fix(config/html): handle encoding issues and improve error handling in config and HTML file loading functions (#4203)

Co-authored-by: Sergio <sergio@prowler.com>

README.md

@@ -60,7 +60,7 @@ It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, Fe
 
 | Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) |
 |---|---|---|---|---|
-| AWS | 359 | 66 -> `prowler aws --list-services` | 28 -> `prowler aws --list-compliance` | 7 -> `prowler aws --list-categories` |
+| AWS | 360 | 66 -> `prowler aws --list-services` | 28 -> `prowler aws --list-compliance` | 7 -> `prowler aws --list-categories` |
 | GCP | 77 | 13 -> `prowler gcp --list-services` | 1 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`|
 | Azure | 127 | 16 -> `prowler azure --list-services` | 2 -> `prowler azure --list-compliance` | 2 -> `prowler azure --list-categories` |
 | Kubernetes | 83 | 7 -> `prowler kubernetes --list-services` | 1 -> `prowler kubernetes --list-compliance` | 7 -> `prowler kubernetes --list-categories` |

dashboard/config.py

@@ -21,7 +21,7 @@ muted_manual_color = "#b33696"
 critical_color = "#951649"
 high_color = "#e11d48"
 medium_color = "#ee6f15"
-low_color = "#f9f5e6"
+low_color = "#fcf45d"
 informational_color = "#3274d9"
 
 # Folder output path

dashboard/pages/overview.py

@@ -945,7 +945,7 @@ def filter_data(
         color_mapping_status = {
             "FAIL": fail_color,
             "PASS": pass_color,
-            "INFO": info_color,
+            "LOW": info_color,
             "MANUAL": manual_color,
             "WARNING": muted_fail_color,
             "MUTED (FAIL)": muted_fail_color,
@@ -1564,7 +1564,10 @@ def generate_table(data, index, color_mapping_severity, color_mapping_status):
                                                                 data.get(
                                                                     "FINDING_UID", ""
                                                                 )
-                                                            )
+                                                            ),
+                                                            style={
+                                                                "margin-left": "5px"
+                                                            },
                                                         ),
                                                     ],
                                                     style={"display": "flex"},
@@ -1644,28 +1647,10 @@ def generate_table(data, index, color_mapping_severity, color_mapping_status):
                                                                     "STATUS_EXTENDED",
                                                                     "",
                                                                 )
-                                                            )
-                                                        ),
-                                                    ],
-                                                    style={"display": "flex"},
-                                                ),
-                                                html.Div(
-                                                    [
-                                                        html.P(
-                                                            html.Strong(
-                                                                "Risk: ",
-                                                                style={
-                                                                    "margin-right": "5px"
-                                                                },
-                                                            )
-                                                        ),
-                                                        html.P(
-                                                            str(
-                                                                data.get(
-                                                                    "RISK",
-                                                                    "",
-                                                                )
-                                                            )
+                                                            ),
+                                                            style={
+                                                                "margin-left": "5px"
+                                                            },
                                                         ),
                                                     ],
                                                     style={"display": "flex"},
@@ -1689,7 +1674,10 @@ def generate_table(data, index, color_mapping_severity, color_mapping_status):
                                                             )
                                                         ),
                                                         html.P(
-                                                            str(data.get("RISK", ""))
+                                                            str(data.get("RISK", "")),
+                                                            style={
+                                                                "margin-left": "5px"
+                                                            },
                                                         ),
                                                     ],
                                                     style={"display": "flex"},
@@ -1744,7 +1732,10 @@ def generate_table(data, index, color_mapping_severity, color_mapping_status):
                                                                     "REMEDIATION_RECOMMENDATION_TEXT",
                                                                     "",
                                                                 )
-                                                            )
+                                                            ),
+                                                            style={
+                                                                "margin-left": "5px"
+                                                            },
                                                         ),
                                                     ],
                                                     style={"display": "flex"},
@@ -1772,7 +1763,10 @@ def generate_table(data, index, color_mapping_severity, color_mapping_status):
                                                                     "",
                                                                 )
                                                             ),
-                                                            style={"color": "#3182ce"},
+                                                            style={
+                                                                "color": "#3182ce",
+                                                                "margin-left": "5px",
+                                                            },
                                                         ),
                                                     ],
                                                     style={"display": "flex"},

docs/tutorials/configuration_file.md

@@ -29,19 +29,22 @@ The following list includes all the AWS checks with configurable variables that
 | `organizations_delegated_administrators`                      | `organizations_trusted_delegated_administrators` | List of Strings |
 | `ecr_repositories_scan_vulnerabilities_in_latest_image`       | `ecr_repository_vulnerability_minimum_severity`  | String          |
 | `trustedadvisor_premium_support_plan_subscribed`              | `verify_premium_support_plans`                   | Boolean         |
-| `config_recorder_all_regions_enabled`                         | `mute_non_default_regions`                  | Boolean         |
-| `drs_job_exist`                                               | `mute_non_default_regions`                  | Boolean         |
-| `guardduty_is_enabled`                                        | `mute_non_default_regions`                  | Boolean         |
-| `securityhub_enabled`                                         | `mute_non_default_regions`                  | Boolean         |
-| `cloudtrail_threat_detection_privilege_escalation`             | `threat_detection_privilege_escalation_entropy` | Integer         |
-| `cloudtrail_threat_detection_privilege_escalation`             | `threat_detection_privilege_escalation_minutes` | Integer         |
-| `cloudtrail_threat_detection_privilege_escalation`             | `threat_detection_privilege_escalation_actions` | List of Strings         |
-| `cloudtrail_threat_detection_enumeration`                      | `threat_detection_enumeration_entropy`      | Integer         |
-| `cloudtrail_threat_detection_enumeration`                      | `threat_detection_enumeration_minutes`      | Integer         |
-| `cloudtrail_threat_detection_enumeration`                      | `threat_detection_enumeration_actions`      | List of Strings         |
-| `rds_instance_backup_enabled`                                  | `check_rds_instance_replicas`      | Boolean        |
-| `ec2_securitygroup_allow_ingress_from_internet_to_any_port`    | `ec2_allowed_interface_types`      | List of Strings        |
-| `ec2_securitygroup_allow_ingress_from_internet_to_any_port`    | `ec2_allowed_instance_owners`      | List of Strings        |
+| `config_recorder_all_regions_enabled`                         | `mute_non_default_regions`                       | Boolean         |
+| `drs_job_exist`                                               | `mute_non_default_regions`                       | Boolean         |
+| `guardduty_is_enabled`                                        | `mute_non_default_regions`                       | Boolean         |
+| `securityhub_enabled`                                         | `mute_non_default_regions`                       | Boolean         |
+| `cloudtrail_threat_detection_privilege_escalation`            | `threat_detection_privilege_escalation_entropy`  | Integer         |
+| `cloudtrail_threat_detection_privilege_escalation`            | `threat_detection_privilege_escalation_minutes`  | Integer         |
+| `cloudtrail_threat_detection_privilege_escalation`            | `threat_detection_privilege_escalation_actions`  | List of Strings |
+| `cloudtrail_threat_detection_enumeration`                     | `threat_detection_enumeration_entropy`           | Integer         |
+| `cloudtrail_threat_detection_enumeration`                     | `threat_detection_enumeration_minutes`           | Integer         |
+| `cloudtrail_threat_detection_enumeration`                     | `threat_detection_enumeration_actions`           | List of Strings |
+| `rds_instance_backup_enabled`                                 | `check_rds_instance_replicas`                    | Boolean         |
+| `ec2_securitygroup_allow_ingress_from_internet_to_any_port`   | `ec2_allowed_interface_types`                    | List of Strings |
+| `ec2_securitygroup_allow_ingress_from_internet_to_any_port`   | `ec2_allowed_instance_owners`                    | List of Strings |
+| `acm_certificates_expiration_check`                           | `days_to_expire_threshold`                       | Integer         |
+
+
 ## Azure
 
 ### Configurable Checks
@@ -80,10 +83,20 @@ The following list includes all the Azure checks with configurable variables tha
 ```yaml title="config.yaml"
 # AWS Configuration
 aws:
-
   # AWS Global Configuration
-  # aws.mute_non_default_regions --> Mute Failed Findings in non-default regions for GuardDuty, SecurityHub, DRS and Config
+  # aws.mute_non_default_regions --> Set to True to muted failed findings in non-default regions for AccessAnalyzer, GuardDuty, SecurityHub, DRS and Config
   mute_non_default_regions: False
+  # If you want to mute failed findings only in specific regions, create a file with the following syntax and run it with `prowler aws -w mutelist.yaml`:
+  # Mutelist:
+  #  Accounts:
+  #   "*":
+  #     Checks:
+  #       "*":
+  #         Regions:
+  #           - "ap-southeast-1"
+  #           - "ap-southeast-2"
+  #         Resources:
+  #           - "*"
 
   # AWS IAM Configuration
   # aws.iam_user_accesskey_unused --> CIS recommends 45 days
@@ -93,6 +106,7 @@ aws:
 
   # AWS EC2 Configuration
   # aws.ec2_elastic_ip_shodan
+  # TODO: create common config
   shodan_api_key: null
   # aws.ec2_securitygroup_with_many_ingress_egress_rules --> by default is 50 rules
   max_security_group_rules: 50
@@ -102,13 +116,13 @@ aws:
   # allowed network interface types for security groups open to the Internet
   ec2_allowed_interface_types:
     [
-      "api_gateway_managed",
-      "vpc_endpoint",
+        "api_gateway_managed",
+        "vpc_endpoint",
     ]
   # allowed network interface owners for security groups open to the Internet
   ec2_allowed_instance_owners:
     [
-      "amazon-elb"
+        "amazon-elb"
     ]
 
   # AWS VPC Configuration (vpc_endpoint_connections_trust_boundaries, vpc_endpoint_services_allowed_principals_trust_boundaries)
@@ -133,205 +147,222 @@ aws:
   # aws.awslambda_function_using_supported_runtimes
   obsolete_lambda_runtimes:
     [
+      "java8",
+      "go1.x",
+      "provided",
       "python3.6",
       "python2.7",
+      "python3.7",
       "nodejs4.3",
       "nodejs4.3-edge",
       "nodejs6.10",
       "nodejs",
       "nodejs8.10",
       "nodejs10.x",
+      "nodejs12.x",
+      "nodejs14.x",
+      "dotnet5.0",
       "dotnetcore1.0",
       "dotnetcore2.0",
       "dotnetcore2.1",
+      "dotnetcore3.1",
       "ruby2.5",
+      "ruby2.7",
     ]
 
   # AWS Organizations
-  # organizations_scp_check_deny_regions
-  # organizations_enabled_regions: [
-  #   'eu-central-1',
-  #   'eu-west-1',
+  # aws.organizations_scp_check_deny_regions
+  # aws.organizations_enabled_regions: [
+  #   "eu-central-1",
+  #   "eu-west-1",
   #   "us-east-1"
   # ]
   organizations_enabled_regions: []
   organizations_trusted_delegated_administrators: []
 
   # AWS ECR
-  # ecr_repositories_scan_vulnerabilities_in_latest_image
+  # aws.ecr_repositories_scan_vulnerabilities_in_latest_image
   # CRITICAL
   # HIGH
   # MEDIUM
   ecr_repository_vulnerability_minimum_severity: "MEDIUM"
 
   # AWS Trusted Advisor
-  # trustedadvisor_premium_support_plan_subscribed
+  # aws.trustedadvisor_premium_support_plan_subscribed
   verify_premium_support_plans: True
 
   # AWS CloudTrail Configuration
   # aws.cloudtrail_threat_detection_privilege_escalation
-  threat_detection_privilege_escalation_entropy: 0.7 # Percentage of actions found to decide if it is an privilege_escalation attack event, by default is 0.7 (70%)
+  threat_detection_privilege_escalation_threshold: 0.1 # Percentage of actions found to decide if it is an privilege_escalation attack event, by default is 0.1 (10%)
   threat_detection_privilege_escalation_minutes: 1440 # Past minutes to search from now for privilege_escalation attacks, by default is 1440 minutes (24 hours)
-  threat_detection_privilege_escalation_actions: [
-    "AddPermission",
-    "AddRoleToInstanceProfile",
-    "AddUserToGroup",
-    "AssociateAccessPolicy",
-    "AssumeRole",
-    "AttachGroupPolicy",
-    "AttachRolePolicy",
-    "AttachUserPolicy",
-    "ChangePassword",
-    "CreateAccessEntry",
-    "CreateAccessKey",
-    "CreateDevEndpoint",
-    "CreateEventSourceMapping",
-    "CreateFunction",
-    "CreateGroup",
-    "CreateJob",
-    "CreateKeyPair",
-    "CreateLoginProfile",
-    "CreatePipeline",
-    "CreatePolicyVersion",
-    "CreateRole",
-    "CreateStack",
-    "DeleteRolePermissionsBoundary",
-    "DeleteRolePolicy",
-    "DeleteUserPermissionsBoundary",
-    "DeleteUserPolicy",
-    "DetachRolePolicy",
-    "DetachUserPolicy",
-    "GetCredentialsForIdentity",
-    "GetId",
-    "GetPolicyVersion",
-    "GetUserPolicy",
-    "Invoke",
-    "ModifyInstanceAttribute",
-    "PassRole",
-    "PutGroupPolicy",
-    "PutPipelineDefinition",
-    "PutRolePermissionsBoundary",
-    "PutRolePolicy",
-    "PutUserPermissionsBoundary",
-    "PutUserPolicy",
-    "ReplaceIamInstanceProfileAssociation",
-    "RunInstances",
-    "SetDefaultPolicyVersion",
-    "UpdateAccessKey",
-    "UpdateAssumeRolePolicy",
-    "UpdateDevEndpoint",
-    "UpdateEventSourceMapping",
-    "UpdateFunctionCode",
-    "UpdateJob",
-    "UpdateLoginProfile",
-  ]
+  threat_detection_privilege_escalation_actions:
+    [
+      "AddPermission",
+      "AddRoleToInstanceProfile",
+      "AddUserToGroup",
+      "AssociateAccessPolicy",
+      "AssumeRole",
+      "AttachGroupPolicy",
+      "AttachRolePolicy",
+      "AttachUserPolicy",
+      "ChangePassword",
+      "CreateAccessEntry",
+      "CreateAccessKey",
+      "CreateDevEndpoint",
+      "CreateEventSourceMapping",
+      "CreateFunction",
+      "CreateGroup",
+      "CreateJob",
+      "CreateKeyPair",
+      "CreateLoginProfile",
+      "CreatePipeline",
+      "CreatePolicyVersion",
+      "CreateRole",
+      "CreateStack",
+      "DeleteRolePermissionsBoundary",
+      "DeleteRolePolicy",
+      "DeleteUserPermissionsBoundary",
+      "DeleteUserPolicy",
+      "DetachRolePolicy",
+      "DetachUserPolicy",
+      "GetCredentialsForIdentity",
+      "GetId",
+      "GetPolicyVersion",
+      "GetUserPolicy",
+      "Invoke",
+      "ModifyInstanceAttribute",
+      "PassRole",
+      "PutGroupPolicy",
+      "PutPipelineDefinition",
+      "PutRolePermissionsBoundary",
+      "PutRolePolicy",
+      "PutUserPermissionsBoundary",
+      "PutUserPolicy",
+      "ReplaceIamInstanceProfileAssociation",
+      "RunInstances",
+      "SetDefaultPolicyVersion",
+      "UpdateAccessKey",
+      "UpdateAssumeRolePolicy",
+      "UpdateDevEndpoint",
+      "UpdateEventSourceMapping",
+      "UpdateFunctionCode",
+      "UpdateJob",
+      "UpdateLoginProfile",
+    ]
   # aws.cloudtrail_threat_detection_enumeration
-  threat_detection_enumeration_entropy: 0.7 # Percentage of actions found to decide if it is an enumeration attack event, by default is 0.7 (70%)
+  threat_detection_enumeration_threshold: 0.1 # Percentage of actions found to decide if it is an enumeration attack event, by default is 0.1 (10%)
   threat_detection_enumeration_minutes: 1440 # Past minutes to search from now for enumeration attacks, by default is 1440 minutes (24 hours)
-  threat_detection_enumeration_actions: [
-    "DescribeAccessEntry",
-    "DescribeAccountAttributes",
-    "DescribeAvailabilityZones",
-    "DescribeBundleTasks",
-    "DescribeCarrierGateways",
-    "DescribeClientVpnRoutes",
-    "DescribeCluster",
-    "DescribeDhcpOptions",
-    "DescribeFlowLogs",
-    "DescribeImages",
-    "DescribeInstanceAttribute",
-    "DescribeInstanceInformation",
-    "DescribeInstanceTypes",
-    "DescribeInstances",
-    "DescribeInstances",
-    "DescribeKeyPairs",
-    "DescribeLogGroups",
-    "DescribeLogStreams",
-    "DescribeOrganization",
-    "DescribeRegions",
-    "DescribeSecurityGroups",
-    "DescribeSnapshotAttribute",
-    "DescribeSnapshotTierStatus",
-    "DescribeSubscriptionFilters",
-    "DescribeTransitGatewayMulticastDomains",
-    "DescribeVolumes",
-    "DescribeVolumesModifications",
-    "DescribeVpcEndpointConnectionNotifications",
-    "DescribeVpcs",
-    "GetAccount",
-    "GetAccountAuthorizationDetails",
-    "GetAccountSendingEnabled",
-    "GetBucketAcl",
-    "GetBucketLogging",
-    "GetBucketPolicy",
-    "GetBucketReplication",
-    "GetBucketVersioning",
-    "GetCallerIdentity",
-    "GetCertificate",
-    "GetConsoleScreenshot",
-    "GetCostAndUsage",
-    "GetDetector",
-    "GetEbsDefaultKmsKeyId",
-    "GetEbsEncryptionByDefault",
-    "GetFindings",
-    "GetFlowLogsIntegrationTemplate",
-    "GetIdentityVerificationAttributes",
-    "GetInstances",
-    "GetIntrospectionSchema",
-    "GetLaunchTemplateData",
-    "GetLaunchTemplateData",
-    "GetLogRecord",
-    "GetParameters",
-    "GetPolicyVersion",
-    "GetPublicAccessBlock",
-    "GetQueryResults",
-    "GetRegions",
-    "GetSMSAttributes",
-    "GetSMSSandboxAccountStatus",
-    "GetSendQuota",
-    "GetTransitGatewayRouteTableAssociations",
-    "GetUserPolicy",
-    "HeadObject",
-    "ListAccessKeys",
-    "ListAccounts",
-    "ListAllMyBuckets",
-    "ListAssociatedAccessPolicies",
-    "ListAttachedUserPolicies",
-    "ListClusters",
-    "ListDetectors",
-    "ListDomains",
-    "ListFindings",
-    "ListHostedZones",
-    "ListIPSets",
-    "ListIdentities",
-    "ListInstanceProfiles",
-    "ListObjects",
-    "ListOrganizationalUnitsForParent",
-    "ListOriginationNumbers",
-    "ListPolicyVersions",
-    "ListRoles",
-    "ListRoles",
-    "ListRules",
-    "ListServiceQuotas",
-    "ListSubscriptions",
-    "ListTargetsByRule",
-    "ListTopics",
-    "ListUsers",
-    "LookupEvents",
-    "Search",
-  ]
+  threat_detection_enumeration_actions:
+    [
+      "DescribeAccessEntry",
+      "DescribeAccountAttributes",
+      "DescribeAvailabilityZones",
+      "DescribeBundleTasks",
+      "DescribeCarrierGateways",
+      "DescribeClientVpnRoutes",
+      "DescribeCluster",
+      "DescribeDhcpOptions",
+      "DescribeFlowLogs",
+      "DescribeImages",
+      "DescribeInstanceAttribute",
+      "DescribeInstanceInformation",
+      "DescribeInstanceTypes",
+      "DescribeInstances",
+      "DescribeInstances",
+      "DescribeKeyPairs",
+      "DescribeLogGroups",
+      "DescribeLogStreams",
+      "DescribeOrganization",
+      "DescribeRegions",
+      "DescribeSecurityGroups",
+      "DescribeSnapshotAttribute",
+      "DescribeSnapshotTierStatus",
+      "DescribeSubscriptionFilters",
+      "DescribeTransitGatewayMulticastDomains",
+      "DescribeVolumes",
+      "DescribeVolumesModifications",
+      "DescribeVpcEndpointConnectionNotifications",
+      "DescribeVpcs",
+      "GetAccount",
+      "GetAccountAuthorizationDetails",
+      "GetAccountSendingEnabled",
+      "GetBucketAcl",
+      "GetBucketLogging",
+      "GetBucketPolicy",
+      "GetBucketReplication",
+      "GetBucketVersioning",
+      "GetCallerIdentity",
+      "GetCertificate",
+      "GetConsoleScreenshot",
+      "GetCostAndUsage",
+      "GetDetector",
+      "GetEbsDefaultKmsKeyId",
+      "GetEbsEncryptionByDefault",
+      "GetFindings",
+      "GetFlowLogsIntegrationTemplate",
+      "GetIdentityVerificationAttributes",
+      "GetInstances",
+      "GetIntrospectionSchema",
+      "GetLaunchTemplateData",
+      "GetLaunchTemplateData",
+      "GetLogRecord",
+      "GetParameters",
+      "GetPolicyVersion",
+      "GetPublicAccessBlock",
+      "GetQueryResults",
+      "GetRegions",
+      "GetSMSAttributes",
+      "GetSMSSandboxAccountStatus",
+      "GetSendQuota",
+      "GetTransitGatewayRouteTableAssociations",
+      "GetUserPolicy",
+      "HeadObject",
+      "ListAccessKeys",
+      "ListAccounts",
+      "ListAllMyBuckets",
+      "ListAssociatedAccessPolicies",
+      "ListAttachedUserPolicies",
+      "ListClusters",
+      "ListDetectors",
+      "ListDomains",
+      "ListFindings",
+      "ListHostedZones",
+      "ListIPSets",
+      "ListIdentities",
+      "ListInstanceProfiles",
+      "ListObjects",
+      "ListOrganizationalUnitsForParent",
+      "ListOriginationNumbers",
+      "ListPolicyVersions",
+      "ListRoles",
+      "ListRoles",
+      "ListRules",
+      "ListServiceQuotas",
+      "ListSubscriptions",
+      "ListTargetsByRule",
+      "ListTopics",
+      "ListUsers",
+      "LookupEvents",
+      "Search",
+    ]
 
+  # AWS RDS Configuration
   # aws.rds_instance_backup_enabled
   # Whether to check RDS instance replicas or not
   check_rds_instance_replicas: False
 
+  # AWS ACM Configuration
+  # aws.acm_certificates_expiration_check
+  days_to_expire_threshold: 7
+
 # Azure Configuration
 azure:
   # Azure Network Configuration
   # azure.network_public_ip_shodan
+  # TODO: create common config
   shodan_api_key: null
 
-  # Azure App Configuration
+  # Azure App Service
   # azure.app_ensure_php_version_is_latest
   php_latest_version: "8.2"
   # azure.app_ensure_python_version_is_latest
@@ -345,4 +376,34 @@ gcp:
   # gcp.compute_public_address_shodan
   shodan_api_key: null
 
+# Kubernetes Configuration
+kubernetes:
+  # Kubernetes API Server
+  # kubernetes.apiserver_audit_log_maxbackup_set
+  audit_log_maxbackup: 10
+  # kubernetes.apiserver_audit_log_maxsize_set
+  audit_log_maxsize: 100
+  # kubernetes.apiserver_audit_log_maxage_set
+  audit_log_maxage: 30
+  # kubernetes.apiserver_strong_ciphers_only
+  apiserver_strong_ciphers:
+    [
+      "TLS_AES_128_GCM_SHA256",
+      "TLS_AES_256_GCM_SHA384",
+      "TLS_CHACHA20_POLY1305_SHA256",
+    ]
+  # Kubelet
+  # kubernetes.kubelet_strong_ciphers_only
+  kubelet_strong_ciphers:
+    [
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+      "TLS_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_RSA_WITH_AES_128_GCM_SHA256",
+    ]
+
 ```

docs/tutorials/scan-unused-services.md

@@ -11,6 +11,12 @@ prowler <provider> --scan-unused-services
 
 ## Services that are ignored
 ### AWS
+#### ACM
+You can have certificates in ACM that is not in use by any AWS resource.
+Prowler will check if every certificate is going to expire soon, if this certificate is not in use by default it is not going to be check if it is expired, is going to expire soon or it is good.
+
+- `acm_certificates_expiration_check`
+
 #### Athena
 When you create an AWS Account, Athena will create a default primary workgroup for you.
 Prowler will check if that workgroup is enabled and if it is being used by checking if there were queries in the last 45 days.

prowler/__main__.py

@@ -180,7 +180,8 @@ def prowler():
 
     # Import custom checks from folder
     if checks_folder:
-        parse_checks_from_folder(global_provider, checks_folder)
+        custom_checks = parse_checks_from_folder(global_provider, checks_folder)
+        checks_to_execute.update(custom_checks)
 
     # Exclude checks if -e/--excluded-checks
     if excluded_checks:

prowler/config/config.py

@@ -1,6 +1,5 @@
 import os
 import pathlib
-import sys
 from datetime import datetime, timezone
 from os import getcwd
 
@@ -11,7 +10,7 @@ from prowler.lib.logger import logger
 
 timestamp = datetime.today()
 timestamp_utc = datetime.now(timezone.utc).replace(tzinfo=timezone.utc)
-prowler_version = "4.2.2"
+prowler_version = "4.2.3"
 html_logo_url = "https://github.com/prowler-cloud/prowler/"
 square_logo_img = "https://prowler.com/wp-content/uploads/logo-html.png"
 aws_logo = "https://user-images.githubusercontent.com/38561120/235953920-3e3fba08-0795-41dc-b480-9bea57db9f2e.png"
@@ -99,52 +98,87 @@ def check_current_version():
 
 def load_and_validate_config_file(provider: str, config_file_path: str) -> dict:
     """
-    load_and_validate_config_file reads the Prowler config file in YAML format from the default location or the file passed with the --config-file flag
+    Reads the Prowler config file in YAML format from the default location or the file passed with the --config-file flag.
+
+    Args:
+        provider (str): The provider name (e.g., 'aws', 'gcp', 'azure', 'kubernetes').
+        config_file_path (str): The path to the configuration file.
+
+    Returns:
+        dict: The configuration dictionary for the specified provider.
     """
     try:
-        with open(config_file_path) as f:
-            config = {}
+        with open(config_file_path, "r", encoding="utf-8") as f:
             config_file = yaml.safe_load(f)
 
-            # Not to introduce a breaking change we have to allow the old format config file without any provider keys
-            # and a new format with a key for each provider to include their configuration values within
-            # Check if the new format is passed
-            if (
-                "aws" in config_file
-                or "gcp" in config_file
-                or "azure" in config_file
-                or "kubernetes" in config_file
-            ):
+            # Not to introduce a breaking change, allow the old format config file without any provider keys
+            # and a new format with a key for each provider to include their configuration values within.
+            if any(key in config_file for key in ["aws", "gcp", "azure", "kubernetes"]):
                 config = config_file.get(provider, {})
             else:
                 config = config_file if config_file else {}
-                # Not to break Azure, K8s and GCP does not support neither use the old config format
+                # Not to break Azure, K8s and GCP does not support or use the old config format
                 if provider in ["azure", "gcp", "kubernetes"]:
                     config = {}
 
             return config
 
-    except Exception as error:
-        logger.critical(
+    except FileNotFoundError as error:
+        logger.error(
             f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
         )
-        sys.exit(1)
+    except yaml.YAMLError as error:
+        logger.error(
+            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+        )
+    except UnicodeDecodeError as error:
+        logger.error(
+            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+        )
+    except Exception as error:
+        logger.error(
+            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+        )
+
+    return {}
 
 
 def load_and_validate_fixer_config_file(
     provider: str, fixer_config_file_path: str
 ) -> dict:
     """
-    load_and_validate_fixer_config_file reads the Prowler fixer config file in YAML format from the default location or the file passed with the --fixer-config flag
+    Reads the Prowler fixer config file in YAML format from the default location or the file passed with the --fixer-config flag.
+
+    Args:
+        provider (str): The provider name (e.g., 'aws', 'gcp', 'azure', 'kubernetes').
+        fixer_config_file_path (str): The path to the fixer configuration file.
+
+    Returns:
+        dict: The fixer configuration dictionary for the specified provider.
+
+    Raises:
+        SystemExit: If there is an error reading or parsing the fixer configuration file.
     """
     try:
-        with open(fixer_config_file_path) as f:
+        with open(fixer_config_file_path, "r", encoding="utf-8") as f:
             fixer_config_file = yaml.safe_load(f)
-
             return fixer_config_file.get(provider, {})
 
-    except Exception as error:
-        logger.critical(
+    except FileNotFoundError as error:
+        logger.error(
             f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
         )
-        sys.exit(1)
+    except yaml.YAMLError as error:
+        logger.error(
+            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+        )
+    except UnicodeDecodeError as error:
+        logger.error(
+            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+        )
+    except Exception as error:
+        logger.error(
+            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+        )
+
+    return {}

prowler/config/config.yaml

@@ -262,10 +262,16 @@ aws:
       "LookupEvents",
       "Search",
     ]
+
+  # AWS RDS Configuration
   # aws.rds_instance_backup_enabled
   # Whether to check RDS instance replicas or not
   check_rds_instance_replicas: False
 
+  # AWS ACM Configuration
+  # aws.acm_certificates_expiration_check
+  days_to_expire_threshold: 7
+
 # Azure Configuration
 azure:
   # Azure Network Configuration

prowler/lib/check/check.py

@@ -126,9 +126,9 @@ def parse_checks_from_file(input_file: str, provider: str) -> set:
 
 
 # Load checks from custom folder
-def parse_checks_from_folder(provider, input_folder: str) -> int:
+def parse_checks_from_folder(provider, input_folder: str) -> set:
     try:
-        imported_checks = 0
+        custom_checks = set()
         # Check if input folder is a S3 URI
         if provider.type == "aws" and re.search(
             "^s3://([^/]+)/(.*?([^/]+))/$", input_folder
@@ -156,8 +156,8 @@ def parse_checks_from_folder(provider, input_folder: str) -> int:
                     if os.path.exists(prowler_module):
                         shutil.rmtree(prowler_module)
                     shutil.copytree(check_module, prowler_module)
-                    imported_checks += 1
-        return imported_checks
+                    custom_checks.add(check.name)
+        return custom_checks
     except Exception as error:
         logger.critical(
             f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"

prowler/lib/outputs/compliance/compliance.py

@@ -60,23 +60,28 @@ def get_check_compliance_frameworks_in_input(
 ):
     """get_check_compliance_frameworks_in_input returns a list of Compliance for the given check if the compliance framework is present in the input compliance to execute"""
     check_compliances = []
-    if bulk_checks_metadata and bulk_checks_metadata[check_id]:
-        for compliance in bulk_checks_metadata[check_id].Compliance:
-            compliance_name = ""
-            if compliance.Version:
-                compliance_name = (
-                    compliance.Framework.lower()
-                    + "_"
-                    + compliance.Version.lower()
-                    + "_"
-                    + compliance.Provider.lower()
-                )
-            else:
-                compliance_name = (
-                    compliance.Framework.lower() + "_" + compliance.Provider.lower()
-                )
-            if compliance_name.replace("-", "_") in input_compliance_frameworks:
-                check_compliances.append(compliance)
+    try:
+        if bulk_checks_metadata and bulk_checks_metadata.get(check_id):
+            for compliance in bulk_checks_metadata[check_id].Compliance:
+                compliance_name = ""
+                if compliance.Version:
+                    compliance_name = (
+                        compliance.Framework.lower()
+                        + "_"
+                        + compliance.Version.lower()
+                        + "_"
+                        + compliance.Provider.lower()
+                    )
+                else:
+                    compliance_name = (
+                        compliance.Framework.lower() + "_" + compliance.Provider.lower()
+                    )
+                if compliance_name.replace("-", "_") in input_compliance_frameworks:
+                    check_compliances.append(compliance)
+    except Exception as error:
+        logger.error(
+            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+        )
     return check_compliances
 
 

prowler/lib/outputs/html/html.py

@@ -135,18 +135,20 @@ def add_html_header(file_descriptor, provider):
 def fill_html(file_descriptor, finding):
     try:
         row_class = "p-3 mb-2 bg-success-custom"
-        finding.status = finding.status.split(".")[0]
+        finding_status = finding.status.split(".")[0]
+        # Change the status of the finding if it's muted
+        if finding.muted:
+            finding_status = f"MUTED ({finding_status})"
+            row_class = "table-warning"
         if finding.status == "MANUAL":
             row_class = "table-info"
         elif finding.status == "FAIL":
             row_class = "table-danger"
-        elif finding.status == "WARNING":
-            row_class = "table-warning"
 
         file_descriptor.write(
             f"""
                 <tr class="{row_class}">
-                    <td>{finding.status}</td>
+                    <td>{finding_status}</td>
                     <td>{finding.severity.split(".")[0]}</td>
                     <td>{finding.service_name}</td>
                     <td>{finding.region.lower()}</td>
@@ -171,33 +173,42 @@ def fill_html(file_descriptor, finding):
 def fill_html_overview_statistics(stats, output_filename, output_directory):
     try:
         filename = f"{output_directory}/{output_filename}{html_file_suffix}"
-        #  Read file
+
+        # Read file
         if path.isfile(filename):
-            with open(filename, "r") as file:
+            with open(filename, "r", encoding="utf-8") as file:
                 filedata = file.read()
 
             # Replace statistics
             # TOTAL_FINDINGS
             filedata = filedata.replace(
-                "TOTAL_FINDINGS", str(stats.get("findings_count"))
+                "TOTAL_FINDINGS", str(stats.get("findings_count", 0))
             )
             # TOTAL_RESOURCES
             filedata = filedata.replace(
-                "TOTAL_RESOURCES", str(stats.get("resources_count"))
+                "TOTAL_RESOURCES", str(stats.get("resources_count", 0))
             )
             # TOTAL_PASS
-            filedata = filedata.replace("TOTAL_PASS", str(stats.get("total_pass")))
+            filedata = filedata.replace("TOTAL_PASS", str(stats.get("total_pass", 0)))
             # TOTAL_FAIL
-            filedata = filedata.replace("TOTAL_FAIL", str(stats.get("total_fail")))
+            filedata = filedata.replace("TOTAL_FAIL", str(stats.get("total_fail", 0)))
+
             # Write file
-            with open(filename, "w") as file:
+            with open(filename, "w", encoding="utf-8") as file:
                 file.write(filedata)
 
-    except Exception as error:
-        logger.critical(
+    except FileNotFoundError as error:
+        logger.error(
+            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+        )
+    except UnicodeDecodeError as error:
+        logger.error(
+            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+        )
+    except Exception as error:
+        logger.error(
             f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
         )
-        sys.exit(1)
 
 
 def add_html_footer(output_filename, output_directory):

prowler/providers/aws/aws_regions_by_service.json

@@ -1256,9 +1256,12 @@
           "ap-south-1",
           "ap-southeast-1",
           "ap-southeast-2",
+          "ca-central-1",
           "eu-central-1",
           "eu-west-1",
+          "eu-west-2",
           "eu-west-3",
+          "sa-east-1",
           "us-east-1",
           "us-west-2"
         ],

prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py

@@ -1,33 +1,36 @@
 from prowler.lib.check.models import Check, Check_Report_AWS
 from prowler.providers.aws.services.acm.acm_client import acm_client
 
-DAYS_TO_EXPIRE_THRESHOLD = 7
-
 
 class acm_certificates_expiration_check(Check):
     def execute(self):
         findings = []
         for certificate in acm_client.certificates:
-            report = Check_Report_AWS(self.metadata())
-            report.region = certificate.region
-            if certificate.expiration_days > DAYS_TO_EXPIRE_THRESHOLD:
-                report.status = "PASS"
-                report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} expires in {certificate.expiration_days} days."
-                report.resource_id = certificate.id
-                report.resource_details = certificate.name
-                report.resource_arn = certificate.arn
-                report.resource_tags = certificate.tags
-            else:
-                report.status = "FAIL"
-                if certificate.expiration_days < 0:
-                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has expired ({abs(certificate.expiration_days)} days ago)."
+            if certificate.in_use or acm_client.provider.scan_unused_services:
+                report = Check_Report_AWS(self.metadata())
+                report.region = certificate.region
+                if certificate.expiration_days > acm_client.audit_config.get(
+                    "days_to_expire_threshold", 7
+                ):
+                    report.status = "PASS"
+                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} expires in {certificate.expiration_days} days."
+                    report.resource_id = certificate.id
+                    report.resource_details = certificate.name
+                    report.resource_arn = certificate.arn
+                    report.resource_tags = certificate.tags
                 else:
-                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is about to expire in {certificate.expiration_days} days."
+                    report.status = "FAIL"
+                    if certificate.expiration_days < 0:
+                        report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has expired ({abs(certificate.expiration_days)} days ago)."
+                        report.check_metadata.Severity = "high"
+                    else:
+                        report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is about to expire in {certificate.expiration_days} days."
+                        report.check_metadata.Severity = "medium"
 
-                report.resource_id = certificate.id
-                report.resource_details = certificate.name
-                report.resource_arn = certificate.arn
-                report.resource_tags = certificate.tags
+                    report.resource_id = certificate.id
+                    report.resource_details = certificate.name
+                    report.resource_arn = certificate.arn
+                    report.resource_tags = certificate.tags
 
-            findings.append(report)
+                findings.append(report)
         return findings

prowler/providers/aws/services/acm/acm_service.py

@@ -50,6 +50,7 @@ class ACM(AWSService):
                                 id=certificate["CertificateArn"].split("/")[-1],
                                 type=certificate["Type"],
                                 expiration_days=certificate_expiration_time,
+                                in_use=certificate.get("InUse", False),
                                 transparency_logging=False,
                                 region=regional_client.region,
                             )
@@ -99,5 +100,6 @@ class Certificate(BaseModel):
     type: str
     tags: Optional[list] = []
     expiration_days: int
+    in_use: bool
     transparency_logging: Optional[bool]
     region: str

pyproject.toml

@@ -23,7 +23,7 @@ packages = [
   {include = "dashboard"}
 ]
 readme = "README.md"
-version = "4.2.2"
+version = "4.2.3"
 
 [tool.poetry.dependencies]
 alive-progress = "3.1.5"

tests/config/config_test.py

@@ -1,3 +1,4 @@
+import logging
 import os
 import pathlib
 from unittest import mock
@@ -24,10 +25,12 @@ def mock_prowler_get_latest_release(_, **kwargs):
     return response
 
 
-config_aws = {
+old_config_aws = {
     "shodan_api_key": None,
     "max_security_group_rules": 50,
     "max_ec2_instance_age_in_days": 180,
+    "ec2_allowed_interface_types": ["api_gateway_managed", "vpc_endpoint"],
+    "ec2_allowed_instance_owners": ["amazon-elb"],
     "trusted_account_ids": [],
     "log_group_retention_days": 365,
     "max_idle_disconnect_timeout_in_seconds": 600,
@@ -59,14 +62,231 @@ config_aws = {
     "organizations_enabled_regions": [],
     "organizations_trusted_delegated_administrators": [],
     "check_rds_instance_replicas": False,
-    "ec2_allowed_interface_types": [
-        "api_gateway_managed",
-        "vpc_endpoint",
-    ],
+    "days_to_expire_threshold": 7,
+}
+config_aws = {
+    "mute_non_default_regions": False,
+    "max_unused_access_keys_days": 45,
+    "max_console_access_days": 45,
+    "shodan_api_key": None,
+    "max_security_group_rules": 50,
+    "max_ec2_instance_age_in_days": 180,
+    "ec2_allowed_interface_types": ["api_gateway_managed", "vpc_endpoint"],
     "ec2_allowed_instance_owners": ["amazon-elb"],
+    "trusted_account_ids": [],
+    "log_group_retention_days": 365,
+    "max_idle_disconnect_timeout_in_seconds": 600,
+    "max_disconnect_timeout_in_seconds": 300,
+    "max_session_duration_seconds": 36000,
+    "obsolete_lambda_runtimes": [
+        "java8",
+        "go1.x",
+        "provided",
+        "python3.6",
+        "python2.7",
+        "python3.7",
+        "nodejs4.3",
+        "nodejs4.3-edge",
+        "nodejs6.10",
+        "nodejs",
+        "nodejs8.10",
+        "nodejs10.x",
+        "nodejs12.x",
+        "nodejs14.x",
+        "dotnet5.0",
+        "dotnetcore1.0",
+        "dotnetcore2.0",
+        "dotnetcore2.1",
+        "dotnetcore3.1",
+        "ruby2.5",
+        "ruby2.7",
+    ],
+    "organizations_enabled_regions": [],
+    "organizations_trusted_delegated_administrators": [],
+    "ecr_repository_vulnerability_minimum_severity": "MEDIUM",
+    "verify_premium_support_plans": True,
+    "threat_detection_privilege_escalation_threshold": 0.1,
+    "threat_detection_privilege_escalation_minutes": 1440,
+    "threat_detection_privilege_escalation_actions": [
+        "AddPermission",
+        "AddRoleToInstanceProfile",
+        "AddUserToGroup",
+        "AssociateAccessPolicy",
+        "AssumeRole",
+        "AttachGroupPolicy",
+        "AttachRolePolicy",
+        "AttachUserPolicy",
+        "ChangePassword",
+        "CreateAccessEntry",
+        "CreateAccessKey",
+        "CreateDevEndpoint",
+        "CreateEventSourceMapping",
+        "CreateFunction",
+        "CreateGroup",
+        "CreateJob",
+        "CreateKeyPair",
+        "CreateLoginProfile",
+        "CreatePipeline",
+        "CreatePolicyVersion",
+        "CreateRole",
+        "CreateStack",
+        "DeleteRolePermissionsBoundary",
+        "DeleteRolePolicy",
+        "DeleteUserPermissionsBoundary",
+        "DeleteUserPolicy",
+        "DetachRolePolicy",
+        "DetachUserPolicy",
+        "GetCredentialsForIdentity",
+        "GetId",
+        "GetPolicyVersion",
+        "GetUserPolicy",
+        "Invoke",
+        "ModifyInstanceAttribute",
+        "PassRole",
+        "PutGroupPolicy",
+        "PutPipelineDefinition",
+        "PutRolePermissionsBoundary",
+        "PutRolePolicy",
+        "PutUserPermissionsBoundary",
+        "PutUserPolicy",
+        "ReplaceIamInstanceProfileAssociation",
+        "RunInstances",
+        "SetDefaultPolicyVersion",
+        "UpdateAccessKey",
+        "UpdateAssumeRolePolicy",
+        "UpdateDevEndpoint",
+        "UpdateEventSourceMapping",
+        "UpdateFunctionCode",
+        "UpdateJob",
+        "UpdateLoginProfile",
+    ],
+    "threat_detection_enumeration_threshold": 0.1,
+    "threat_detection_enumeration_minutes": 1440,
+    "threat_detection_enumeration_actions": [
+        "DescribeAccessEntry",
+        "DescribeAccountAttributes",
+        "DescribeAvailabilityZones",
+        "DescribeBundleTasks",
+        "DescribeCarrierGateways",
+        "DescribeClientVpnRoutes",
+        "DescribeCluster",
+        "DescribeDhcpOptions",
+        "DescribeFlowLogs",
+        "DescribeImages",
+        "DescribeInstanceAttribute",
+        "DescribeInstanceInformation",
+        "DescribeInstanceTypes",
+        "DescribeInstances",
+        "DescribeInstances",
+        "DescribeKeyPairs",
+        "DescribeLogGroups",
+        "DescribeLogStreams",
+        "DescribeOrganization",
+        "DescribeRegions",
+        "DescribeSecurityGroups",
+        "DescribeSnapshotAttribute",
+        "DescribeSnapshotTierStatus",
+        "DescribeSubscriptionFilters",
+        "DescribeTransitGatewayMulticastDomains",
+        "DescribeVolumes",
+        "DescribeVolumesModifications",
+        "DescribeVpcEndpointConnectionNotifications",
+        "DescribeVpcs",
+        "GetAccount",
+        "GetAccountAuthorizationDetails",
+        "GetAccountSendingEnabled",
+        "GetBucketAcl",
+        "GetBucketLogging",
+        "GetBucketPolicy",
+        "GetBucketReplication",
+        "GetBucketVersioning",
+        "GetCallerIdentity",
+        "GetCertificate",
+        "GetConsoleScreenshot",
+        "GetCostAndUsage",
+        "GetDetector",
+        "GetEbsDefaultKmsKeyId",
+        "GetEbsEncryptionByDefault",
+        "GetFindings",
+        "GetFlowLogsIntegrationTemplate",
+        "GetIdentityVerificationAttributes",
+        "GetInstances",
+        "GetIntrospectionSchema",
+        "GetLaunchTemplateData",
+        "GetLaunchTemplateData",
+        "GetLogRecord",
+        "GetParameters",
+        "GetPolicyVersion",
+        "GetPublicAccessBlock",
+        "GetQueryResults",
+        "GetRegions",
+        "GetSMSAttributes",
+        "GetSMSSandboxAccountStatus",
+        "GetSendQuota",
+        "GetTransitGatewayRouteTableAssociations",
+        "GetUserPolicy",
+        "HeadObject",
+        "ListAccessKeys",
+        "ListAccounts",
+        "ListAllMyBuckets",
+        "ListAssociatedAccessPolicies",
+        "ListAttachedUserPolicies",
+        "ListClusters",
+        "ListDetectors",
+        "ListDomains",
+        "ListFindings",
+        "ListHostedZones",
+        "ListIPSets",
+        "ListIdentities",
+        "ListInstanceProfiles",
+        "ListObjects",
+        "ListOrganizationalUnitsForParent",
+        "ListOriginationNumbers",
+        "ListPolicyVersions",
+        "ListRoles",
+        "ListRoles",
+        "ListRules",
+        "ListServiceQuotas",
+        "ListSubscriptions",
+        "ListTargetsByRule",
+        "ListTopics",
+        "ListUsers",
+        "LookupEvents",
+        "Search",
+    ],
+    "check_rds_instance_replicas": False,
+    "days_to_expire_threshold": 7,
 }
 
-config_azure = {"shodan_api_key": None}
+config_azure = {
+    "shodan_api_key": None,
+    "php_latest_version": "8.2",
+    "python_latest_version": "3.12",
+    "java_latest_version": "17",
+}
+
+config_gcp = {"shodan_api_key": None}
+
+config_kubernetes = {
+    "audit_log_maxbackup": 10,
+    "audit_log_maxsize": 100,
+    "audit_log_maxage": 30,
+    "apiserver_strong_ciphers": [
+        "TLS_AES_128_GCM_SHA256",
+        "TLS_AES_256_GCM_SHA384",
+        "TLS_CHACHA20_POLY1305_SHA256",
+    ],
+    "kubelet_strong_ciphers": [
+        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+        "TLS_RSA_WITH_AES_256_GCM_SHA384",
+        "TLS_RSA_WITH_AES_128_GCM_SHA256",
+    ],
+}
 
 
 class Test_Config:
@@ -131,7 +351,7 @@ class Test_Config:
         path = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))
         config_test_file = f"{path}/fixtures/config.yaml"
         provider = "aws"
-
+        print(load_and_validate_config_file(provider, config_test_file))
         assert load_and_validate_config_file(provider, config_test_file) == config_aws
 
     def test_load_and_validate_config_file_gcp(self):
@@ -139,14 +359,17 @@ class Test_Config:
         config_test_file = f"{path}/fixtures/config.yaml"
         provider = "gcp"
 
-        assert load_and_validate_config_file(provider, config_test_file) is None
+        assert load_and_validate_config_file(provider, config_test_file) == config_gcp
 
     def test_load_and_validate_config_file_kubernetes(self):
         path = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))
         config_test_file = f"{path}/fixtures/config.yaml"
         provider = "kubernetes"
-
-        assert load_and_validate_config_file(provider, config_test_file) is None
+        print(load_and_validate_config_file(provider, config_test_file))
+        assert (
+            load_and_validate_config_file(provider, config_test_file)
+            == config_kubernetes
+        )
 
     def test_load_and_validate_config_file_azure(self):
         path = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))
@@ -158,18 +381,22 @@ class Test_Config:
     def test_load_and_validate_config_file_old_format(self):
         path = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))
         config_test_file = f"{path}/fixtures/config_old.yaml"
-
-        assert load_and_validate_config_file("aws", config_test_file) == config_aws
+        print(load_and_validate_config_file("aws", config_test_file))
+        assert load_and_validate_config_file("aws", config_test_file) == old_config_aws
         assert load_and_validate_config_file("gcp", config_test_file) == {}
         assert load_and_validate_config_file("azure", config_test_file) == {}
         assert load_and_validate_config_file("kubernetes", config_test_file) == {}
 
-    def test_load_and_validate_config_file_invalid_config_file_path(self):
+    def test_load_and_validate_config_file_invalid_config_file_path(self, caplog):
         provider = "aws"
         config_file_path = "invalid/path/to/fixer_config.yaml"
 
-        with pytest.raises(SystemExit):
-            load_and_validate_config_file(provider, config_file_path)
+        with caplog.at_level(logging.ERROR):
+            result = load_and_validate_config_file(provider, config_file_path)
+            assert "FileNotFoundError" in caplog.text
+            assert result == {}
+
+        assert pytest is not None
 
     def test_load_and_validate_fixer_config_aws(self):
         path = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))
@@ -199,9 +426,13 @@ class Test_Config:
 
         assert load_and_validate_fixer_config_file(provider, config_test_file) == {}
 
-    def test_load_and_validate_fixer_config_invalid_fixer_config_path(self):
+    def test_load_and_validate_fixer_config_invalid_fixer_config_path(self, caplog):
         provider = "aws"
         fixer_config_path = "invalid/path/to/fixer_config.yaml"
 
-        with pytest.raises(SystemExit):
-            load_and_validate_fixer_config_file(provider, fixer_config_path)
+        with caplog.at_level(logging.ERROR):
+            result = load_and_validate_fixer_config_file(provider, fixer_config_path)
+            assert "FileNotFoundError" in caplog.text
+            assert result == {}
+
+        assert pytest is not None

tests/config/fixtures/config.yaml

@@ -1,9 +1,29 @@
-# TODO: UPDATE YAML
-
 # AWS Configuration
 aws:
+  # AWS Global Configuration
+  # aws.mute_non_default_regions --> Set to True to muted failed findings in non-default regions for AccessAnalyzer, GuardDuty, SecurityHub, DRS and Config
+  mute_non_default_regions: False
+  # If you want to mute failed findings only in specific regions, create a file with the following syntax and run it with `prowler aws -w mutelist.yaml`:
+  # Mutelist:
+  #  Accounts:
+  #   "*":
+  #     Checks:
+  #       "*":
+  #         Regions:
+  #           - "ap-southeast-1"
+  #           - "ap-southeast-2"
+  #         Resources:
+  #           - "*"
+
+  # AWS IAM Configuration
+  # aws.iam_user_accesskey_unused --> CIS recommends 45 days
+  max_unused_access_keys_days: 45
+  # aws.iam_user_console_access_unused --> CIS recommends 45 days
+  max_console_access_days: 45
+
   # AWS EC2 Configuration
   # aws.ec2_elastic_ip_shodan
+  # TODO: create common config
   shodan_api_key: null
   # aws.ec2_securitygroup_with_many_ingress_egress_rules --> by default is 50 rules
   max_security_group_rules: 50
@@ -13,16 +33,15 @@ aws:
   # allowed network interface types for security groups open to the Internet
   ec2_allowed_interface_types:
     [
-      "api_gateway_managed",
-      "vpc_endpoint",
+        "api_gateway_managed",
+        "vpc_endpoint",
     ]
   # allowed network interface owners for security groups open to the Internet
   ec2_allowed_instance_owners:
     [
-      "amazon-elb"
+        "amazon-elb"
     ]
 
-
   # AWS VPC Configuration (vpc_endpoint_connections_trust_boundaries, vpc_endpoint_services_allowed_principals_trust_boundaries)
   # Single account environment: No action required. The AWS account number will be automatically added by the checks.
   # Multi account environment: Any additional trusted account number should be added as a space separated list, e.g.
@@ -69,27 +88,237 @@ aws:
     ]
 
   # AWS Organizations
-  # organizations_scp_check_deny_regions
-  # organizations_enabled_regions: [
-  #   'eu-central-1',
-  #   'eu-west-1',
+  # aws.organizations_scp_check_deny_regions
+  # aws.organizations_enabled_regions: [
+  #   "eu-central-1",
+  #   "eu-west-1",
   #   "us-east-1"
   # ]
   organizations_enabled_regions: []
   organizations_trusted_delegated_administrators: []
 
+  # AWS ECR
+  # aws.ecr_repositories_scan_vulnerabilities_in_latest_image
+  # CRITICAL
+  # HIGH
+  # MEDIUM
+  ecr_repository_vulnerability_minimum_severity: "MEDIUM"
+
+  # AWS Trusted Advisor
+  # aws.trustedadvisor_premium_support_plan_subscribed
+  verify_premium_support_plans: True
+
+  # AWS CloudTrail Configuration
+  # aws.cloudtrail_threat_detection_privilege_escalation
+  threat_detection_privilege_escalation_threshold: 0.1 # Percentage of actions found to decide if it is an privilege_escalation attack event, by default is 0.1 (10%)
+  threat_detection_privilege_escalation_minutes: 1440 # Past minutes to search from now for privilege_escalation attacks, by default is 1440 minutes (24 hours)
+  threat_detection_privilege_escalation_actions:
+    [
+      "AddPermission",
+      "AddRoleToInstanceProfile",
+      "AddUserToGroup",
+      "AssociateAccessPolicy",
+      "AssumeRole",
+      "AttachGroupPolicy",
+      "AttachRolePolicy",
+      "AttachUserPolicy",
+      "ChangePassword",
+      "CreateAccessEntry",
+      "CreateAccessKey",
+      "CreateDevEndpoint",
+      "CreateEventSourceMapping",
+      "CreateFunction",
+      "CreateGroup",
+      "CreateJob",
+      "CreateKeyPair",
+      "CreateLoginProfile",
+      "CreatePipeline",
+      "CreatePolicyVersion",
+      "CreateRole",
+      "CreateStack",
+      "DeleteRolePermissionsBoundary",
+      "DeleteRolePolicy",
+      "DeleteUserPermissionsBoundary",
+      "DeleteUserPolicy",
+      "DetachRolePolicy",
+      "DetachUserPolicy",
+      "GetCredentialsForIdentity",
+      "GetId",
+      "GetPolicyVersion",
+      "GetUserPolicy",
+      "Invoke",
+      "ModifyInstanceAttribute",
+      "PassRole",
+      "PutGroupPolicy",
+      "PutPipelineDefinition",
+      "PutRolePermissionsBoundary",
+      "PutRolePolicy",
+      "PutUserPermissionsBoundary",
+      "PutUserPolicy",
+      "ReplaceIamInstanceProfileAssociation",
+      "RunInstances",
+      "SetDefaultPolicyVersion",
+      "UpdateAccessKey",
+      "UpdateAssumeRolePolicy",
+      "UpdateDevEndpoint",
+      "UpdateEventSourceMapping",
+      "UpdateFunctionCode",
+      "UpdateJob",
+      "UpdateLoginProfile",
+    ]
+  # aws.cloudtrail_threat_detection_enumeration
+  threat_detection_enumeration_threshold: 0.1 # Percentage of actions found to decide if it is an enumeration attack event, by default is 0.1 (10%)
+  threat_detection_enumeration_minutes: 1440 # Past minutes to search from now for enumeration attacks, by default is 1440 minutes (24 hours)
+  threat_detection_enumeration_actions:
+    [
+      "DescribeAccessEntry",
+      "DescribeAccountAttributes",
+      "DescribeAvailabilityZones",
+      "DescribeBundleTasks",
+      "DescribeCarrierGateways",
+      "DescribeClientVpnRoutes",
+      "DescribeCluster",
+      "DescribeDhcpOptions",
+      "DescribeFlowLogs",
+      "DescribeImages",
+      "DescribeInstanceAttribute",
+      "DescribeInstanceInformation",
+      "DescribeInstanceTypes",
+      "DescribeInstances",
+      "DescribeInstances",
+      "DescribeKeyPairs",
+      "DescribeLogGroups",
+      "DescribeLogStreams",
+      "DescribeOrganization",
+      "DescribeRegions",
+      "DescribeSecurityGroups",
+      "DescribeSnapshotAttribute",
+      "DescribeSnapshotTierStatus",
+      "DescribeSubscriptionFilters",
+      "DescribeTransitGatewayMulticastDomains",
+      "DescribeVolumes",
+      "DescribeVolumesModifications",
+      "DescribeVpcEndpointConnectionNotifications",
+      "DescribeVpcs",
+      "GetAccount",
+      "GetAccountAuthorizationDetails",
+      "GetAccountSendingEnabled",
+      "GetBucketAcl",
+      "GetBucketLogging",
+      "GetBucketPolicy",
+      "GetBucketReplication",
+      "GetBucketVersioning",
+      "GetCallerIdentity",
+      "GetCertificate",
+      "GetConsoleScreenshot",
+      "GetCostAndUsage",
+      "GetDetector",
+      "GetEbsDefaultKmsKeyId",
+      "GetEbsEncryptionByDefault",
+      "GetFindings",
+      "GetFlowLogsIntegrationTemplate",
+      "GetIdentityVerificationAttributes",
+      "GetInstances",
+      "GetIntrospectionSchema",
+      "GetLaunchTemplateData",
+      "GetLaunchTemplateData",
+      "GetLogRecord",
+      "GetParameters",
+      "GetPolicyVersion",
+      "GetPublicAccessBlock",
+      "GetQueryResults",
+      "GetRegions",
+      "GetSMSAttributes",
+      "GetSMSSandboxAccountStatus",
+      "GetSendQuota",
+      "GetTransitGatewayRouteTableAssociations",
+      "GetUserPolicy",
+      "HeadObject",
+      "ListAccessKeys",
+      "ListAccounts",
+      "ListAllMyBuckets",
+      "ListAssociatedAccessPolicies",
+      "ListAttachedUserPolicies",
+      "ListClusters",
+      "ListDetectors",
+      "ListDomains",
+      "ListFindings",
+      "ListHostedZones",
+      "ListIPSets",
+      "ListIdentities",
+      "ListInstanceProfiles",
+      "ListObjects",
+      "ListOrganizationalUnitsForParent",
+      "ListOriginationNumbers",
+      "ListPolicyVersions",
+      "ListRoles",
+      "ListRoles",
+      "ListRules",
+      "ListServiceQuotas",
+      "ListSubscriptions",
+      "ListTargetsByRule",
+      "ListTopics",
+      "ListUsers",
+      "LookupEvents",
+      "Search",
+    ]
+
+  # AWS RDS Configuration
   # aws.rds_instance_backup_enabled
   # Whether to check RDS instance replicas or not
   check_rds_instance_replicas: False
 
+  # AWS ACM Configuration
+  # aws.acm_certificates_expiration_check
+  days_to_expire_threshold: 7
+
 # Azure Configuration
 azure:
   # Azure Network Configuration
   # azure.network_public_ip_shodan
+  # TODO: create common config
   shodan_api_key: null
 
+  # Azure App Service
+  # azure.app_ensure_php_version_is_latest
+  php_latest_version: "8.2"
+  # azure.app_ensure_python_version_is_latest
+  python_latest_version: "3.12"
+  # azure.app_ensure_java_version_is_latest
+  java_latest_version: "17"
+
 # GCP Configuration
 gcp:
+  # GCP Compute Configuration
+  # gcp.compute_public_address_shodan
+  shodan_api_key: null
 
 # Kubernetes Configuration
 kubernetes:
+  # Kubernetes API Server
+  # kubernetes.apiserver_audit_log_maxbackup_set
+  audit_log_maxbackup: 10
+  # kubernetes.apiserver_audit_log_maxsize_set
+  audit_log_maxsize: 100
+  # kubernetes.apiserver_audit_log_maxage_set
+  audit_log_maxage: 30
+  # kubernetes.apiserver_strong_ciphers_only
+  apiserver_strong_ciphers:
+    [
+      "TLS_AES_128_GCM_SHA256",
+      "TLS_AES_256_GCM_SHA384",
+      "TLS_CHACHA20_POLY1305_SHA256",
+    ]
+  # Kubelet
+  # kubernetes.kubelet_strong_ciphers_only
+  kubelet_strong_ciphers:
+    [
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+      "TLS_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_RSA_WITH_AES_128_GCM_SHA256",
+    ]

tests/config/fixtures/config_old.yaml

@@ -76,3 +76,7 @@ organizations_trusted_delegated_administrators: []
 # aws.rds_instance_backup_enabled
 # Whether to check RDS instance replicas or not
 check_rds_instance_replicas: False
+
+# AWS ACM Configuration
+# aws.acm_certificates_expiration_check
+days_to_expire_threshold: 7

tests/lib/check/check_test.py

@@ -453,14 +453,14 @@ class TestCheck:
                     "path": test_checks_folder,
                     "provider": "aws",
                 },
-                "expected": 3,
+                "expected": {"check11", "check12", "check7777"},
             },
             {
                 "input": {
                     "path": "s3://test/checks_folder/",
                     "provider": "aws",
                 },
-                "expected": 3,
+                "expected": {"check11", "check12", "check7777"},
             },
         ]
 

tests/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check_test.py

@@ -33,6 +33,7 @@ class Test_acm_certificates_expiration_check:
         certificate_name = "test-certificate.com"
         certificate_type = "AMAZON_ISSUED"
         expiration_days = 5
+        in_use = True
 
         acm_client = mock.MagicMock
         acm_client.certificates = [
@@ -42,11 +43,14 @@ class Test_acm_certificates_expiration_check:
                 name=certificate_name,
                 type=certificate_type,
                 expiration_days=expiration_days,
+                in_use=in_use,
                 transparency_logging=True,
                 region=AWS_REGION,
             )
         ]
 
+        acm_client.audit_config = {"days_to_expire_threshold": 7}
+
         with mock.patch(
             "prowler.providers.aws.services.acm.acm_service.ACM",
             new=acm_client,
@@ -76,6 +80,7 @@ class Test_acm_certificates_expiration_check:
         certificate_name = "test-certificate.com"
         certificate_type = "AMAZON_ISSUED"
         expiration_days = -400
+        in_use = True
 
         acm_client = mock.MagicMock
         acm_client.certificates = [
@@ -85,16 +90,18 @@ class Test_acm_certificates_expiration_check:
                 name=certificate_name,
                 type=certificate_type,
                 expiration_days=expiration_days,
+                in_use=in_use,
                 transparency_logging=True,
                 region=AWS_REGION,
             )
         ]
 
+        acm_client.audit_config = {"days_to_expire_threshold": 7}
+
         with mock.patch(
             "prowler.providers.aws.services.acm.acm_service.ACM",
             new=acm_client,
         ):
-            # Test Check
             from prowler.providers.aws.services.acm.acm_certificates_expiration_check.acm_certificates_expiration_check import (
                 acm_certificates_expiration_check,
             )
@@ -119,6 +126,7 @@ class Test_acm_certificates_expiration_check:
         certificate_name = "test-certificate.com"
         certificate_type = "AMAZON_ISSUED"
         expiration_days = 365
+        in_use = True
 
         acm_client = mock.MagicMock
         acm_client.certificates = [
@@ -128,16 +136,18 @@ class Test_acm_certificates_expiration_check:
                 name=certificate_name,
                 type=certificate_type,
                 expiration_days=expiration_days,
+                in_use=in_use,
                 transparency_logging=True,
                 region=AWS_REGION,
             )
         ]
 
+        acm_client.audit_config = {"days_to_expire_threshold": 7}
+
         with mock.patch(
             "prowler.providers.aws.services.acm.acm_service.ACM",
             new=acm_client,
         ):
-            # Test Check
             from prowler.providers.aws.services.acm.acm_certificates_expiration_check.acm_certificates_expiration_check import (
                 acm_certificates_expiration_check,
             )
@@ -155,3 +165,90 @@ class Test_acm_certificates_expiration_check:
             assert result[0].resource_arn == certificate_arn
             assert result[0].region == AWS_REGION
             assert result[0].resource_tags == []
+
+    def test_acm_certificate_not_in_use(self):
+        certificate_id = str(uuid.uuid4())
+        certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
+        certificate_name = "test-certificate.com"
+        certificate_type = "AMAZON_ISSUED"
+        expiration_days = 365
+        in_use = False
+
+        acm_client = mock.MagicMock
+        acm_client.certificates = [
+            Certificate(
+                arn=certificate_arn,
+                id=certificate_id,
+                name=certificate_name,
+                type=certificate_type,
+                expiration_days=expiration_days,
+                in_use=in_use,
+                transparency_logging=True,
+                region=AWS_REGION,
+            )
+        ]
+
+        acm_client.audit_config = {"days_to_expire_threshold": 7}
+
+        acm_client.provider = mock.MagicMock(scan_unused_services=False)
+
+        with mock.patch(
+            "prowler.providers.aws.services.acm.acm_service.ACM",
+            new=acm_client,
+        ):
+            from prowler.providers.aws.services.acm.acm_certificates_expiration_check.acm_certificates_expiration_check import (
+                acm_certificates_expiration_check,
+            )
+
+            check = acm_certificates_expiration_check()
+            result = check.execute()
+
+            assert len(result) == 0
+
+    def test_acm_certificate_not_in_use_expired_scan_unused_services(self):
+        certificate_id = str(uuid.uuid4())
+        certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
+        certificate_name = "test-certificate.com"
+        certificate_type = "AMAZON_ISSUED"
+        expiration_days = -400
+        in_use = False
+
+        acm_client = mock.MagicMock
+        acm_client.certificates = [
+            Certificate(
+                arn=certificate_arn,
+                id=certificate_id,
+                name=certificate_name,
+                type=certificate_type,
+                expiration_days=expiration_days,
+                in_use=in_use,
+                transparency_logging=True,
+                region=AWS_REGION,
+            )
+        ]
+
+        acm_client.audit_config = {"days_to_expire_threshold": 7}
+
+        acm_client.provider = mock.MagicMock(scan_unused_services=True)
+
+        with mock.patch(
+            "prowler.providers.aws.services.acm.acm_service.ACM",
+            new=acm_client,
+        ):
+            from prowler.providers.aws.services.acm.acm_certificates_expiration_check.acm_certificates_expiration_check import (
+                acm_certificates_expiration_check,
+            )
+
+            check = acm_certificates_expiration_check()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"ACM Certificate {certificate_id} for {certificate_name} has expired ({abs(expiration_days)} days ago)."
+            )
+            assert result[0].resource_id == certificate_id
+            assert result[0].resource_arn == certificate_arn
+            assert result[0].region == AWS_REGION
+            assert result[0].resource_tags == []

tests/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled_test.py

@@ -41,6 +41,7 @@ class Test_acm_certificates_transparency_logs_enabled:
                 type=certificate_type,
                 expiration_days=365,
                 transparency_logging=True,
+                in_use=True,
                 region=AWS_REGION,
             )
         ]
@@ -83,6 +84,7 @@ class Test_acm_certificates_transparency_logs_enabled:
                 type=certificate_type,
                 expiration_days=365,
                 transparency_logging=False,
+                in_use=True,
                 region=AWS_REGION,
             )
         ]