            # Pending session duration validation
-        )
-        aws_auth_subparser.add_argument(
-            "-I",
-            "--external-id",
-            nargs="?",
-            default=None,
-            help="External ID to be passed when assuming role",
-        )
-        # AWS Regions
-        aws_regions_subparser = aws_parser.add_argument_group("AWS Regions")
-        aws_regions_subparser.add_argument(
-            "-f",
-            "--region",
-            "--filter-region",
-            nargs="+",
-            help="AWS region names to run Prowler against",
-            choices=get_aws_available_regions(),
-        )
-        # AWS Organizations
-        aws_orgs_subparser = aws_parser.add_argument_group("AWS Organizations")
-        aws_orgs_subparser.add_argument(
-            "-O",
-            "--organizations-role",
-            nargs="?",
-            help="Specify AWS Organizations management role ARN to be assumed, to get Organization metadata",
-        )
-        # AWS Security Hub
-        aws_security_hub_subparser = aws_parser.add_argument_group("AWS Security Hub")
-        aws_security_hub_subparser.add_argument(
-            "-S",
-            "--security-hub",
-            action="store_true",
-            help="Send check output to AWS Security Hub",
-        )
-        aws_security_hub_subparser.add_argument(
-            "--skip-sh-update",
-            action="store_true",
-            help="Skip updating previous findings of Prowler in Security Hub",
-        )
-        # AWS Quick Inventory
-        aws_quick_inventory_subparser = aws_parser.add_argument_group("Quick Inventory")
-        aws_quick_inventory_subparser.add_argument(
-            "-i",
-            "--quick-inventory",
-            action="store_true",
-            help="Run Prowler Quick Inventory. The inventory will be stored in an output csv by default",
-        )
-        # AWS Outputs
-        aws_outputs_subparser = aws_parser.add_argument_group("AWS Outputs to S3")
-        aws_outputs_bucket_parser = aws_outputs_subparser.add_mutually_exclusive_group()
-        aws_outputs_bucket_parser.add_argument(
-            "-B",
-            "--output-bucket",
-            nargs="?",
-            default=None,
-            help="Custom output bucket, requires -M <mode> and it can work also with -o flag.",
-        )
-        aws_outputs_bucket_parser.add_argument(
-            "-D",
-            "--output-bucket-no-assume",
-            nargs="?",
-            default=None,
-            help="Same as -B but do not use the assumed role credentials to put objects to the bucket, instead uses the initial credentials.",
-        )
-        aws_3rd_party_subparser = aws_parser.add_argument_group(
-            "3rd Party Integrations"
-        )
-        aws_3rd_party_subparser.add_argument(
-            "-N",
-            "--shodan",
-            nargs="?",
-            default=None,
-            help="Shodan API key used by check ec2_elastic_ip_shodan.",
-        )
-        # Allowlist
-        allowlist_subparser = aws_parser.add_argument_group("Allowlist")
-        allowlist_subparser.add_argument(
-            "-w",
-            "--allowlist-file",
-            nargs="?",
-            default=None,
-            help="Path for allowlist yaml file. See example prowler/config/allowlist.yaml for reference and format. It also accepts AWS DynamoDB Table or Lambda ARNs or S3 URIs, see more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/",
-        )
-        # Based Scans
-        aws_based_scans_subparser = aws_parser.add_argument_group("AWS Based Scans")
-        aws_based_scans_parser = (
-            aws_based_scans_subparser.add_mutually_exclusive_group()
-        )
-        aws_based_scans_parser.add_argument(
-            "--resource-tags",
-            nargs="+",
-            default=None,
-            help="Scan only resources with specific AWS Tags (Key=Value), e.g., Environment=dev Project=prowler",
-        )
-        aws_based_scans_parser.add_argument(
-            "--resource-arn",
-            nargs="+",
-            type=arn_type,
-            default=None,
-            help="Scan only resources with specific AWS Resource ARNs, e.g., arn:aws:iam::012345678910:user/test arn:aws:ec2:us-east-1:123456789012:vpc/vpc-12345678",
-        )
-
-        # Boto3 Config
-        boto3_config_subparser = aws_parser.add_argument_group("Boto3 Config")
-        boto3_config_subparser.add_argument(
-            "--aws-retries-max-attempts",
-            nargs="?",
-            default=None,
-            type=int,
-            help="Set the maximum attemps for the Boto3 standard retrier config (Default: 3)",
-        )
-
-    def __init_azure_parser__(self):
-        """Init the Azure Provider CLI parser"""
-        azure_parser = self.subparsers.add_parser(
-            "azure", parents=[self.common_providers_parser], help="Azure Provider"
-        )
-        # Authentication Modes
-        azure_auth_subparser = azure_parser.add_argument_group("Authentication Modes")
-        azure_auth_modes_group = azure_auth_subparser.add_mutually_exclusive_group()
-        azure_auth_modes_group.add_argument(
-            "--az-cli-auth",
-            action="store_true",
-            help="Use Azure cli credentials to log in against azure",
-        )
-        azure_auth_modes_group.add_argument(
-            "--sp-env-auth",
-            action="store_true",
-            help="Use service principal env variables authentication to log in against azure",
-        )
-        azure_auth_modes_group.add_argument(
-            "--browser-auth",
-            action="store_true",
-            help="Use browser authentication to log in against Azure, --tenant-id is required for this option",
-        )
-        azure_auth_modes_group.add_argument(
-            "--managed-identity-auth",
-            action="store_true",
-            help="Use managed identity authentication to log in against azure ",
-        )
-        # Subscriptions
-        azure_subscriptions_subparser = azure_parser.add_argument_group("Subscriptions")
-        azure_subscriptions_subparser.add_argument(
-            "--subscription-ids",
-            nargs="+",
-            default=[],
-            help="Azure Subscription IDs to be scanned by Prowler",
-        )
-        azure_parser.add_argument(
-            "--tenant-id",
-            nargs="?",
-            default=None,
-            help="Azure Tenant ID to be used with --browser-auth option",
-        )
-
-    def __init_gcp_parser__(self):
-        """Init the GCP Provider CLI parser"""
-        gcp_parser = self.subparsers.add_parser(
-            "gcp", parents=[self.common_providers_parser], help="GCP Provider"
-        )
-        # Authentication Modes
-        gcp_auth_subparser = gcp_parser.add_argument_group("Authentication Modes")
-        gcp_auth_modes_group = gcp_auth_subparser.add_mutually_exclusive_group()
-        gcp_auth_modes_group.add_argument(
-            "--credentials-file",
-            nargs="?",
-            metavar="FILE_PATH",
-            help="Authenticate using a Google Service Account Application Credentials JSON file",
-        )
-        # Subscriptions
-        gcp_subscriptions_subparser = gcp_parser.add_argument_group("Projects")
-        gcp_subscriptions_subparser.add_argument(
-            "--project-ids",
-            nargs="+",
-            default=[],
-            help="GCP Project IDs to be scanned by Prowler",
-        )

prowler/lib/outputs/compliance.py

@@ -18,6 +18,7 @@ from prowler.lib.outputs.models import (
     generate_csv_fields,
     unroll_list,
 )
+from prowler.lib.utils.utils import outputs_unix_timestamp
 
 
 def add_manual_controls(output_options, audit_info, file_descriptors):
@@ -67,7 +68,9 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
                             Description=compliance.Description,
                             AccountId=audit_info.audited_account,
                             Region=finding.region,
-                            AssessmentDate=timestamp.isoformat(),
+                            AssessmentDate=outputs_unix_timestamp(
+                                output_options.unix_timestamp, timestamp
+                            ),
                             Requirements_Id=requirement_id,
                             Requirements_Description=requirement_description,
                             Requirements_Attributes_IdGrupoControl=attribute.IdGrupoControl,
@@ -105,7 +108,9 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
                                     Description=compliance.Description,
                                     AccountId=audit_info.audited_account,
                                     Region=finding.region,
-                                    AssessmentDate=timestamp.isoformat(),
+                                    AssessmentDate=outputs_unix_timestamp(
+                                        output_options.unix_timestamp, timestamp
+                                    ),
                                     Requirements_Id=requirement_id,
                                     Requirements_Description=requirement_description,
                                     Requirements_Attributes_Section=attribute.Section,
@@ -131,8 +136,10 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
                                     Provider=finding.check_metadata.Provider,
                                     Description=compliance.Description,
                                     ProjectId=finding.project_id,
-                                    Location=finding.location,
-                                    AssessmentDate=timestamp.isoformat(),
+                                    Location=finding.location.lower(),
+                                    AssessmentDate=outputs_unix_timestamp(
+                                        output_options.unix_timestamp, timestamp
+                                    ),
                                     Requirements_Id=requirement_id,
                                     Requirements_Description=requirement_description,
                                     Requirements_Attributes_Section=attribute.Section,
@@ -176,7 +183,9 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
                                 Description=compliance.Description,
                                 AccountId=audit_info.audited_account,
                                 Region=finding.region,
-                                AssessmentDate=timestamp.isoformat(),
+                                AssessmentDate=outputs_unix_timestamp(
+                                    output_options.unix_timestamp, timestamp
+                                ),
                                 Requirements_Id=requirement_id,
                                 Requirements_Description=requirement_description,
                                 Requirements_Attributes_Name=attribute.Name,
@@ -221,7 +230,9 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
                                 Description=compliance.Description,
                                 AccountId=audit_info.audited_account,
                                 Region=finding.region,
-                                AssessmentDate=timestamp.isoformat(),
+                                AssessmentDate=outputs_unix_timestamp(
+                                    output_options.unix_timestamp, timestamp
+                                ),
                                 Requirements_Id=requirement_id,
                                 Requirements_Name=requirement_name,
                                 Requirements_Description=requirement_description,
@@ -268,7 +279,9 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
                             Description=compliance.Description,
                             AccountId=audit_info.audited_account,
                             Region=finding.region,
-                            AssessmentDate=timestamp.isoformat(),
+                            AssessmentDate=outputs_unix_timestamp(
+                                output_options.unix_timestamp, timestamp
+                            ),
                             Requirements_Id=requirement_id,
                             Requirements_Description=requirement_description,
                             Requirements_Name=requirement_name,
@@ -308,7 +321,9 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
                                 Description=compliance.Description,
                                 AccountId=audit_info.audited_account,
                                 Region=finding.region,
-                                AssessmentDate=timestamp.isoformat(),
+                                AssessmentDate=outputs_unix_timestamp(
+                                    output_options.unix_timestamp, timestamp
+                                ),
                                 Requirements_Id=requirement_id,
                                 Requirements_Description=requirement_description,
                                 Requirements_Attributes_Section=attribute.Section,

prowler/lib/outputs/html.py

@@ -181,7 +181,7 @@ def fill_html(file_descriptor, finding, output_options):
                     <td>{finding.status}</td>
                     <td>{finding.check_metadata.Severity}</td>
                     <td>{finding.check_metadata.ServiceName}</td>
-                    <td>{finding.location if isinstance(finding, Check_Report_GCP) else finding.region if isinstance(finding, Check_Report_AWS) else ""}</td>
+                    <td>{finding.location.lower() if isinstance(finding, Check_Report_GCP) else finding.region if isinstance(finding, Check_Report_AWS) else ""}</td>
                     <td>{finding.check_metadata.CheckID.replace("_", "<wbr>_")}</td>
                     <td>{finding.check_metadata.CheckTitle}</td>
                     <td>{finding.resource_id.replace("<", "&lt;").replace(">", "&gt;").replace("_", "<wbr>_")}</td>
@@ -345,7 +345,7 @@ def get_aws_html_assessment_summary(audit_info):
             elif not audit_info.audited_regions:
                 audited_regions = "All Regions"
             else:
-                audited_regions = audit_info.audited_regions
+                audited_regions = ", ".join(audit_info.audited_regions)
             return (
                 """
             <div class="col-md-2">

prowler/lib/outputs/json.py

@@ -30,7 +30,7 @@ from prowler.lib.outputs.models import (
     get_check_compliance,
     unroll_dict_to_list,
 )
-from prowler.lib.utils.utils import hash_sha512, open_file
+from prowler.lib.utils.utils import hash_sha512, open_file, outputs_unix_timestamp
 
 
 def fill_json_asff(finding_output, audit_info, finding, output_options):
@@ -63,12 +63,14 @@ def fill_json_asff(finding_output, audit_info, finding, output_options):
             if len(finding.status_extended) > 1000
             else finding.status_extended
         )
+        resource_tags = generate_json_asff_resource_tags(finding.resource_tags)
         finding_output.Resources = [
             Resource(
                 Id=finding.resource_arn,
                 Type=finding.check_metadata.ResourceType,
                 Partition=audit_info.audited_partition,
                 Region=finding.region,
+                Tags=resource_tags,
             )
         ]
         # Iterate for each compliance framework
@@ -121,6 +123,26 @@ def generate_json_asff_status(status: str) -> str:
     return json_asff_status
 
 
+def generate_json_asff_resource_tags(tags):
+    try:
+        resource_tags = {}
+        if tags and tags != [None]:
+            for tag in tags:
+                if "Key" in tag and "Value" in tag:
+                    resource_tags[tag["Key"]] = tag["Value"]
+                else:
+                    resource_tags.update(tag)
+            if len(resource_tags) == 0:
+                return None
+        else:
+            return None
+        return resource_tags
+    except Exception as error:
+        logger.error(
+            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+        )
+
+
 def fill_json_ocsf(audit_info, finding, output_options) -> Check_Output_JSON_OCSF:
     try:
         resource_region = ""
@@ -166,7 +188,7 @@ def fill_json_ocsf(audit_info, finding, output_options) -> Check_Output_JSON_OCS
             finding_uid = f"prowler-{finding.check_metadata.Provider}-{finding.check_metadata.CheckID}-{finding.subscription}-{finding.resource_id}"
         elif finding.check_metadata.Provider == "gcp":
             project_uid = finding.project_id
-            resource_region = finding.location
+            resource_region = finding.location.lower()
             resource_name = finding.resource_name
             resource_uid = finding.resource_id
             finding_uid = f"prowler-{finding.check_metadata.Provider}-{finding.check_metadata.CheckID}-{finding.project_id}-{finding.resource_id}"
@@ -224,7 +246,9 @@ def fill_json_ocsf(audit_info, finding, output_options) -> Check_Output_JSON_OCS
                     name=finding.check_metadata.CheckID,
                 )
             ),
-            original_time=timestamp.isoformat(),
+            original_time=outputs_unix_timestamp(
+                output_options.unix_timestamp, timestamp
+            ),
             profiles=[audit_info.profile]
             if hasattr(audit_info, "organizations_metadata")
             else [],
@@ -249,7 +273,7 @@ def fill_json_ocsf(audit_info, finding, output_options) -> Check_Output_JSON_OCS
             status_id=generate_json_ocsf_status_id(finding.status),
             compliance=compliance,
             cloud=cloud,
-            time=timestamp.isoformat(),
+            time=outputs_unix_timestamp(output_options.unix_timestamp, timestamp),
             metadata=metadata,
         )
         return finding_output

prowler/lib/outputs/models.py

@@ -9,6 +9,7 @@ from pydantic import BaseModel
 from prowler.config.config import prowler_version, timestamp
 from prowler.lib.check.models import Remediation
 from prowler.lib.logger import logger
+from prowler.lib.utils.utils import outputs_unix_timestamp
 from prowler.providers.aws.lib.audit_info.models import AWS_Organizations_Info
 
 
@@ -47,7 +48,7 @@ def generate_provider_output_csv(
         finding_output_model = f"{provider.capitalize()}_Check_Output_{mode.upper()}"
         output_model = getattr(importlib.import_module(__name__), finding_output_model)
         # Fill common data among providers
-        data = fill_common_data_csv(finding)
+        data = fill_common_data_csv(finding, output_options.unix_timestamp)
 
         if provider == "azure":
             data["resource_id"] = finding.resource_id
@@ -66,7 +67,7 @@ def generate_provider_output_csv(
             data["resource_id"] = finding.resource_id
             data["resource_name"] = finding.resource_name
             data["project_id"] = finding.project_id
-            data["location"] = finding.location
+            data["location"] = finding.location.lower()
             data[
                 "finding_unique_id"
             ] = f"prowler-{provider}-{finding.check_metadata.CheckID}-{finding.project_id}-{finding.resource_id}"
@@ -120,9 +121,9 @@ def generate_provider_output_csv(
         return csv_writer, finding_output
 
 
-def fill_common_data_csv(finding: dict) -> dict:
+def fill_common_data_csv(finding: dict, unix_timestamp: bool) -> dict:
     data = {
-        "assessment_start_time": timestamp.isoformat(),
+        "assessment_start_time": outputs_unix_timestamp(unix_timestamp, timestamp),
         "finding_unique_id": "",
         "provider": finding.check_metadata.Provider,
         "check_id": finding.check_metadata.CheckID,
@@ -360,7 +361,9 @@ def generate_provider_output_json(
         # Instantiate the class for the cloud provider
         finding_output = output_model(**finding.check_metadata.dict())
         # Fill common fields
-        finding_output.AssessmentStartTime = timestamp.isoformat()
+        finding_output.AssessmentStartTime = outputs_unix_timestamp(
+            output_options.unix_timestamp, timestamp
+        )
         finding_output.Status = finding.status
         finding_output.StatusExtended = finding.status_extended
         finding_output.ResourceDetails = finding.resource_details
@@ -377,7 +380,7 @@ def generate_provider_output_json(
 
         if provider == "gcp":
             finding_output.ProjectId = finding.project_id
-            finding_output.Location = finding.location
+            finding_output.Location = finding.location.lower()
             finding_output.ResourceId = finding.resource_id
             finding_output.ResourceName = finding.resource_name
             finding_output.FindingUniqueId = f"prowler-{provider}-{finding.check_metadata.CheckID}-{finding.project_id}-{finding.resource_id}"
@@ -680,6 +683,7 @@ class Resource(BaseModel):
     Id: str
     Partition: str
     Region: str
+    Tags: Optional[dict]
 
 
 class Compliance(BaseModel):
@@ -690,7 +694,7 @@ class Compliance(BaseModel):
 
 class Check_Output_JSON_ASFF(BaseModel):
     """
-    Check_Output_JSON_ASFF generates a finding's output in JSON ASFF format.
+    Check_Output_JSON_ASFF generates a finding's output in JSON ASFF format: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-syntax.html
     """
 
     SchemaVersion: str = "2018-10-08"

prowler/lib/outputs/outputs.py

@@ -1,17 +1,8 @@
 import json
-import sys
 
 from colorama import Fore, Style
 
-from prowler.config.config import (
-    available_compliance_frameworks,
-    csv_file_suffix,
-    html_file_suffix,
-    json_asff_file_suffix,
-    json_file_suffix,
-    json_ocsf_file_suffix,
-    orange_color,
-)
+from prowler.config.config import available_compliance_frameworks, orange_color
 from prowler.lib.logger import logger
 from prowler.lib.outputs.compliance import add_manual_controls, fill_compliance
 from prowler.lib.outputs.file_descriptors import fill_file_descriptors
@@ -21,11 +12,8 @@ from prowler.lib.outputs.models import (
     Check_Output_JSON_ASFF,
     generate_provider_output_csv,
     generate_provider_output_json,
-    unroll_tags,
 )
-from prowler.providers.aws.lib.allowlist.allowlist import is_allowlisted
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
-from prowler.providers.aws.lib.security_hub.security_hub import send_to_security_hub
 from prowler.providers.azure.lib.audit_info.models import Azure_Audit_Info
 
 
@@ -35,7 +23,7 @@ def stdout_report(finding, color, verbose, is_quiet):
     if finding.check_metadata.Provider == "azure":
         details = finding.check_metadata.ServiceName
     if finding.check_metadata.Provider == "gcp":
-        details = finding.location
+        details = finding.location.lower()
 
     if verbose and not (is_quiet and finding.status != "FAIL"):
         print(
@@ -45,38 +33,27 @@ def stdout_report(finding, color, verbose, is_quiet):
 
 def report(check_findings, output_options, audit_info):
     try:
-        # TO-DO Generic Function
-        if isinstance(audit_info, AWS_Audit_Info):
-            check_findings.sort(key=lambda x: x.region)
-
-        if isinstance(audit_info, Azure_Audit_Info):
-            check_findings.sort(key=lambda x: x.subscription)
-
-        # Generate the required output files
         file_descriptors = {}
-        if output_options.output_modes:
-            # if isinstance(audit_info, AWS_Audit_Info):
-            # We have to create the required output files
-            file_descriptors = fill_file_descriptors(
-                output_options.output_modes,
-                output_options.output_directory,
-                output_options.output_filename,
-                audit_info,
-            )
-
         if check_findings:
+            # TO-DO Generic Function
+            if isinstance(audit_info, AWS_Audit_Info):
+                check_findings.sort(key=lambda x: x.region)
+
+            if isinstance(audit_info, Azure_Audit_Info):
+                check_findings.sort(key=lambda x: x.subscription)
+
+            # Generate the required output files
+            if output_options.output_modes:
+                # if isinstance(audit_info, AWS_Audit_Info):
+                # We have to create the required output files
+                file_descriptors = fill_file_descriptors(
+                    output_options.output_modes,
+                    output_options.output_directory,
+                    output_options.output_filename,
+                    audit_info,
+                )
+
             for finding in check_findings:
-                # Check if finding is allowlisted
-                if output_options.allowlist_file:
-                    if is_allowlisted(
-                        output_options.allowlist_file,
-                        audit_info.audited_account,
-                        finding.check_metadata.CheckID,
-                        finding.region,
-                        finding.resource_id,
-                        unroll_tags(finding.resource_tags),
-                    ):
-                        finding.status = "WARNING"
                 # Print findings by stdout
                 color = set_report_color(finding.status)
                 stdout_report(
@@ -102,6 +79,7 @@ def report(check_findings, output_options, audit_info):
                                 audit_info,
                                 file_descriptors,
                             )
+
                         # AWS specific outputs
                         if finding.check_metadata.Provider == "aws":
                             if "json-asff" in file_descriptors:
@@ -111,25 +89,12 @@ def report(check_findings, output_options, audit_info):
                                 )
 
                                 json.dump(
-                                    finding_output.dict(),
+                                    finding_output.dict(exclude_none=True),
                                     file_descriptors["json-asff"],
                                     indent=4,
                                 )
                                 file_descriptors["json-asff"].write(",")
 
-                            # Check if it is needed to send findings to security hub
-                            if (
-                                output_options.security_hub_enabled
-                                and finding.status != "INFO"
-                            ):
-                                send_to_security_hub(
-                                    output_options.is_quiet,
-                                    finding.status,
-                                    finding.region,
-                                    finding_output,
-                                    audit_info.audit_session,
-                                )
-
                         # Common outputs
                         if "html" in file_descriptors:
                             fill_html(file_descriptors["html"], finding, output_options)
@@ -209,41 +174,6 @@ def set_report_color(status: str) -> str:
     return color
 
 
-def send_to_s3_bucket(
-    output_filename, output_directory, output_mode, output_bucket, audit_session
-):
-    try:
-        filename = ""
-        # Get only last part of the path
-        if output_mode == "csv":
-            filename = f"{output_filename}{csv_file_suffix}"
-        elif output_mode == "json":
-            filename = f"{output_filename}{json_file_suffix}"
-        elif output_mode == "json-asff":
-            filename = f"{output_filename}{json_asff_file_suffix}"
-        elif output_mode == "json-ocsf":
-            filename = f"{output_filename}{json_ocsf_file_suffix}"
-        elif output_mode == "html":
-            filename = f"{output_filename}{html_file_suffix}"
-        else:  # Compliance output mode
-            filename = f"{output_filename}_{output_mode}{csv_file_suffix}"
-        logger.info(f"Sending outputs to S3 bucket {output_bucket}")
-        bucket_remote_dir = output_directory
-        while "prowler/" in bucket_remote_dir:  # Check if it is not a custom directory
-            bucket_remote_dir = bucket_remote_dir.partition("prowler/")[-1]
-        file_name = output_directory + "/" + filename
-        bucket_name = output_bucket
-        object_name = bucket_remote_dir + "/" + output_mode + "/" + filename
-        s3_client = audit_session.client("s3")
-        s3_client.upload_file(file_name, bucket_name, object_name)
-
-    except Exception as error:
-        logger.critical(
-            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
-        )
-        sys.exit(1)
-
-
 def extract_findings_statistics(findings: list) -> dict:
     """
     extract_findings_statistics takes a list of findings and returns the following dict with the aggregated statistics

prowler/lib/utils/utils.py

@@ -2,11 +2,12 @@ import json
 import os
 import sys
 import tempfile
+from datetime import datetime
 from hashlib import sha512
 from io import TextIOWrapper
 from ipaddress import ip_address
 from os.path import exists
-from typing import Any
+from time import mktime
 
 from detect_secrets import SecretsCollection
 from detect_secrets.settings import default_settings
@@ -15,15 +16,18 @@ from prowler.lib.logger import logger
 
 
 def open_file(input_file: str, mode: str = "r") -> TextIOWrapper:
+    """open_file returns a handler to the file using the specified mode."""
     try:
         f = open(input_file, mode)
-    except OSError as ose:
-        if ose.strerror == "Too many open files":
+    except OSError as os_error:
+        if os_error.strerror == "Too many open files":
             logger.critical(
                 "Ooops! You reached your user session maximum open files. To solve this issue, increase the shell session limit by running this command `ulimit -n 4096`. For more info visit https://docs.prowler.cloud/en/latest/troubleshooting/"
             )
         else:
-            logger.critical(f"{input_file}: OSError[{ose.errno}] {ose.strerror}")
+            logger.critical(
+                f"{input_file}: OSError[{os_error.errno}] {os_error.strerror}"
+            )
         sys.exit(1)
     except Exception as e:
         logger.critical(
@@ -34,8 +38,8 @@ def open_file(input_file: str, mode: str = "r") -> TextIOWrapper:
         return f
 
 
-# Parse checks from file
-def parse_json_file(input_file: TextIOWrapper) -> Any:
+def parse_json_file(input_file: TextIOWrapper) -> dict:
+    """parse_json_file loads a JSON file and returns a dictionary with the JSON content."""
     try:
         json_file = json.load(input_file)
     except Exception as e:
@@ -47,21 +51,21 @@ def parse_json_file(input_file: TextIOWrapper) -> Any:
         return json_file
 
 
-# check if file exists
 def file_exists(filename: str):
+    """file_exists returns True if the given file exists, otherwise returns False."""
     try:
         exists_filename = exists(filename)
     except Exception as e:
         logger.critical(
-            f"{exists_filename.name}: {e.__class__.__name__}[{e.__traceback__.tb_lineno}]"
+            f"{filename}: {e.__class__.__name__}[{e.__traceback__.tb_lineno}]"
         )
         sys.exit(1)
     else:
         return exists_filename
 
 
-# create sha512 hash for string
 def hash_sha512(string: str) -> str:
+    """hash_sha512 returns the first 9 bytes of the SHA512 representation for the given string."""
     return sha512(string.encode("utf-8")).hexdigest()[0:9]
 
 
@@ -83,8 +87,18 @@ def detect_secrets_scan(data):
 
 
 def validate_ip_address(ip_string):
+    """validate_ip_address return True if the IP is valid, otherwise returns False."""
     try:
         ip_address(ip_string)
         return True
     except ValueError:
         return False
+
+
+def outputs_unix_timestamp(is_unix_timestamp: bool, timestamp: datetime):
+    """outputs_unix_timestamp returns the epoch representation of the timestamp if the is_unix_timestamp is True, otherwise returns the ISO representation."""
+    if is_unix_timestamp:
+        timestamp = int(mktime(timestamp.timetuple()))
+    else:
+        timestamp = timestamp.isoformat()
+    return timestamp

prowler/providers/aws/aws_provider.py

@@ -12,6 +12,7 @@ from prowler.lib.logger import logger
 from prowler.lib.utils.utils import open_file, parse_json_file
 from prowler.providers.aws.config import AWS_STS_GLOBAL_ENDPOINT_REGION
 from prowler.providers.aws.lib.audit_info.models import AWS_Assume_Role, AWS_Audit_Info
+from prowler.providers.aws.lib.credentials.credentials import create_sts_session
 
 
 ################## AWS PROVIDER
@@ -131,7 +132,7 @@ def assume_role(
         if sts_endpoint_region is None:
             sts_endpoint_region = AWS_STS_GLOBAL_ENDPOINT_REGION
 
-        sts_client = session.client("sts", sts_endpoint_region)
+        sts_client = create_sts_session(session, sts_endpoint_region)
         assumed_credentials = sts_client.assume_role(**assume_role_arguments)
     except Exception as error:
         logger.critical(
@@ -195,6 +196,7 @@ def get_aws_available_regions():
 def get_checks_from_input_arn(audit_resources: list, provider: str) -> set:
     """get_checks_from_input_arn gets the list of checks from the input arns"""
     checks_from_arn = set()
+    is_subservice_in_checks = False
     # Handle if there are audit resources so only their services are executed
     if audit_resources:
         services_without_subservices = ["guardduty", "kms", "s3", "elb", "efs"]
@@ -246,21 +248,23 @@ def get_checks_from_input_arn(audit_resources: list, provider: str) -> set:
             if any(sub_service in check for sub_service in sub_service_list):
                 if not (sub_service == "policy" and "password_policy" in check):
                     checks_from_arn.add(check)
+                    is_subservice_in_checks = True
+
+        if not is_subservice_in_checks:
+            checks_from_arn = checks
 
     # Return final checks list
     return sorted(checks_from_arn)
 
 
-def get_regions_from_audit_resources(audit_resources: list) -> list:
+def get_regions_from_audit_resources(audit_resources: list) -> set:
     """get_regions_from_audit_resources gets the regions from the audit resources arns"""
-    audited_regions = []
+    audited_regions = set()
     for resource in audit_resources:
         region = resource.split(":")[3]
-        if region and region not in audited_regions:  # Check if arn has a region
-            audited_regions.append(region)
-    if audited_regions:
-        return audited_regions
-    return None
+        if region:
+            audited_regions.add(region)
+    return audited_regions
 
 
 def get_available_aws_service_regions(service: str, audit_info: AWS_Audit_Info) -> list:

prowler/providers/aws/lib/allowlist/allowlist.py

@@ -1,11 +1,13 @@
 import re
 import sys
+from typing import Any
 
 import yaml
 from boto3.dynamodb.conditions import Attr
 from schema import Optional, Schema
 
 from prowler.lib.logger import logger
+from prowler.lib.outputs.models import unroll_tags
 
 allowlist_schema = Schema(
     {
@@ -113,7 +115,33 @@ def parse_allowlist_file(audit_info, allowlist_file):
         sys.exit(1)
 
 
-def is_allowlisted(allowlist, audited_account, check, region, resource, tags):
+def allowlist_findings(
+    allowlist: dict,
+    audited_account: str,
+    check_findings: [Any],
+):
+    # Check if finding is allowlisted
+    for finding in check_findings:
+        if is_allowlisted(
+            allowlist,
+            audited_account,
+            finding.check_metadata.CheckID,
+            finding.region,
+            finding.resource_id,
+            unroll_tags(finding.resource_tags),
+        ):
+            finding.status = "WARNING"
+    return check_findings
+
+
+def is_allowlisted(
+    allowlist: dict,
+    audited_account: str,
+    check: str,
+    finding_region: str,
+    finding_resource: str,
+    finding_tags,
+):
     try:
         allowlisted_checks = {}
         # By default is not allowlisted
@@ -127,15 +155,15 @@ def is_allowlisted(allowlist, audited_account, check, region, resource, tags):
         if "*" in allowlist["Accounts"]:
             checks_multi_account = allowlist["Accounts"]["*"]["Checks"]
             allowlisted_checks.update(checks_multi_account)
+
         # Test if it is allowlisted
         if is_allowlisted_in_check(
             allowlisted_checks,
             audited_account,
-            audited_account,
             check,
-            region,
-            resource,
-            tags,
+            finding_region,
+            finding_resource,
+            finding_tags,
         ):
             is_finding_allowlisted = True
 
@@ -148,23 +176,29 @@ def is_allowlisted(allowlist, audited_account, check, region, resource, tags):
 
 
 def is_allowlisted_in_check(
-    allowlisted_checks, audited_account, account, check, region, resource, tags
+    allowlisted_checks,
+    audited_account,
+    check,
+    finding_region,
+    finding_resource,
+    finding_tags,
 ):
     try:
         # Default value is not allowlisted
         is_check_allowlisted = False
+
         for allowlisted_check, allowlisted_check_info in allowlisted_checks.items():
             # map lambda to awslambda
             allowlisted_check = re.sub("^lambda", "awslambda", allowlisted_check)
-            # extract the exceptions
+
+            # Check if the finding is excepted
             exceptions = allowlisted_check_info.get("Exceptions")
-            # Check if there are exceptions
             if is_excepted(
                 exceptions,
                 audited_account,
-                region,
-                resource,
-                tags,
+                finding_region,
+                finding_resource,
+                finding_tags,
             ):
                 # Break loop and return default value since is excepted
                 break
@@ -178,13 +212,27 @@ def is_allowlisted_in_check(
                 or check == allowlisted_check
                 or re.search(allowlisted_check, check)
             ):
-                if is_allowlisted_in_region(
-                    allowlisted_regions,
-                    allowlisted_resources,
-                    allowlisted_tags,
-                    region,
-                    resource,
-                    tags,
+                allowlisted_in_check = True
+                allowlisted_in_region = is_allowlisted_in_region(
+                    allowlisted_regions, finding_region
+                )
+                allowlisted_in_resource = is_allowlisted_in_resource(
+                    allowlisted_resources, finding_resource
+                )
+                allowlisted_in_tags = is_allowlisted_in_tags(
+                    allowlisted_tags, finding_tags
+                )
+
+                # For a finding to be allowlisted requires the following set to True:
+                # - allowlisted_in_check -> True
+                # - allowlisted_in_region -> True
+                # - allowlisted_in_tags -> True or allowlisted_in_resource -> True
+                # - excepted -> False
+
+                if (
+                    allowlisted_in_check
+                    and allowlisted_in_region
+                    and (allowlisted_in_tags or allowlisted_in_resource)
                 ):
                     is_check_allowlisted = True
 
@@ -197,25 +245,11 @@ def is_allowlisted_in_check(
 
 
 def is_allowlisted_in_region(
-    allowlist_regions, allowlist_resources, allowlisted_tags, region, resource, tags
+    allowlisted_regions,
+    finding_region,
 ):
     try:
-        # By default is not allowlisted
-        is_region_allowlisted = False
-        # If there is a *, it affects to all regions
-        if "*" in allowlist_regions or region in allowlist_regions:
-            for elem in allowlist_resources:
-                if is_allowlisted_in_tags(
-                    allowlisted_tags,
-                    elem,
-                    resource,
-                    tags,
-                ):
-                    is_region_allowlisted = True
-                    # if we find the element there is no point in continuing with the loop
-                    break
-
-            return is_region_allowlisted
+        return __is_item_matched__(allowlisted_regions, finding_region)
     except Exception as error:
         logger.critical(
             f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
@@ -223,25 +257,9 @@ def is_allowlisted_in_region(
         sys.exit(1)
 
 
-def is_allowlisted_in_tags(allowlisted_tags, elem, resource, tags):
+def is_allowlisted_in_tags(allowlisted_tags, finding_tags):
     try:
-        # By default is not allowlisted
-        is_tag_allowlisted = False
-        # Check if it is an *
-        if elem == "*":
-            elem = ".*"
-        # Check if there are allowlisted tags
-        if allowlisted_tags:
-            for allowlisted_tag in allowlisted_tags:
-                if re.search(allowlisted_tag, tags):
-                    is_tag_allowlisted = True
-                    break
-
-        else:
-            if re.search(elem, resource):
-                is_tag_allowlisted = True
-
-        return is_tag_allowlisted
+        return __is_item_matched__(allowlisted_tags, finding_tags)
     except Exception as error:
         logger.critical(
             f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
@@ -249,7 +267,25 @@ def is_allowlisted_in_tags(allowlisted_tags, elem, resource, tags):
         sys.exit(1)
 
 
-def is_excepted(exceptions, audited_account, region, resource, tags):
+def is_allowlisted_in_resource(allowlisted_resources, finding_resource):
+    try:
+        return __is_item_matched__(allowlisted_resources, finding_resource)
+
+    except Exception as error:
+        logger.critical(
+            f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
+        )
+        sys.exit(1)
+
+
+def is_excepted(
+    exceptions,
+    audited_account,
+    finding_region,
+    finding_resource,
+    finding_tags,
+):
+    """is_excepted returns True if the account, region, resource and tags are excepted"""
     try:
         excepted = False
         is_account_excepted = False
@@ -258,39 +294,50 @@ def is_excepted(exceptions, audited_account, region, resource, tags):
         is_tag_excepted = False
         if exceptions:
             excepted_accounts = exceptions.get("Accounts", [])
+            is_account_excepted = __is_item_matched__(
+                excepted_accounts, audited_account
+            )
+
             excepted_regions = exceptions.get("Regions", [])
+            is_region_excepted = __is_item_matched__(excepted_regions, finding_region)
+
             excepted_resources = exceptions.get("Resources", [])
+            is_resource_excepted = __is_item_matched__(
+                excepted_resources, finding_resource
+            )
+
             excepted_tags = exceptions.get("Tags", [])
-            if exceptions:
-                if audited_account in excepted_accounts:
-                    is_account_excepted = True
-                if region in excepted_regions:
-                    is_region_excepted = True
-                for excepted_resource in excepted_resources:
-                    if re.search(excepted_resource, resource):
-                        is_resource_excepted = True
-                for tag in excepted_tags:
-                    if tag in tags:
-                        is_tag_excepted = True
-                if (
-                    (
-                        (excepted_accounts and is_account_excepted)
-                        or not excepted_accounts
-                    )
-                    and (
-                        (excepted_regions and is_region_excepted)
-                        or not excepted_regions
-                    )
-                    and (
-                        (excepted_resources and is_resource_excepted)
-                        or not excepted_resources
-                    )
-                    and ((excepted_tags and is_tag_excepted) or not excepted_tags)
-                ):
-                    excepted = True
+            is_tag_excepted = __is_item_matched__(excepted_tags, finding_tags)
+
+            if (
+                is_account_excepted
+                and is_region_excepted
+                and is_resource_excepted
+                and is_tag_excepted
+            ):
+                excepted = True
         return excepted
     except Exception as error:
         logger.critical(
             f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
         )
         sys.exit(1)
+
+
+def __is_item_matched__(matched_items, finding_items):
+    """__is_item_matched__ return True if any of the matched_items are present in the finding_items, otherwise returns False."""
+    try:
+        is_item_matched = False
+        if matched_items and (finding_items or finding_items == ""):
+            for item in matched_items:
+                if item == "*":
+                    item = ".*"
+                if re.search(item, finding_items):
+                    is_item_matched = True
+                    break
+        return is_item_matched
+    except Exception as error:
+        logger.critical(
+            f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
+        )
+        sys.exit(1)

prowler/providers/aws/lib/arguments/arguments.py

@@ -0,0 +1,186 @@
+from argparse import ArgumentTypeError, Namespace
+
+from prowler.providers.aws.aws_provider import get_aws_available_regions
+from prowler.providers.aws.lib.arn.arn import arn_type
+
+
+def init_parser(self):
+    """Init the AWS Provider CLI parser"""
+    aws_parser = self.subparsers.add_parser(
+        "aws", parents=[self.common_providers_parser], help="AWS Provider"
+    )
+    # Authentication Methods
+    aws_auth_subparser = aws_parser.add_argument_group("Authentication Modes")
+    aws_auth_subparser.add_argument(
+        "-p",
+        "--profile",
+        nargs="?",
+        default=None,
+        help="AWS profile to launch prowler with",
+    )
+    aws_auth_subparser.add_argument(
+        "-R",
+        "--role",
+        nargs="?",
+        default=None,
+        help="ARN of the role to be assumed",
+        # Pending ARN validation
+    )
+    aws_auth_subparser.add_argument(
+        "--sts-endpoint-region",
+        nargs="?",
+        default=None,
+        help="Specify the AWS STS endpoint region to use. Read more at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html",
+    )
+    aws_auth_subparser.add_argument(
+        "--mfa",
+        action="store_true",
+        help="IAM entity enforces MFA so you need to input the MFA ARN and the TOTP",
+    )
+    aws_auth_subparser.add_argument(
+        "-T",
+        "--session-duration",
+        nargs="?",
+        default=3600,
+        type=validate_session_duration,
+        help="Assumed role session duration in seconds, must be between 900 and 43200. Default: 3600",
+        # Pending session duration validation
+    )
+    aws_auth_subparser.add_argument(
+        "-I",
+        "--external-id",
+        nargs="?",
+        default=None,
+        help="External ID to be passed when assuming role",
+    )
+    # AWS Regions
+    aws_regions_subparser = aws_parser.add_argument_group("AWS Regions")
+    aws_regions_subparser.add_argument(
+        "-f",
+        "--region",
+        "--filter-region",
+        nargs="+",
+        help="AWS region names to run Prowler against",
+        choices=get_aws_available_regions(),
+    )
+    # AWS Organizations
+    aws_orgs_subparser = aws_parser.add_argument_group("AWS Organizations")
+    aws_orgs_subparser.add_argument(
+        "-O",
+        "--organizations-role",
+        nargs="?",
+        help="Specify AWS Organizations management role ARN to be assumed, to get Organization metadata",
+    )
+    # AWS Security Hub
+    aws_security_hub_subparser = aws_parser.add_argument_group("AWS Security Hub")
+    aws_security_hub_subparser.add_argument(
+        "-S",
+        "--security-hub",
+        action="store_true",
+        help="Send check output to AWS Security Hub",
+    )
+    aws_security_hub_subparser.add_argument(
+        "--skip-sh-update",
+        action="store_true",
+        help="Skip updating previous findings of Prowler in Security Hub",
+    )
+    # AWS Quick Inventory
+    aws_quick_inventory_subparser = aws_parser.add_argument_group("Quick Inventory")
+    aws_quick_inventory_subparser.add_argument(
+        "-i",
+        "--quick-inventory",
+        action="store_true",
+        help="Run Prowler Quick Inventory. The inventory will be stored in an output csv by default",
+    )
+    # AWS Outputs
+    aws_outputs_subparser = aws_parser.add_argument_group("AWS Outputs to S3")
+    aws_outputs_bucket_parser = aws_outputs_subparser.add_mutually_exclusive_group()
+    aws_outputs_bucket_parser.add_argument(
+        "-B",
+        "--output-bucket",
+        nargs="?",
+        default=None,
+        help="Custom output bucket, requires -M <mode> and it can work also with -o flag.",
+    )
+    aws_outputs_bucket_parser.add_argument(
+        "-D",
+        "--output-bucket-no-assume",
+        nargs="?",
+        default=None,
+        help="Same as -B but do not use the assumed role credentials to put objects to the bucket, instead uses the initial credentials.",
+    )
+    aws_3rd_party_subparser = aws_parser.add_argument_group("3rd Party Integrations")
+    aws_3rd_party_subparser.add_argument(
+        "-N",
+        "--shodan",
+        nargs="?",
+        default=None,
+        help="Shodan API key used by check ec2_elastic_ip_shodan.",
+    )
+    # Allowlist
+    allowlist_subparser = aws_parser.add_argument_group("Allowlist")
+    allowlist_subparser.add_argument(
+        "-w",
+        "--allowlist-file",
+        nargs="?",
+        default=None,
+        help="Path for allowlist yaml file. See example prowler/config/aws_allowlist.yaml for reference and format. It also accepts AWS DynamoDB Table or Lambda ARNs or S3 URIs, see more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/",
+    )
+    # Based Scans
+    aws_based_scans_subparser = aws_parser.add_argument_group("AWS Based Scans")
+    aws_based_scans_parser = aws_based_scans_subparser.add_mutually_exclusive_group()
+    aws_based_scans_parser.add_argument(
+        "--resource-tags",
+        nargs="+",
+        default=None,
+        help="Scan only resources with specific AWS Tags (Key=Value), e.g., Environment=dev Project=prowler",
+    )
+    aws_based_scans_parser.add_argument(
+        "--resource-arn",
+        nargs="+",
+        type=arn_type,
+        default=None,
+        help="Scan only resources with specific AWS Resource ARNs, e.g., arn:aws:iam::012345678910:user/test arn:aws:ec2:us-east-1:123456789012:vpc/vpc-12345678",
+    )
+
+    # Boto3 Config
+    boto3_config_subparser = aws_parser.add_argument_group("Boto3 Config")
+    boto3_config_subparser.add_argument(
+        "--aws-retries-max-attempts",
+        nargs="?",
+        default=None,
+        type=int,
+        help="Set the maximum attemps for the Boto3 standard retrier config (Default: 3)",
+    )
+
+    # Ignore Unused Services
+    ignore_unused_services_subparser = aws_parser.add_argument_group(
+        "Ignore Unused Services"
+    )
+    ignore_unused_services_subparser.add_argument(
+        "--ignore-unused-services",
+        action="store_true",
+        help="Ignore findings in unused services",
+    )
+
+
+def validate_session_duration(duration):
+    """validate_session_duration validates that the AWS STS Assume Role Session Duration is between 900 and 43200 seconds."""
+    duration = int(duration)
+    # Since the range(i,j) goes from i to j-1 we have to j+1
+    if duration not in range(900, 43201):
+        raise ArgumentTypeError("Session duration must be between 900 and 43200")
+    return duration
+
+
+def validate_arguments(arguments: Namespace) -> tuple[bool, str]:
+    """validate_arguments returns {True, "} if the provider arguments passed are valid and can be used together. It performs an extra validation, specific for the AWS provider, apart from the argparse lib."""
+
+    # Handle if session_duration is not the default value or external_id is set
+    if (
+        arguments.session_duration and arguments.session_duration != 3600
+    ) or arguments.external_id:
+        if not arguments.role:
+            return (False, "To use -I/-T options -R option is needed")
+
+    return (True, "")

prowler/providers/aws/lib/arn/arn.py

@@ -1,5 +1,5 @@
 import re
-from argparse import ArgumentError
+from argparse import ArgumentTypeError
 
 from prowler.providers.aws.lib.arn.error import (
     RoleArnParsingEmptyResource,
@@ -15,7 +15,7 @@ from prowler.providers.aws.lib.arn.models import ARN
 def arn_type(arn: str) -> bool:
     """arn_type returns a string ARN if it is valid and raises an argparse.ArgumentError if not."""
     if not is_valid_arn(arn):
-        raise ArgumentError("Invalid ARN")
+        raise ArgumentTypeError(f"Invalid ARN {arn}")
     return arn
 
 
@@ -55,5 +55,5 @@ def parse_iam_credentials_arn(arn: str) -> ARN:
 
 def is_valid_arn(arn: str) -> bool:
     """is_valid_arn returns True or False whether the given AWS ARN (Amazon Resource Name) is valid or not."""
-    regex = r"^arn:aws(-cn|-us-gov|-iso|-iso-b)?:[a-zA-Z0-9\-]+:([a-z]{2}-[a-z]+-\d{1})?:(\d{12})?:[a-zA-Z0-9\-_\/:]+(:\d+)?$"
+    regex = r"^arn:aws(-cn|-us-gov|-iso|-iso-b)?:[a-zA-Z0-9\-]+:([a-z]{2}-[a-z]+-\d{1})?:(\d{12})?:[a-zA-Z0-9\-_\/:\.]+(:\d+)?$"
     return re.match(regex, arn) is not None

prowler/providers/aws/lib/audit_info/audit_info.py

@@ -37,4 +37,5 @@ current_audit_info = AWS_Audit_Info(
     organizations_metadata=None,
     audit_metadata=None,
     audit_config=None,
+    ignore_unused_services=False,
 )

prowler/providers/aws/lib/audit_info/models.py

@@ -52,3 +52,4 @@ class AWS_Audit_Info:
     organizations_metadata: AWS_Organizations_Info
     audit_metadata: Optional[Any] = None
     audit_config: Optional[dict] = None
+    ignore_unused_services: bool = False

prowler/providers/aws/lib/credentials/credentials.py

@@ -29,7 +29,7 @@ def validate_aws_credentials(
             # Get the first region passed to the -f/--region
             aws_region = input_regions[0]
 
-        validate_credentials_client = session.client("sts", aws_region)
+        validate_credentials_client = create_sts_session(session, aws_region)
         caller_identity = validate_credentials_client.get_caller_identity()
         # Include the region where the caller_identity has validated the credentials
         caller_identity["region"] = aws_region
@@ -64,3 +64,11 @@ Caller Identity ARN: {Fore.YELLOW}[{audit_info.audited_identity_arn}]{Style.RESE
         report += f"""Assumed Role ARN: {Fore.YELLOW}[{audit_info.assumed_role_info.role_arn}]{Style.RESET_ALL}
 """
     print(report)
+
+
+def create_sts_session(
+    session: session.Session, aws_region: str
+) -> session.Session.client:
+    return session.client(
+        "sts", aws_region, endpoint_url=f"https://sts.{aws_region}.amazonaws.com"
+    )

prowler/providers/aws/lib/policy_condition_parser/policy_condition_parser.py

@@ -1,31 +1,53 @@
-# lista de cuentas y te devuelva las válidas
 def is_account_only_allowed_in_condition(
     condition_statement: dict, source_account: str
 ):
+    """
+    is_account_only_allowed_in_condition parses the IAM Condition policy block and returns True if the source_account passed as argument is within, False if not.
+
+    @param condition_statement: dict with an IAM Condition block, e.g.:
+        {
+            "StringLike": {
+                "AWS:SourceAccount": 111122223333
+            }
+        }
+
+    @param source_account: str with a 12-digit AWS Account number, e.g.: 111122223333
+    """
     is_condition_valid = False
+
+    # The conditions must be defined in lowercase since the context key names are not case-sensitive.
+    # For example, including the aws:SourceAccount context key is equivalent to testing for AWS:SourceAccount
+    # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
     valid_condition_options = {
         "StringEquals": [
-            "aws:SourceAccount",
-            "aws:SourceOwner",
-            "s3:ResourceAccount",
-            "aws:PrincipalAccount",
-            "aws:ResourceAccount",
+            "aws:sourceaccount",
+            "aws:sourceowner",
+            "s3:resourceaccount",
+            "aws:principalaccount",
+            "aws:resourceaccount",
+            "aws:sourcearn",
         ],
         "StringLike": [
-            "aws:SourceAccount",
-            "aws:SourceOwner",
-            "aws:SourceArn",
-            "aws:PrincipalArn",
-            "aws:ResourceAccount",
-            "aws:PrincipalAccount",
+            "aws:sourceaccount",
+            "aws:sourceowner",
+            "aws:sourcearn",
+            "aws:principalarn",
+            "aws:resourceaccount",
+            "aws:principalaccount",
         ],
-        "ArnLike": ["aws:SourceArn", "aws:PrincipalArn"],
-        "ArnEquals": ["aws:SourceArn", "aws:PrincipalArn"],
+        "ArnLike": ["aws:sourcearn", "aws:principalarn"],
+        "ArnEquals": ["aws:sourcearn", "aws:principalarn"],
     }
 
     for condition_operator, condition_operator_key in valid_condition_options.items():
         if condition_operator in condition_statement:
             for value in condition_operator_key:
+                # We need to transform the condition_statement into lowercase
+                condition_statement[condition_operator] = {
+                    k.lower(): v
+                    for k, v in condition_statement[condition_operator].items()
+                }
+
                 if value in condition_statement[condition_operator]:
                     # values are a list
                     if isinstance(
@@ -34,12 +56,15 @@ def is_account_only_allowed_in_condition(
                     ):
                         # if there is an arn/account without the source account -> we do not consider it safe
                         # here by default we assume is true and look for false entries
-                        is_condition_valid = True
+                        is_condition_key_restrictive = True
                         for item in condition_statement[condition_operator][value]:
                             if source_account not in item:
-                                is_condition_valid = False
+                                is_condition_key_restrictive = False
                                 break
 
+                        if is_condition_key_restrictive:
+                            is_condition_valid = True
+
                     # value is a string
                     elif isinstance(
                         condition_statement[condition_operator][value],

prowler/providers/aws/lib/quick_inventory/quick_inventory.py

@@ -14,9 +14,9 @@ from prowler.config.config import (
     output_file_timestamp,
 )
 from prowler.lib.logger import logger
-from prowler.lib.outputs.outputs import send_to_s3_bucket
 from prowler.providers.aws.lib.arn.models import get_arn_resource_type
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.aws.lib.s3.s3 import send_to_s3_bucket
 
 
 def quick_inventory(audit_info: AWS_Audit_Info, args):

prowler/providers/aws/lib/s3/s3.py

@@ -0,0 +1,55 @@
+import sys
+
+from prowler.config.config import (
+    csv_file_suffix,
+    html_file_suffix,
+    json_asff_file_suffix,
+    json_file_suffix,
+    json_ocsf_file_suffix,
+)
+from prowler.lib.logger import logger
+
+
+def send_to_s3_bucket(
+    output_filename, output_directory, output_mode, output_bucket_name, audit_session
+):
+    try:
+        filename = ""
+        # Get only last part of the path
+        if output_mode == "csv":
+            filename = f"{output_filename}{csv_file_suffix}"
+        elif output_mode == "json":
+            filename = f"{output_filename}{json_file_suffix}"
+        elif output_mode == "json-asff":
+            filename = f"{output_filename}{json_asff_file_suffix}"
+        elif output_mode == "json-ocsf":
+            filename = f"{output_filename}{json_ocsf_file_suffix}"
+        elif output_mode == "html":
+            filename = f"{output_filename}{html_file_suffix}"
+        else:  # Compliance output mode
+            filename = f"{output_filename}_{output_mode}{csv_file_suffix}"
+
+        logger.info(f"Sending outputs to S3 bucket {output_bucket_name}")
+        # File location
+        file_name = output_directory + "/" + filename
+
+        # S3 Object name
+        bucket_directory = get_s3_object_path(output_directory)
+        object_name = bucket_directory + "/" + output_mode + "/" + filename
+
+        s3_client = audit_session.client("s3")
+        s3_client.upload_file(file_name, output_bucket_name, object_name)
+
+    except Exception as error:
+        logger.critical(
+            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+        )
+        sys.exit(1)
+
+
+def get_s3_object_path(output_directory: str) -> str:
+    bucket_remote_dir = output_directory
+    if "prowler/" in bucket_remote_dir:  # Check if it is not a custom directory
+        bucket_remote_dir = bucket_remote_dir.partition("prowler/")[-1]
+
+    return bucket_remote_dir

prowler/providers/aws/lib/security_hub/security_hub.py

@@ -1,52 +1,106 @@
-import json
-from itertools import groupby
-from operator import itemgetter
-
 from boto3 import session
 
-from prowler.config.config import json_asff_file_suffix, timestamp_utc
+from prowler.config.config import timestamp_utc
 from prowler.lib.logger import logger
+from prowler.lib.outputs.json import fill_json_asff
 from prowler.lib.outputs.models import Check_Output_JSON_ASFF
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
 
+SECURITY_HUB_INTEGRATION_NAME = "prowler/prowler"
+SECURITY_HUB_MAX_BATCH = 100
 
-def send_to_security_hub(
-    is_quiet: bool,
-    finding_status: str,
+
+def prepare_security_hub_findings(
+    findings: [], audit_info: AWS_Audit_Info, output_options, enabled_regions: []
+) -> dict:
+    security_hub_findings_per_region = {}
+    # Create a key per region
+    for region in audit_info.audited_regions:
+        security_hub_findings_per_region[region] = []
+    for finding in findings:
+        # We don't send the INFO findings to AWS Security Hub
+        if finding.status == "INFO":
+            continue
+
+        # We don't send findings to not enabled regions
+        if finding.region not in enabled_regions:
+            continue
+
+        # Handle quiet mode
+        if output_options.is_quiet and finding.status != "FAIL":
+            continue
+
+        # Get the finding region
+        region = finding.region
+
+        # Format the finding in the JSON ASFF format
+        finding_json_asff = fill_json_asff(
+            Check_Output_JSON_ASFF(), audit_info, finding, output_options
+        )
+
+        # Include that finding within their region in the JSON format
+        security_hub_findings_per_region[region].append(
+            finding_json_asff.dict(exclude_none=True)
+        )
+
+    return security_hub_findings_per_region
+
+
+def verify_security_hub_integration_enabled_per_region(
     region: str,
-    finding_output: Check_Output_JSON_ASFF,
+    session: session.Session,
+) -> bool:
+    f"""verify_security_hub_integration_enabled returns True if the {SECURITY_HUB_INTEGRATION_NAME} is enabled for the given region. Otherwise returns false."""
+    prowler_integration_enabled = False
+
+    try:
+        logger.info(
+            f"Checking if the {SECURITY_HUB_INTEGRATION_NAME} is enabled in the {region} region."
+        )
+        # Check if security hub is enabled in current region
+        security_hub_client = session.client("securityhub", region_name=region)
+        security_hub_client.describe_hub()
+
+        # Check if Prowler integration is enabled in Security Hub
+        if "prowler/prowler" not in str(
+            security_hub_client.list_enabled_products_for_import()
+        ):
+            logger.error(
+                f"Security Hub is enabled in {region} but Prowler integration does not accept findings. More info: https://docs.prowler.cloud/en/latest/tutorials/aws/securityhub/"
+            )
+        else:
+            prowler_integration_enabled = True
+
+    except Exception as error:
+        logger.error(
+            f"{error.__class__.__name__} -- [{error.__traceback__.tb_lineno}]:{error} in region {region}"
+        )
+
+    finally:
+        return prowler_integration_enabled
+
+
+def batch_send_to_security_hub(
+    security_hub_findings_per_region: dict,
     session: session.Session,
 ) -> int:
     """
-    send_to_security_hub send each finding to Security Hub and return the number of findings that were successfully sent
+    send_to_security_hub sends findings to Security Hub and returns the number of findings that were successfully sent.
     """
+
     success_count = 0
     try:
-        # Check if -q option is set
-        if not is_quiet or (is_quiet and finding_status == "FAIL"):
-            logger.info("Sending findings to Security Hub.")
-            # Check if security hub is enabled in current region
-            security_hub_client = session.client("securityhub", region_name=region)
-            security_hub_client.describe_hub()
+        # Iterate findings by region
+        for region, findings in security_hub_findings_per_region.items():
+            # Send findings to Security Hub
+            logger.info(f"Sending findings to Security Hub in the region {region}")
+
+            security_hub_client = session.client("securityhub", region_name=region)
+
+            success_count = __send_findings_to_security_hub__(
+                findings, region, security_hub_client
+            )
 
-            # Check if Prowler integration is enabled in Security Hub
-            if "prowler/prowler" not in str(
-                security_hub_client.list_enabled_products_for_import()
-            ):
-                logger.error(
-                    f"Security Hub is enabled in {region} but Prowler integration does not accept findings. More info: https://docs.prowler.cloud/en/latest/tutorials/aws/securityhub/"
-                )
-            else:
-                # Send finding to Security Hub
-                batch_import = security_hub_client.batch_import_findings(
-                    Findings=[finding_output.dict()]
-                )
-                if batch_import["FailedCount"] > 0:
-                    failed_import = batch_import["FailedFindings"][0]
-                    logger.error(
-                        f"Failed to send archived findings to AWS Security Hub -- {failed_import['ErrorCode']} -- {failed_import['ErrorMessage']}"
-                    )
-                success_count = batch_import["SuccessCount"]
     except Exception as error:
         logger.error(
             f"{error.__class__.__name__} -- [{error.__traceback__.tb_lineno}]:{error} in region {region}"
@@ -56,29 +110,16 @@ def send_to_security_hub(
 
 # Move previous Security Hub check findings to ARCHIVED (as prowler didn't re-detect them)
 def resolve_security_hub_previous_findings(
-    output_directory: str, output_filename: str, audit_info: AWS_Audit_Info
+    security_hub_findings_per_region: dict, audit_info: AWS_Audit_Info
 ) -> list:
     """
     resolve_security_hub_previous_findings archives all the findings that does not appear in the current execution
     """
     logger.info("Checking previous findings in Security Hub to archive them.")
-    # Read current findings from json-asff file
-    with open(f"{output_directory}/{output_filename}{json_asff_file_suffix}") as f:
-        json_asff_file = json.load(f)
-
-    # Sort by region
-    json_asff_file = sorted(json_asff_file, key=itemgetter("ProductArn"))
-    # Group by region
-    for product_arn, current_findings in groupby(
-        json_asff_file, key=itemgetter("ProductArn")
-    ):
-        region = product_arn.split(":")[3]
+    success_count = 0
+    for region in security_hub_findings_per_region.keys():
         try:
-            # Check if security hub is enabled in current region
-            security_hub_client = audit_info.audit_session.client(
-                "securityhub", region_name=region
-            )
-            security_hub_client.describe_hub()
+            current_findings = security_hub_findings_per_region[region]
             # Get current findings IDs
             current_findings_ids = []
             for finding in current_findings:
@@ -108,21 +149,41 @@ def resolve_security_hub_previous_findings(
 
                         findings_to_archive.append(finding)
             logger.info(f"Archiving {len(findings_to_archive)} findings.")
+
             # Send archive findings to SHub
-            list_chunked = [
-                findings_to_archive[i : i + 100]
-                for i in range(0, len(findings_to_archive), 100)
-            ]
-            for findings in list_chunked:
-                batch_import = security_hub_client.batch_import_findings(
-                    Findings=findings
-                )
-                if batch_import["FailedCount"] > 0:
-                    failed_import = batch_import["FailedFindings"][0]
-                    logger.error(
-                        f"Failed to send archived findings to AWS Security Hub -- {failed_import['ErrorCode']} -- {failed_import['ErrorMessage']}"
-                    )
+            success_count += __send_findings_to_security_hub__(
+                findings_to_archive, region, security_hub_client
+            )
         except Exception as error:
             logger.error(
                 f"{error.__class__.__name__} -- [{error.__traceback__.tb_lineno}]:{error} in region {region}"
             )
+    return success_count
+
+
+def __send_findings_to_security_hub__(
+    findings: [dict], region: str, security_hub_client
+):
+    """Private function send_findings_to_security_hub chunks the findings in groups of 100 findings and send them to AWS Security Hub. It returns the number of sent findings."""
+    success_count = 0
+    try:
+        list_chunked = [
+            findings[i : i + SECURITY_HUB_MAX_BATCH]
+            for i in range(0, len(findings), SECURITY_HUB_MAX_BATCH)
+        ]
+
+        for findings in list_chunked:
+            batch_import = security_hub_client.batch_import_findings(Findings=findings)
+            if batch_import["FailedCount"] > 0:
+                failed_import = batch_import["FailedFindings"][0]
+                logger.error(
+                    f"Failed to send findings to AWS Security Hub -- {failed_import['ErrorCode']} -- {failed_import['ErrorMessage']}"
+                )
+            success_count += batch_import["SuccessCount"]
+
+    except Exception as error:
+        logger.error(
+            f"{error.__class__.__name__} -- [{error.__traceback__.tb_lineno}]:{error} in region {region}"
+        )
+    finally:
+        return success_count

prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.py

@@ -10,29 +10,27 @@ class accessanalyzer_enabled(Check):
         for analyzer in accessanalyzer_client.analyzers:
             report = Check_Report_AWS(self.metadata())
             report.region = analyzer.region
+            report.resource_id = analyzer.name
+            report.resource_arn = analyzer.arn
+            report.resource_tags = analyzer.tags
             if analyzer.status == "ACTIVE":
                 report.status = "PASS"
                 report.status_extended = (
                     f"IAM Access Analyzer {analyzer.name} is enabled."
                 )
-                report.resource_id = analyzer.name
-                report.resource_arn = analyzer.arn
-                report.resource_tags = analyzer.tags
 
             elif analyzer.status == "NOT_AVAILABLE":
                 report.status = "FAIL"
                 report.status_extended = (
                     f"IAM Access Analyzer in account {analyzer.name} is not enabled."
                 )
-                report.resource_id = analyzer.name
+
             else:
                 report.status = "FAIL"
                 report.status_extended = (
                     f"IAM Access Analyzer {analyzer.name} is not active."
                 )
-                report.resource_id = analyzer.name
-                report.resource_arn = analyzer.arn
-                report.resource_tags = analyzer.tags
+
             findings.append(report)
 
         return findings

prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled_without_findings/accessanalyzer_enabled_without_findings.py

@@ -12,9 +12,7 @@ class accessanalyzer_enabled_without_findings(Check):
             report.region = analyzer.region
             if analyzer.status == "ACTIVE":
                 report.status = "PASS"
-                report.status_extended = (
-                    f"IAM Access Analyzer {analyzer.name} does not have active findings"
-                )
+                report.status_extended = f"IAM Access Analyzer {analyzer.name} does not have active findings."
                 report.resource_id = analyzer.name
                 report.resource_arn = analyzer.arn
                 report.resource_tags = analyzer.tags
@@ -26,24 +24,10 @@ class accessanalyzer_enabled_without_findings(Check):
 
                     if active_finding_counter > 0:
                         report.status = "FAIL"
-                        report.status_extended = f"IAM Access Analyzer {analyzer.name} has {active_finding_counter} active findings"
+                        report.status_extended = f"IAM Access Analyzer {analyzer.name} has {active_finding_counter} active findings."
                         report.resource_id = analyzer.name
                         report.resource_arn = analyzer.arn
                         report.resource_tags = analyzer.tags
-            elif analyzer.status == "NOT_AVAILABLE":
-                report.status = "FAIL"
-                report.status_extended = (
-                    f"IAM Access Analyzer in account {analyzer.name} is not enabled"
-                )
-                report.resource_id = analyzer.name
-            else:
-                report.status = "FAIL"
-                report.status_extended = (
-                    f"IAM Access Analyzer {analyzer.name} is not active"
-                )
-                report.resource_id = analyzer.name
-                report.resource_arn = analyzer.arn
-                report.resource_tags = analyzer.tags
-            findings.append(report)
+                findings.append(report)
 
         return findings

prowler/providers/aws/services/accessanalyzer/accessanalyzer_service.py

@@ -43,7 +43,7 @@ class AccessAnalyzer(AWSService):
             if analyzer_count == 0:
                 self.analyzers.append(
                     Analyzer(
-                        arn="",
+                        arn=self.audited_account_arn,
                         name=self.audited_account,
                         status="NOT_AVAILABLE",
                         tags=[],

prowler/providers/aws/services/account/account_maintain_different_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.metadata.json

@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "account_maintain_different_contact_details_to_security_billing_and_operations",
+  "CheckTitle": "Maintain different contact details to security, billing and operations.",
+  "CheckType": [
+    "IAM"
+  ],
+  "ServiceName": "account",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:access-recorder:region:account-id:recorder/resource-id",
+  "Severity": "medium",
+  "ResourceType": "Other",
+  "Description": "Maintain different contact details to security, billing and operations.",
+  "Risk": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details; and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner; AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation; proactive measures may be taken; including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.",
+  "RelatedUrl": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "https://docs.bridgecrew.io/docs/iam_18-maintain-contact-details#aws-console",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Using the Billing and Cost Management console complete contact details.",
+      "Url": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/aws/services/account/account_maintain_different_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.py

@@ -0,0 +1,27 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.account.account_client import account_client
+
+
+class account_maintain_different_contact_details_to_security_billing_and_operations(
+    Check
+):
+    def execute(self):
+        report = Check_Report_AWS(self.metadata())
+        report.region = account_client.region
+        report.resource_id = account_client.audited_account
+        report.resource_arn = account_client.audited_account_arn
+
+        if (
+            len(account_client.contact_phone_numbers)
+            == account_client.number_of_contacts
+            and len(account_client.contact_names) == account_client.number_of_contacts
+            # This is because the primary contact has no email field
+            and len(account_client.contact_emails)
+            == account_client.number_of_contacts - 1
+        ):
+            report.status = "PASS"
+            report.status_extended = "SECURITY, BILLING and OPERATIONS contacts found and they are different between each other and between ROOT contact."
+        else:
+            report.status = "FAIL"
+            report.status_extended = "SECURITY, BILLING and OPERATIONS contacts not found or they are not different between each other and between ROOT contact."
+        return [report]

prowler/providers/aws/services/account/account_service.py

@@ -1,4 +1,10 @@
 ################## Account
+from typing import Optional
+from venv import logger
+
+from botocore.client import ClientError
+from pydantic import BaseModel
+
 from prowler.providers.aws.lib.service.service import AWSService
 
 
@@ -6,6 +12,89 @@ class Account(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__(__class__.__name__, audit_info)
+        self.number_of_contacts = 4
+        self.contact_base = self.__get_contact_information__()
+        self.contacts_billing = self.__get_alternate_contact__("BILLING")
+        self.contacts_security = self.__get_alternate_contact__("SECURITY")
+        self.contacts_operations = self.__get_alternate_contact__("OPERATIONS")
+
+        # Set of contact phone numbers
+        self.contact_phone_numbers = {
+            self.contact_base.phone_number,
+            self.contacts_billing.phone_number,
+            self.contacts_security.phone_number,
+            self.contacts_operations.phone_number,
+        }
+
+        # Set of contact names
+        self.contact_names = {
+            self.contact_base.name,
+            self.contacts_billing.name,
+            self.contacts_security.name,
+            self.contacts_operations.name,
+        }
+
+        # Set of contact emails
+        self.contact_emails = {
+            self.contacts_billing.email,
+            self.contacts_security.email,
+            self.contacts_operations.email,
+        }
+
+    def __get_contact_information__(self):
+        try:
+            primary_account_contact = self.client.get_contact_information()[
+                "ContactInformation"
+            ]
+
+            return Contact(
+                type="PRIMARY",
+                name=primary_account_contact.get("FullName"),
+                phone_number=primary_account_contact.get("PhoneNumber"),
+            )
+        except Exception as error:
+            logger.error(
+                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            return Contact(type="PRIMARY")
+
+    def __get_alternate_contact__(self, contact_type: str):
+        try:
+            account_contact = self.client.get_alternate_contact(
+                AlternateContactType=contact_type
+            )["AlternateContact"]
+
+            return Contact(
+                type=contact_type,
+                email=account_contact.get("EmailAddress"),
+                name=account_contact.get("Name"),
+                phone_number=account_contact.get("PhoneNumber"),
+            )
+
+        except ClientError as error:
+            if (
+                error.response["Error"]["Code"] == "ResourceNotFoundException"
+                and error.response["Error"]["Message"]
+                == "No contact of the inputted alternate contact type found."
+            ):
+                logger.warning(
+                    f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
+            return Contact(
+                type=contact_type,
+            )
+
+        except Exception as error:
+            logger.error(
+                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            return Contact(
+                type=contact_type,
+            )
 
 
-### This service don't need boto3 calls
+class Contact(BaseModel):
+    type: str
+    email: Optional[str]
+    name: Optional[str]
+    phone_number: Optional[str]

prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py

@@ -12,14 +12,16 @@ class acm_certificates_expiration_check(Check):
             report.region = certificate.region
             if certificate.expiration_days > DAYS_TO_EXPIRE_THRESHOLD:
                 report.status = "PASS"
-                report.status_extended = f"ACM Certificate for {certificate.name} expires in {certificate.expiration_days} days."
-                report.resource_id = certificate.name
+                report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} expires in {certificate.expiration_days} days."
+                report.resource_id = certificate.id
+                report.resource_details = certificate.name
                 report.resource_arn = certificate.arn
                 report.resource_tags = certificate.tags
             else:
                 report.status = "FAIL"
-                report.status_extended = f"ACM Certificate for {certificate.name} is about to expire in {DAYS_TO_EXPIRE_THRESHOLD} days."
-                report.resource_id = certificate.name
+                report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is about to expire in {DAYS_TO_EXPIRE_THRESHOLD} days."
+                report.resource_id = certificate.id
+                report.resource_details = certificate.name
                 report.resource_arn = certificate.arn
                 report.resource_tags = certificate.tags