fix(aws): handle AccessDenied when retrieving resource policy (#6908 )

Co-authored-by: Pedro Martín <pedromarting3@gmail.com> (cherry picked from commit d1053375b7) # Conflicts: # prowler/providers/aws/services/awslambda/awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.py # prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.py # prowler/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.py # prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py # prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.py # prowler/providers/aws/services/eventbridge/eventbridge_bus_exposed/eventbridge_bus_exposed.py # prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.py # prowler/providers/aws/services/glue/glue_data_catalogs_not_publicly_accessible/glue_data_catalogs_not_publicly_accessible.py # prowler/providers/aws/services/s3/s3_bucket_cross_account_access/s3_bucket_cross_account_access.py # prowler/providers/aws/services/s3/s3_bucket_policy_public_write_access/s3_bucket_policy_public_write_access.py # prowler/providers/aws/services/secretsmanager/secretsmanager_not_publicly_accessible/secretsmanager_not_publicly_accessible.py # prowler/providers/aws/services/ses/ses_identity_not_publicly_accessible/ses_identity_not_publicly_accessible.py
fix(kms): Amazon KMS API call error handling (#6903 )
2026-06-10 21:42:29 +00:00 · 2025-02-12 20:31:49 +00:00 · 2025-02-12 11:08:29 -05:00 · 2025-02-11 11:25:35 -05:00 · 2025-02-11 10:25:18 -05:00 · 2025-02-10 19:29:43 -05:00
2003 changed files with 127873 additions and 19619 deletions
@@ -0,0 +1,14 @@
+{
+  "repoOwner": "prowler-cloud",
+  "repoName": "prowler",
+  "targetPRLabels": [
+    "backport"
+  ],
+  "sourcePRLabels": [
+    "was-backported"
+  ],
+  "copySourcePRLabels": false,
+  "copySourcePRReviewers": true,
+  "prTitle": "{{sourcePullRequest.title}}",
+  "commitConflicts": true
+}
@@ -1,4 +1,4 @@
-* @prowler-cloud/sdk @prowler-cloud/checks
+* @prowler-cloud/sdk @prowler-cloud/detection-and-remediation

 # To protect a repository fully against unauthorized changes, you also need to define an owner for the CODEOWNERS file itself.
 # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-and-branch-protection
@@ -5,6 +5,7 @@

 version: 2
 updates:
+  # v5
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
@@ -14,29 +15,69 @@ updates:
    labels:
      - "dependencies"
      - "pip"
+
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
    target-branch: master
+    labels:
+      - "dependencies"
+      - "github_actions"

-  - package-ecosystem: "pip"
+  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
+    target-branch: master
+    labels:
+      - "dependencies"
+      - "npm"
+
+  # v4.6
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    target-branch: v4.6
+    labels:
+      - "dependencies"
+      - "pip"
+      - "v4"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    target-branch: v4.6
+    labels:
+      - "dependencies"
+      - "github_actions"
+      - "v4"
+
+  # v3
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 10
    target-branch: v3
    labels:
      - "dependencies"
      - "pip"
      - "v3"
+
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
-      interval: "daily"
+      interval: "monthly"
    open-pull-requests-limit: 10
    target-branch: v3
    labels:
+      - "dependencies"
      - "github_actions"
      - "v3"
@@ -79,3 +79,10 @@ output/csv:
  - changed-files:
      - any-glob-to-any-file: "prowler/lib/outputs/csv/**"
      - any-glob-to-any-file: "tests/lib/outputs/csv/**"
+
+compliance:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/lib/outputs/compliance/**"
+      - any-glob-to-any-file: "tests/lib/outputs/compliance/**"
+      - any-glob-to-any-file: "prowler/compliance/**"
+
@@ -2,11 +2,19 @@

 Please include relevant motivation and context for this PR.

+If fixes an issue please add it with `Fix #XXXX`

 ### Description

 Please include a summary of the change and which issue is fixed. List any dependencies that are required for this change.

+### Checklist
+
+- Are there new checks included in this PR? Yes / No
+    - If so, do we need to update permissions for the provider? Please review this carefully.
+- [ ] Review if the code is being covered by tests.
+- [ ] Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
+- [ ] Review if backport is needed.

 ### License

@@ -0,0 +1,42 @@
+name: Automatic Backport
+
+on:
+  pull_request_target:
+    branches: ['master']
+    types: ['labeled', 'closed']
+
+jobs:
+  backport:
+    name: Backport PR
+    if: github.event.pull_request.merged == true && !(contains(github.event.pull_request.labels.*.name, 'backport'))
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      pull-requests: write
+      contents: write
+    steps:
+      # Workaround not to fail the workflow if the PR does not need a backport
+      # https://github.com/sorenlouv/backport-github-action/issues/127#issuecomment-2258561266
+      - name: Check for backport labels
+        id: check_labels
+        run: |-
+          labels='${{ toJSON(github.event.pull_request.labels.*.name) }}'
+          echo "$labels"
+          matched=$(echo "${labels}" | jq '. | map(select(startswith("backport-to-"))) | length')
+          echo "matched=$matched"
+          echo "matched=$matched" >> $GITHUB_OUTPUT
+
+      - name: Backport Action
+        if: fromJSON(steps.check_labels.outputs.matched) > 0
+        uses: sorenlouv/backport-github-action@v9.5.1
+        with:
+          github_token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          auto_backport_label_prefix: backport-to-
+
+      - name: Info log
+        if: ${{ success() && fromJSON(steps.check_labels.outputs.matched) > 0 }}
+        run: cat ~/.backport/backport.info.log
+
+      - name: Debug log
+        if: ${{ failure() && fromJSON(steps.check_labels.outputs.matched) > 0 }}
+        run: cat ~/.backport/backport.debug.log
@@ -16,9 +16,9 @@ jobs:
    name: Documentation Link
    runs-on: ubuntu-latest
    steps:
-      - name: Leave PR comment with the SaaS Documentation URI
+      - name: Leave PR comment with the Prowler Documentation URI
        uses: peter-evans/create-or-update-comment@v4
        with:
          issue-number: ${{ env.PR_NUMBER }}
          body: |
-            You can check the documentation for this PR here -> [SaaS Documentation](https://prowler-prowler-docs--${{ env.PR_NUMBER }}.com.readthedocs.build/projects/prowler-open-source/en/${{ env.PR_NUMBER }}/)
+            You can check the documentation for this PR here -> [Prowler Documentation](https://prowler-prowler-docs--${{ env.PR_NUMBER }}.com.readthedocs.build/projects/prowler-open-source/en/${{ env.PR_NUMBER }}/)
@@ -3,7 +3,11 @@ name: build-lint-push-containers
 on:
  push:
    branches:
+      # For `v3-latest`
      - "v3"
+      # For `v4-latest`
+      - "v4.6"
+      # For `latest`
      - "master"
    paths-ignore:
      - ".github/**"
@@ -43,7 +47,7 @@ jobs:
    runs-on: ubuntu-latest
    outputs:
      prowler_version_major: ${{ steps.get-prowler-version.outputs.PROWLER_VERSION_MAJOR }}
-      prowler_version: ${{ steps.update-prowler-version.outputs.PROWLER_VERSION }}
+      prowler_version: ${{ steps.get-prowler-version.outputs.PROWLER_VERSION }}
    env:
      POETRY_VIRTUALENVS_CREATE: "false"

@@ -58,13 +62,15 @@ jobs:

      - name: Install Poetry
        run: |
-          pipx install poetry
+          pipx install poetry==1.8.5
          pipx inject poetry poetry-bumpversion

      - name: Get Prowler version
        id: get-prowler-version
        run: |
          PROWLER_VERSION="$(poetry version -s 2>/dev/null)"
+          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_ENV}"
+          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"

          # Store prowler version major just for the release
          PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}"
@@ -78,8 +84,8 @@ jobs:
              ;;

          4)
-              echo "LATEST_TAG=latest" >> "${GITHUB_ENV}"
-              echo "STABLE_TAG=stable" >> "${GITHUB_ENV}"
+              echo "LATEST_TAG=v4-latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=v4-stable" >> "${GITHUB_ENV}"
              ;;

          *)
@@ -89,15 +95,6 @@ jobs:
              ;;
          esac

-      - name: Update Prowler version (release)
-        id: update-prowler-version
-        if: github.event_name == 'release'
-        run: |
-          PROWLER_VERSION="${{ github.event.release.tag_name }}"
-          poetry version "${PROWLER_VERSION}"
-          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_ENV}"
-          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
-          
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
@@ -160,7 +157,7 @@ jobs:
        run: |
          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches \
            -H "Accept: application/vnd.github+json" \
-            -H "Authorization: Bearer ${{ secrets.ACCESS_TOKEN }}" \
+            -H "Authorization: Bearer ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            --data '{"event_type":"dispatch","client_payload":{"version":"v3-latest", "tag": "${{ env.LATEST_COMMIT_HASH }}"}}'

@@ -169,6 +166,6 @@ jobs:
        run: |
          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches \
            -H "Accept: application/vnd.github+json" \
-            -H "Authorization: Bearer ${{ secrets.ACCESS_TOKEN }}" \
+            -H "Authorization: Bearer ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            --data '{"event_type":"dispatch","client_payload":{"version":"release", "tag":"${{ needs.container-build-push.outputs.prowler_version }}"}}'
@@ -13,10 +13,10 @@ name: "CodeQL"

 on:
  push:
-    branches: [ "master", "v3" ]
+    branches: [ "master", "v3", "v4.*" ]
  pull_request:
    # The branches below must be a subset of the branches above
-    branches: [ "master", "v3" ]
+    branches: [ "master", "v3", "v4.*" ]
  schedule:
    - cron: '00 12 * * *'

@@ -11,7 +11,7 @@ jobs:
        with:
          fetch-depth: 0
      - name: TruffleHog OSS
-        uses: trufflesecurity/trufflehog@v3.80.1
+        uses: trufflesecurity/trufflehog@v3.88.6
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
@@ -5,6 +5,7 @@ on:
      branches:
        - "master"
        - "v3"
+        - "v4.*"

 jobs:
  labeler:
@@ -5,10 +5,12 @@ on:
    branches:
      - "master"
      - "v3"
+      - "v4.*"
  pull_request:
    branches:
      - "master"
      - "v3"
+      - "v4.*"
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -20,7 +22,7 @@ jobs:
      - uses: actions/checkout@v4
      - name: Test if changes are in not ignored paths
        id: are-non-ignored-files-changed
-        uses: tj-actions/changed-files@v44
+        uses: tj-actions/changed-files@v45
        with:
          files: ./**
          files_ignore: |
@@ -29,11 +31,12 @@ jobs:
            docs/**
            permissions/**
            mkdocs.yml
+            .backportrc.json
      - name: Install poetry
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
          python -m pip install --upgrade pip
-          pipx install poetry
+          pipx install poetry==1.8.5
      - name: Set up Python ${{ matrix.python-version }}
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        uses: actions/setup-python@v5
@@ -88,6 +91,6 @@ jobs:
          poetry run pytest -n auto --cov=./prowler --cov-report=xml tests
      - name: Upload coverage reports to Codecov
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
@@ -8,8 +8,6 @@ env:
  RELEASE_TAG: ${{ github.event.release.tag_name }}
  PYTHON_VERSION: 3.11
  CACHE: "poetry"
-  # TODO: create a bot user for this kind of tasks, like prowler-bot
-  GIT_COMMITTER_EMAIL: "sergio@prowler.com"

 jobs:
  release-prowler-job:
@@ -39,8 +37,7 @@ jobs:

      - name: Install dependencies
        run: |
-          pipx install poetry
-          pipx inject poetry poetry-bumpversion
+          pipx install poetry==1.8.5

      - name: Setup Python
        uses: actions/setup-python@v5
@@ -48,34 +45,6 @@ jobs:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: ${{ env.CACHE }}

-      - name: Update Poetry and config version
-        run: |
-          poetry version ${{ env.RELEASE_TAG }}
-
-      - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@v6
-        with:
-          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.GPG_PASSPHRASE }}
-          git_user_signingkey: true
-          git_commit_gpgsign: true
-
-      - name: Push updated version to the release tag
-        run: |
-          # Configure Git
-          git config user.name "github-actions"
-          git config user.email "${{ env.GIT_COMMITTER_EMAIL }}"
-
-          # Add the files with the version changed
-          git add prowler/config/config.py pyproject.toml
-          git commit -m "chore(release): ${{ env.RELEASE_TAG }}" --no-verify -S
-
-          # Replace the tag with the version updated
-          git tag -fa ${{ env.RELEASE_TAG }} -m "chore(release): ${{ env.RELEASE_TAG }}" --sign
-
-          # Push the tag
-          git push -f origin ${{ env.RELEASE_TAG }}
-
      - name: Build Prowler package
        run: |
          poetry build
@@ -50,13 +50,13 @@ jobs:

      # Create pull request
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v7
        with:
-          token: ${{ secrets.PROWLER_ACCESS_TOKEN }}
-          commit-message: "feat(regions_update): Update regions for AWS services."
+          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          commit-message: "feat(regions_update): Update regions for AWS services"
          branch: "aws-services-regions-updated-${{ github.sha }}"
-          labels: "status/waiting-for-revision, severity/low, provider/aws, backport-v3"
-          title: "chore(regions_update): Changes in regions for AWS services."
+          labels: "status/waiting-for-revision, severity/low, provider/aws, backport-to-v3"
+          title: "chore(regions_update): Changes in regions for AWS services"
          body: |
            ### Description

@@ -85,7 +85,7 @@ repos:
        # For running trufflehog in docker, use the following entry instead:
        # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
        language: system
-        stages: ["commit", "push"]
+        stages: ["pre-commit", "pre-push"]

      - id: bandit
        name: bandit
@@ -1,30 +1,29 @@
-FROM python:3.12-alpine
+FROM python:3.12.8-alpine3.20

 LABEL maintainer="https://github.com/prowler-cloud/prowler"

-# Update system dependencies
+# Update system dependencies and install essential tools
 #hadolint ignore=DL3018
-RUN apk --no-cache upgrade && apk --no-cache add curl
+RUN apk --no-cache upgrade && apk --no-cache add curl git

-# Create nonroot user
+# Create non-root user
 RUN mkdir -p /home/prowler && \
    echo 'prowler:x:1000:1000:prowler:/home/prowler:' > /etc/passwd && \
    echo 'prowler:x:1000:' > /etc/group && \
    chown -R prowler:prowler /home/prowler
 USER prowler

-# Copy necessary files
+# Copy necessary files
 WORKDIR /home/prowler
 COPY prowler/  /home/prowler/prowler/
 COPY dashboard/ /home/prowler/dashboard/
 COPY pyproject.toml /home/prowler
 COPY README.md /home/prowler

-# Install dependencies
+# Install Python dependencies
 ENV HOME='/home/prowler'
 ENV PATH="$HOME/.local/bin:$PATH"
-#hadolint ignore=DL3013
-RUN pip install --no-cache-dir --upgrade pip && \
+RUN pip install --no-cache-dir --upgrade pip setuptools wheel && \
    pip install --no-cache-dir .

 # Remove deprecated dash dependencies
@@ -10,13 +10,13 @@
 </p>

 <p align="center">
-<a href="https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog"><img width="30" height="30" alt="Prowler community on Slack" src="https://github.com/prowler-cloud/prowler/assets/38561120/3c8b4ec5-6849-41a5-b5e1-52bbb94af73a"></a>
+<a href="https://goto.prowler.com/slack"><img width="30" height="30" alt="Prowler community on Slack" src="https://github.com/prowler-cloud/prowler/assets/38561120/3c8b4ec5-6849-41a5-b5e1-52bbb94af73a"></a>
  <br>
-<a href="https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog">Join our Prowler community!</a>
+  <a href="https://goto.prowler.com/slack">Join our Prowler community!</a>
 </p>
 <hr>
 <p align="center">
-  <a href="https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog"><img alt="Slack Shield" src="https://img.shields.io/badge/slack-prowler-brightgreen.svg?logo=slack"></a>
+  <a href="https://goto.prowler.com/slack"><img alt="Slack Shield" src="https://img.shields.io/badge/slack-prowler-brightgreen.svg?logo=slack"></a>
  <a href="https://pypi.org/project/prowler/"><img alt="Python Version" src="https://img.shields.io/pypi/v/prowler.svg"></a>
  <a href="https://pypi.python.org/pypi/prowler/"><img alt="Python Version" src="https://img.shields.io/pypi/pyversions/prowler.svg"></a>
  <a href="https://pypistats.org/packages/prowler"><img alt="PyPI Prowler Downloads" src="https://img.shields.io/pypi/dw/prowler.svg?label=prowler%20downloads"></a>
@@ -63,9 +63,9 @@ It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, Fe

 | Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) |
 |---|---|---|---|---|
-| AWS | 383 | 67 -> `prowler aws --list-services` | 28 -> `prowler aws --list-compliance` | 7 -> `prowler aws --list-categories` |
-| GCP | 77 | 13 -> `prowler gcp --list-services` | 1 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`|
-| Azure | 135 | 16 -> `prowler azure --list-services` | 2 -> `prowler azure --list-compliance` | 2 -> `prowler azure --list-categories` |
+| AWS | 553 | 77 -> `prowler aws --list-services` | 30 -> `prowler aws --list-compliance` | 9 -> `prowler aws --list-categories` |
+| GCP | 77 | 13 -> `prowler gcp --list-services` | 3 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`|
+| Azure | 138 | 17 -> `prowler azure --list-services` | 4 -> `prowler azure --list-compliance` | 2 -> `prowler azure --list-categories` |
 | Kubernetes | 83 | 7 -> `prowler kubernetes --list-services` | 1 -> `prowler kubernetes --list-compliance` | 7 -> `prowler kubernetes --list-categories` |

 # 💻 Installation
@@ -12,7 +12,11 @@ Originally based on [org-multi-account](https://github.com/prowler-cloud/prowler

 ## Architecture Explanation

- The solution is designed to be very simple. Prowler is run via an ECS Task definition that launches a single Fargate container. This Task Definition is executed on a schedule using an EventBridge Rule.
+The solution is designed to be very simple. Prowler is run via an ECS Task definition that launches a single Fargate container. This Task Definition is executed on a schedule using an EventBridge Rule.
+
+## Prerequisites
+
+This solution assumes that you have a VPC architecture with two redundant subnets that can reach the AWS API endpoints (e.g. PrivateLink, NAT Gateway, etc.).

 ## CloudFormation Templates

@@ -59,9 +63,9 @@ The logs that are generated and sent to Cloudwatch are error logs, and assessmen

 ## Instructions
 1. Create a Private ECR Repository in the account that will host the Prowler container. The Audit account is recommended, but any account can be used.
- 2.  Configure the .awsvariables file. Note the ROLE name chosen as it will be the CrossAccountRole.
- 3. Follow the steps from "View Push Commands" to build and upload the container image. You need to have Docker and AWS CLI installed, and use the cli to login to the account first.  After upload note the Image URI, as it is required for the CF-Prowler-ECS template.
- 4.  Make sure SecurityHub is enabled in every account in AWS Organizations, and that the SecurityHub integration is enabled as explained in [Prowler - Security Hub Integration](https://github.com/prowler-cloud/prowler#security-hub-integration)
+ 2. Configure the .awsvariables file. Note the ROLE name chosen as it will be the CrossAccountRole.
+ 3. Follow the steps from "View Push Commands" to build and upload the container image. Substitute step 2 with the build command provided in the Dockerfile. You need to have Docker and AWS CLI installed, and use the cli to login to the account first.  After upload note the Image URI, as it is required for the CF-Prowler-ECS template. Ensure that you pay attention to the architecture while performing the docker build command. A common mistake is not specifying the architecture and then building on Apple silicon. Your task will fail with  *exec /home/prowler/.local/bin/prowler: exec format error*. 
+ 4. Make sure SecurityHub is enabled in every account in AWS Organizations, and that the SecurityHub integration is enabled as explained in [Prowler - Security Hub Integration](https://github.com/prowler-cloud/prowler#security-hub-integration)
 5. Deploy **CF-Prowler-CrossAccountRole.yml** in the Master Account as a single stack. You will have to choose the CrossAccountRole name (ProwlerXA-Role by default) and the ProwlerTaskRoleName (ProwlerECSTask-Role by default)
 6. Deploy **CF-Prowler-CrossAccountRole.yml** in every Member Account as a StackSet. Choose the same CrossAccountName and ProwlerTaskRoleName as the previous step.
 7. Deploy **CF-Prowler-IAM.yml** in the account that will host the Prowler container (the same from step 1).  The following template parameters must be provided:
@@ -91,4 +95,4 @@ If you permission find errors in the CloudWatch logs, the culprit might be a [Se
 ## Upgrading Prowler

 Prowler version is controlled by the PROWLERVER argument in the Dockerfile, change it to the desired version and follow the ECR Push Commands to update the container image.
-Old images can be deleted from the ECR Repository after the new image is confirmed to work. They will show as "untagged" as only one image can hold the "latest" tag.
+Old images can be deleted from the ECR Repository after the new image is confirmed to work. They will show as "untagged" as only one image can hold the "latest" tag.
@@ -68,7 +68,7 @@ for accountId in ${ACCOUNTS_IN_ORGS}; do
        # Run Prowler
        echo -e "Assessing AWS Account: ${accountId}, using Role: ${ROLE} on $(date)"
        # Pipe stdout to /dev/null to reduce unnecessary Cloudwatch logs
-        prowler aws -R arn:"${PARTITION}":iam::"${accountId}":role/"${ROLE}" -q -S -f "${REGION}" > /dev/null
+        prowler aws -R arn:"${PARTITION}":iam::"${accountId}":role/"${ROLE}" --security-hub --send-sh-only-fails -f "${REGION}" > /dev/null
        TOTAL_SEC=$((SECONDS - START_TIME))
        printf "Completed AWS Account: ${accountId} in %02dh:%02dm:%02ds" $((TOTAL_SEC / 3600)) $((TOTAL_SEC % 3600 / 60)) $((TOTAL_SEC % 60))
        echo ""
@@ -60,24 +60,42 @@ Resources:
                Effect: Allow
                Resource: "*"
                Action:
-                  - ds:ListAuthorizedApplications
+                  - account:Get*
+                  - appstream:Describe*
+                  - appstream:List*
+                  - backup:List*
+                  - cloudtrail:GetInsightSelectors
+                  - codeartifact:List*
+                  - codebuild:BatchGet*
+                  - cognito-idp:GetUserPoolMfaConfig
+                  - dlm:Get*
+                  - drs:Describe*
+                  - ds:Describe*
+                  - ds:Get*
+                  - ds:List*
+                  - dynamodb:GetResourcePolicy
                  - ec2:GetEbsEncryptionByDefault
+                  - ec2:GetSnapshotBlockPublicAccessState
+                  - ec2:GetInstanceMetadataDefaults
                  - ecr:Describe*
+                  - ecr:GetRegistryScanningConfiguration
                  - elasticfilesystem:DescribeBackupPolicy
                  - glue:GetConnections
-                  - glue:GetSecurityConfiguration
+                  - glue:GetSecurityConfiguration*
                  - glue:SearchTables
-                  - lambda:GetFunction
+                  - lambda:GetFunction*
+                  - logs:FilterLogEvents
+                  - lightsail:GetRelationalDatabases
+                  - macie2:GetMacieSession
                  - s3:GetAccountPublicAccessBlock
                  - shield:DescribeProtection
                  - shield:GetSubscriptionState
                  - ssm:GetDocument
+                  - ssm-incidents:List*
                  - support:Describe*
                  - tag:GetTagKeys
-        - PolicyName: Prowler-Security-Hub
-          PolicyDocument:
-            Version: 2012-10-17
-            Statement:
+                  - wellarchitected:List*
+
              - Sid: AllowProwlerSecurityHub
                Effect: Allow
                Resource: "*"
@@ -62,7 +62,7 @@ Resources:
              awslogs-stream-prefix: ecs
      Cpu: 1024
      ExecutionRoleArn: !Ref ECSExecutionRole
-      Memory: 2048
+      Memory: 8192
      NetworkMode: awsvpc
      TaskRoleArn: !Ref ProwlerTaskRole
      Family: SecurityHubProwlerTask
@@ -97,9 +97,15 @@ Outputs:
  ECSExecutionRoleARN:
    Description: ARN of the ECS Task Execution Role
    Value: !GetAtt ECSExecutionRole.Arn
+    Export:
+      Name: ECSExecutionRoleArn
  ProwlerTaskRoleARN:
    Description: ARN of the ECS Prowler Task Role
    Value: !GetAtt ProwlerTaskRole.Arn
+    Export:
+      Name: ProwlerTaskRoleArn
  ECSEventRoleARN:
    Description: ARN of the Eventbridge Task Role
    Value: !GetAtt ECSEventRole.Arn
+    Export:
+      Name: ECSEventRoleARN
@@ -2223,3 +2223,232 @@ def get_section_containers_ens(data, section_1, section_2, section_3, section_4)
        section_containers.append(section_container)

    return html.Div(section_containers, className="compliance-data-layout")
+
+
+# This function extracts and compares up to two numeric values, ensuring correct sorting for version-like strings.
+def extract_numeric_values(value):
+    numbers = re.findall(r"\d+", str(value))
+    if len(numbers) >= 2:
+        return int(numbers[0]), int(numbers[1])
+    elif len(numbers) == 1:
+        return int(numbers[0]), 0
+    return 0, 0
+
+
+def get_section_containers_kisa_ismsp(data, section_1, section_2):
+    data["STATUS"] = data["STATUS"].apply(map_status_to_icon)
+    data[section_1] = data[section_1].astype(str)
+    data[section_2] = data[section_2].astype(str)
+    data.sort_values(
+        by=section_1,
+        key=lambda x: x.map(extract_numeric_values),
+        ascending=True,
+        inplace=True,
+    )
+
+    findings_counts_section = (
+        data.groupby([section_2, "STATUS"]).size().unstack(fill_value=0)
+    )
+    findings_counts_name = (
+        data.groupby([section_1, "STATUS"]).size().unstack(fill_value=0)
+    )
+
+    section_containers = []
+
+    for name in data[section_1].unique():
+        success_name = (
+            findings_counts_name.loc[name, pass_emoji]
+            if pass_emoji in findings_counts_name.columns
+            else 0
+        )
+        failed_name = (
+            findings_counts_name.loc[name, fail_emoji]
+            if fail_emoji in findings_counts_name.columns
+            else 0
+        )
+
+        fig_name = go.Figure(
+            data=[
+                go.Bar(
+                    name="Failed",
+                    x=[failed_name],
+                    y=[""],
+                    orientation="h",
+                    marker=dict(color="#e77676"),
+                    width=[0.8],
+                ),
+                go.Bar(
+                    name="Success",
+                    x=[success_name],
+                    y=[""],
+                    orientation="h",
+                    marker=dict(color="#45cc6e"),
+                    width=[0.8],
+                ),
+            ]
+        )
+
+        fig_name.update_layout(
+            barmode="stack",
+            margin=dict(l=10, r=10, t=10, b=10),
+            paper_bgcolor="rgba(0,0,0,0)",
+            plot_bgcolor="rgba(0,0,0,0)",
+            showlegend=False,
+            width=350,
+            height=30,
+            xaxis=dict(showticklabels=False, showgrid=False, zeroline=False),
+            yaxis=dict(showticklabels=False, showgrid=False, zeroline=False),
+            annotations=[
+                dict(
+                    x=success_name + failed_name,
+                    y=0,
+                    xref="x",
+                    yref="y",
+                    text=str(success_name),
+                    showarrow=False,
+                    font=dict(color="#45cc6e", size=14),
+                    xanchor="left",
+                    yanchor="middle",
+                ),
+                dict(
+                    x=0,
+                    y=0,
+                    xref="x",
+                    yref="y",
+                    text=str(failed_name),
+                    showarrow=False,
+                    font=dict(color="#e77676", size=14),
+                    xanchor="right",
+                    yanchor="middle",
+                ),
+            ],
+        )
+
+        graph_name = dcc.Graph(
+            figure=fig_name, config={"staticPlot": True}, className="info-bar"
+        )
+
+        graph_div = html.Div(graph_name, className="graph-section")
+
+        direct_internal_items = []
+
+        for section in data[data[section_1] == name][section_2].unique():
+            specific_data = data[
+                (data[section_1] == name) & (data[section_2] == section)
+            ]
+            success_section = (
+                findings_counts_section.loc[section, pass_emoji]
+                if pass_emoji in findings_counts_section.columns
+                else 0
+            )
+            failed_section = (
+                findings_counts_section.loc[section, fail_emoji]
+                if fail_emoji in findings_counts_section.columns
+                else 0
+            )
+
+            data_table = dash_table.DataTable(
+                data=specific_data.to_dict("records"),
+                columns=[
+                    {"name": i, "id": i}
+                    for i in ["CHECKID", "STATUS", "REGION", "ACCOUNTID", "RESOURCEID"]
+                ],
+                style_table={"overflowX": "auto"},
+                style_as_list_view=True,
+                style_cell={"textAlign": "left", "padding": "5px"},
+            )
+
+            fig_section = go.Figure(
+                data=[
+                    go.Bar(
+                        name="Failed",
+                        x=[failed_section],
+                        y=[""],
+                        orientation="h",
+                        marker=dict(color="#e77676"),
+                    ),
+                    go.Bar(
+                        name="Success",
+                        x=[success_section],
+                        y=[""],
+                        orientation="h",
+                        marker=dict(color="#45cc6e"),
+                    ),
+                ]
+            )
+
+            fig_section.update_layout(
+                barmode="stack",
+                margin=dict(l=10, r=10, t=10, b=10),
+                paper_bgcolor="rgba(0,0,0,0)",
+                plot_bgcolor="rgba(0,0,0,0)",
+                showlegend=False,
+                width=350,
+                height=30,
+                xaxis=dict(showticklabels=False, showgrid=False, zeroline=False),
+                yaxis=dict(showticklabels=False, showgrid=False, zeroline=False),
+                annotations=[
+                    dict(
+                        x=success_section + failed_section,
+                        y=0,
+                        xref="x",
+                        yref="y",
+                        text=str(success_section),
+                        showarrow=False,
+                        font=dict(color="#45cc6e", size=14),
+                        xanchor="left",
+                        yanchor="middle",
+                    ),
+                    dict(
+                        x=0,
+                        y=0,
+                        xref="x",
+                        yref="y",
+                        text=str(failed_section),
+                        showarrow=False,
+                        font=dict(color="#e77676", size=14),
+                        xanchor="right",
+                        yanchor="middle",
+                    ),
+                ],
+            )
+
+            graph_section = dcc.Graph(
+                figure=fig_section,
+                config={"staticPlot": True},
+                className="info-bar-child",
+            )
+
+            graph_div_section = html.Div(graph_section, className="graph-section-req")
+
+            internal_accordion_item = dbc.AccordionItem(
+                title=section,
+                children=[html.Div([data_table], className="inner-accordion-content")],
+            )
+
+            internal_section_container = html.Div(
+                [
+                    graph_div_section,
+                    dbc.Accordion(
+                        [internal_accordion_item], start_collapsed=True, flush=True
+                    ),
+                ],
+                className="accordion-inner--child",
+            )
+
+            direct_internal_items.append(internal_section_container)
+
+        accordion_item = dbc.AccordionItem(
+            title=f"{name}", children=direct_internal_items
+        )
+        section_container = html.Div(
+            [
+                graph_div,
+                dbc.Accordion([accordion_item], start_collapsed=True, flush=True),
+            ],
+            className="accordion-inner",
+        )
+
+        section_containers.append(section_container)
+
+    return html.Div(section_containers, className="compliance-data-layout")
@@ -0,0 +1,36 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_ens
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    # append the requirements_description to idgrupocontrol
+    data["REQUIREMENTS_ATTRIBUTES_IDGRUPOCONTROL"] = (
+        data["REQUIREMENTS_ATTRIBUTES_IDGRUPOCONTROL"]
+        + " - "
+        + data["REQUIREMENTS_DESCRIPTION"]
+    )
+
+    aux = data[
+        [
+            "REQUIREMENTS_ATTRIBUTES_MARCO",
+            "REQUIREMENTS_ATTRIBUTES_CATEGORIA",
+            "REQUIREMENTS_ATTRIBUTES_IDGRUPOCONTROL",
+            "REQUIREMENTS_ATTRIBUTES_TIPO",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ]
+
+    return get_section_containers_ens(
+        aux,
+        "REQUIREMENTS_ATTRIBUTES_MARCO",
+        "REQUIREMENTS_ATTRIBUTES_CATEGORIA",
+        "REQUIREMENTS_ATTRIBUTES_IDGRUPOCONTROL",
+        "REQUIREMENTS_ATTRIBUTES_TIPO",
+    )
@@ -0,0 +1,36 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_ens
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    # append the requirements_description to idgrupocontrol
+    data["REQUIREMENTS_ATTRIBUTES_IDGRUPOCONTROL"] = (
+        data["REQUIREMENTS_ATTRIBUTES_IDGRUPOCONTROL"]
+        + " - "
+        + data["REQUIREMENTS_DESCRIPTION"]
+    )
+
+    aux = data[
+        [
+            "REQUIREMENTS_ATTRIBUTES_MARCO",
+            "REQUIREMENTS_ATTRIBUTES_CATEGORIA",
+            "REQUIREMENTS_ATTRIBUTES_IDGRUPOCONTROL",
+            "REQUIREMENTS_ATTRIBUTES_TIPO",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ]
+
+    return get_section_containers_ens(
+        aux,
+        "REQUIREMENTS_ATTRIBUTES_MARCO",
+        "REQUIREMENTS_ATTRIBUTES_CATEGORIA",
+        "REQUIREMENTS_ATTRIBUTES_IDGRUPOCONTROL",
+        "REQUIREMENTS_ATTRIBUTES_TIPO",
+    )
@@ -0,0 +1,25 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_kisa_ismsp
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_ATTRIBUTES_SUBDOMAIN",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            # "REQUIREMENTS_DESCRIPTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_kisa_ismsp(
+        aux, "REQUIREMENTS_ATTRIBUTES_SUBDOMAIN", "REQUIREMENTS_ATTRIBUTES_SECTION"
+    )
@@ -0,0 +1,25 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_kisa_ismsp
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_ATTRIBUTES_SUBDOMAIN",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            # "REQUIREMENTS_DESCRIPTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_kisa_ismsp(
+        aux, "REQUIREMENTS_ATTRIBUTES_SUBDOMAIN", "REQUIREMENTS_ATTRIBUTES_SECTION"
+    )
@@ -148,6 +148,7 @@ else:
    select_account_dropdown_list = ["All"]
    # Append to the list the unique values of the columns ACCOUNTID, PROJECTID and SUBSCRIPTIONID if they exist
    if "ACCOUNTID" in data.columns:
+        data["ACCOUNTID"] = data["ACCOUNTID"].astype(str)
        select_account_dropdown_list = select_account_dropdown_list + list(
            data["ACCOUNTID"].unique()
        )
@@ -246,9 +247,11 @@ def display_data(
        dfs = []
        for file in files:
            df = pd.read_csv(
-                file, sep=";", on_bad_lines="skip", encoding=encoding_format
+                file, sep=";", on_bad_lines="skip", encoding=encoding_format, dtype=str
            )
-            dfs.append(df.astype(str))
+            df = df.astype(str).fillna("nan")
+            df.columns = df.columns.astype(str)
+            dfs.append(df)
        return pd.concat(dfs, ignore_index=True)

    data = load_csv_files(files)
@@ -274,17 +277,24 @@ def display_data(
        data.rename(columns={"PROJECTID": "ACCOUNTID"}, inplace=True)
        data["REGION"] = "-"
    # Rename the column SUBSCRIPTIONID to ACCOUNTID for Azure
-    if data.columns.str.contains("SUBSCRIPTIONID").any():
+    if (
+        data.columns.str.contains("SUBSCRIPTIONID").any()
+        and not data.columns.str.contains("ACCOUNTID").any()
+    ):
        data.rename(columns={"SUBSCRIPTIONID": "ACCOUNTID"}, inplace=True)
        data["REGION"] = "-"
    # Handle v3 azure cis compliance
-    if data.columns.str.contains("SUBSCRIPTION").any():
+    if (
+        data.columns.str.contains("SUBSCRIPTION").any()
+        and not data.columns.str.contains("ACCOUNTID").any()
+    ):
        data.rename(columns={"SUBSCRIPTION": "ACCOUNTID"}, inplace=True)
        data["REGION"] = "-"

    # Filter ACCOUNT
    if account_filter == ["All"]:
        updated_cloud_account_values = data["ACCOUNTID"].unique()
+
    elif "All" in account_filter and len(account_filter) > 1:
        # Remove 'All' from the list
        account_filter.remove("All")
@@ -299,9 +309,11 @@ def display_data(

    account_filter_options = list(data["ACCOUNTID"].unique())
    account_filter_options = account_filter_options + ["All"]
-    for item in account_filter_options:
-        if "nan" in item or item.__class__.__name__ != "str" or item is None:
-            account_filter_options.remove(item)
+    account_filter_options = [
+        item
+        for item in account_filter_options
+        if isinstance(item, str) and item.lower() != "nan"
+    ]

    # Filter REGION
    if region_filter_analytics == ["All"]:
@@ -520,8 +532,8 @@ def get_bar_graph(df, column_name):

    # Cut the text if it is too long
    for i in range(len(colums)):
-        if len(colums[i]) > 15:
-            colums[i] = colums[i][:15] + "..."
+        if len(colums[i]) > 43:
+            colums[i] = colums[i][:43] + "..."

    fig = px.bar(
        df,
@@ -2,7 +2,7 @@

 For technical support or any type of inquiries, you are very welcome to:

- Reach out to community members on the [**Prowler Slack channel**](https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog)
+- Reach out to community members on the [**Prowler Slack channel**](https://goto.prowler.com/slack)

 - Open an Issue or a Pull Request in our [**GitHub repository**](https://github.com/prowler-cloud/prowler).

@@ -160,14 +160,20 @@ else:
 All the checks MUST fill the `report.resource_id` and `report.resource_arn` with the following criteria:

 - AWS
-    - Resource ID -- `report.resource_id`
-        - AWS Account --> Account Number `123456789012`
-        - AWS Resource --> Resource ID / Name
-        - Root resource --> `<root_account>`
-    - Resource ARN -- `report.resource_arn`
-        - AWS Account --> Root ARN `arn:aws:iam::123456789012:root`
-        - AWS Resource --> Resource ARN
-        - Root resource --> Resource Type ARN `f"arn:{service_client.audited_partition}:<service_name>:{service_client.region}:{service_client.audited_account}:<resource_type>"`
+    - Resouce ID and resource ARN:
+        - If the resource audited is the AWS account:
+            - `resource_id` -> AWS Account Number
+            - `resource_arn` -> AWS Account Root ARN
+        - If we can’t get the ARN from the resource audited, we create a valid ARN with the `resource_id` part as the resource audited. Examples:
+            - Bedrock -> `arn:<partition>:bedrock:<region>:<account-id>:model-invocation-logging`
+            - DirectConnect -> `arn:<partition>:directconnect:<region>:<account-id>:dxcon`
+        - If there is no real resource to audit we do the following:
+            - resource_id -> `resource_type/unknown`
+            - resource_arn -> `arn:<partition>:<service>:<region>:<account-id>:<resource_type>/unknown`
+            - Examples:
+                - AWS Security Hub -> `arn:<partition>:security-hub:<region>:<account-id>:hub/unknown`
+                - Access Analyzer -> `arn:<partition>:access-analyzer:<region>:<account-id>:analyzer/unknown`
+                - GuardDuty -> `arn:<partition>:guardduty:<region>:<account-id>:detector/unknown`
 - GCP
    - Resource ID -- `report.resource_id`
        - GCP Resource --> Resource ID
@@ -222,7 +228,7 @@ class ec2_securitygroup_with_many_ingress_egress_rules(Check):
        max_security_group_rules = ec2_client.audit_config.get(
            "max_security_group_rules", 50
        )
-        for security_group in ec2_client.security_groups:
+        for security_group_arn, security_group in ec2_client.security_groups.items():
 ```

 ```yaml title="config.yaml"
@@ -272,7 +278,7 @@ Each Prowler check has metadata associated which is stored at the same level of
  # Severity holds the check's severity, always in lowercase (critical, high, medium, low or informational)
  "Severity": "critical",
  # ResourceType only for AWS, holds the type from here
-  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html
+  # https://docs.aws.amazon.com/securityhub/latest/userguide/asff-resources.html
  "ResourceType": "Other",
  # Description holds the title of the check, for now is the same as CheckTitle
  "Description": "Ensure there are no EC2 AMIs set as Public.",
@@ -14,10 +14,8 @@ Once that is satisfied go ahead and clone your forked repo:
 git clone https://github.com/<your-github-user>/prowler
 cd prowler
 ```
-For isolation and avoid conflicts with other environments, we recommend usage of `poetry`:
-```
-pip install poetry
-```
+For isolation and to avoid conflicts with other environments, we recommend using `poetry`, a Python dependency management tool. You can install it by following the instructions [here](https://python-poetry.org/docs/#installation).
+
 Then install all dependencies including the ones for developers:
 ```
 poetry install --with dev
@@ -50,6 +48,8 @@ You can see all dependencies in file `pyproject.toml`.

 Moreover, you would need to install [`TruffleHog`](https://github.com/trufflesecurity/trufflehog) on the latest version to check for secrets in the code. You can install it using the official installation guide [here](https://github.com/trufflesecurity/trufflehog?tab=readme-ov-file#floppy_disk-installation).

+Additionally, please ensure to follow the code documentation practices outlined in this guide: [Google Python Style Guide - Comments and Docstrings](https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings).
+
 ???+ note
    If you have any trouble when committing to the Prowler repository, add the `--no-verify` flag to the `git commit` command.

@@ -67,4 +67,4 @@ If you create or review a PR in https://github.com/prowler-cloud/prowler please

 ## Want some swag as appreciation for your contribution?

-If you are like us and you love swag, we are happy to thank you for your contribution with some laptop stickers or whatever other swag we may have at that time. Please, tell us more details and your pull request link in our [Slack workspace here](https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog). You can also reach out to Toni de la Fuente on Twitter [here](https://twitter.com/ToniBlyx), his DMs are open.
+If you are like us and you love swag, we are happy to thank you for your contribution with some laptop stickers or whatever other swag we may have at that time. Please, tell us more details and your pull request link in our [Slack workspace here](https://goto.prowler.com/slack). You can also reach out to Toni de la Fuente on Twitter [here](https://twitter.com/ToniBlyx), his DMs are open.
@@ -44,7 +44,6 @@ class Provider(ABC):
    Methods:
        print_credentials(): Displays the provider's credentials used for auditing in the command-line interface.
        setup_session(): Sets up the session for the provider.
-        get_output_mapping(): Returns the output mapping between the provider and the generic model.
        validate_arguments(): Validates the arguments for the provider.
        get_checks_to_execute_by_audit_resources(): Returns a set of checks based on the input resources to scan.

@@ -131,15 +130,6 @@ class Provider(ABC):
        """
        raise NotImplementedError()

-    @abstractmethod
-    def get_output_mapping(self) -> dict:
-        """
-        get_output_mapping returns the output mapping between the provider and the generic model.
-
-        This method needs to be created in each provider.
-        """
-        raise NotImplementedError()
-
    def validate_arguments(self) -> None:
        """
        validate_arguments validates the arguments for the provider.
@@ -200,18 +190,18 @@ from prowler.providers.common.models import Audit_Metadata
 from prowler.providers.common.provider import Provider
 from prowler.providers.<new_provider_name>.models import (
    # All providers models needed
-    ProvierSessionModel,
-    ProvierIdentityModel,
-    ProvierOutputOptionsModel
+    ProviderSessionModel,
+    ProviderIdentityModel,
+    ProviderOutputOptionsModel
 )

 class NewProvider(Provider):
    # All properties from the class, some of this are properties in the base class
    _type: str = "<provider_name>"
-    _session: <ProvierSessionModel>
-    _identity: <ProvierIdentityModel>
+    _session: <ProviderSessionModel>
+    _identity: <ProviderIdentityModel>
    _audit_config: dict
-    _output_options: ProvierOutputOptionsModel
+    _output_options: ProviderOutputOptionsModel
    _mutelist: dict
    audit_metadata: Audit_Metadata

@@ -222,13 +212,13 @@ class NewProvider(Provider):
            arguments (dict): A dictionary containing configuration arguments.
        """
        logger.info("Setting <NewProviderName> provider ...")
-        # First get from arguments the necesary from the cloud acount (subscriptions or projects or whatever the provider use for storing services)
+        # First get from arguments the necessary from the cloud account (subscriptions or projects or whatever the provider use for storing services)

        # Set the session with the method enforced by parent class
        self._session = self.setup_session(credentials_file)

        # Set the Identity class normaly the provider class give by Python provider library
-        self._identity = <ProvierIdentityModel>()
+        self._identity = <ProviderIdentityModel>()

        # Set the provider configuration
        self._audit_config = load_and_validate_config_file(
@@ -264,7 +254,7 @@ class NewProvider(Provider):
            <all_needed_for_auth> Can include all necessary arguments to setup the session

        Returns:
-            Credentials necesary to communicate with the provider.
+            Credentials necessary to communicate with the provider.
        """
        pass

@@ -23,8 +23,8 @@ The Prowler's service structure is the following and the way to initialise it is
 All the Prowler provider's services inherits from a base class depending on the provider used.

 - [AWS Service Base Class](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/lib/service/service.py)
- [GCP Service Base Class](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/azure/lib/service/service.py)
- [Azure Service Base Class](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/gcp/lib/service/service.py)
+- [GCP Service Base Class](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/gcp/lib/service/service.py)
+- [Azure Service Base Class](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/azure/lib/service/service.py)
 - [Kubernetes Service Base Class](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/kubernetes/lib/service/service.py)

 Each class is used to initialize the credentials and the API's clients to be used in the service. If some threading is used it must be coded there.
@@ -592,7 +592,7 @@ is following the actual format, add one function where the client is passed to b
 `mock_api_<endpoint>_calls` (*endpoint* refers to the first attribute pointed after *client*).

 In the example of BigQuery the function is called `mock_api_dataset_calls`. And inside of this function we found an assignation to
-be used in the `__get_datasets__` method in BigQuery class:
+be used in the `_get_datasets` method in BigQuery class:

 ```python
 # Mocking datasets
@@ -765,7 +765,7 @@ from tests.providers.azure.azure_fixtures import (
    set_mocked_azure_provider,
 )

-# Function to mock the service function __get_components__, this function task is to return a possible value that real function could returns
+# Function to mock the service function _get_components, this function task is to return a possible value that real function could returns
 def mock_appinsights_get_components(_):
    return {
        AZURE_SUBSCRIPTION_ID: {
@@ -779,12 +779,12 @@ def mock_appinsights_get_components(_):

 # Patch decorator to use the mocked function instead the function with the real API call
@patch(
-    "prowler.providers.azure.services.appinsights.appinsights_service.AppInsights.__get_components__",
+    "prowler.providers.azure.services.appinsights.appinsights_service.AppInsights._get_components",
    new=mock_appinsights_get_components,
 )
 class Test_AppInsights_Service:
    # Mandatory test for every service, this method test the instance of the client is correct
-    def test__get_client__(self):
+    def test_get_client(self):
        app_insights = AppInsights(set_mocked_azure_provider())
        assert (
            app_insights.clients[AZURE_SUBSCRIPTION_ID].__class__.__name__
@@ -794,8 +794,8 @@ class Test_AppInsights_Service:
    def test__get_subscriptions__(self):
        app_insights = AppInsights(set_mocked_azure_provider())
        assert app_insights.subscriptions.__class__.__name__ == "dict"
-    # Test for the function __get_components__, inside this client is used the mocked function
-    def test__get_components__(self):
+    # Test for the function _get_components, inside this client is used the mocked function
+    def test_get_components(self):
        appinsights = AppInsights(set_mocked_azure_provider())
        assert len(appinsights.components) == 1
        assert (
@@ -71,12 +71,18 @@ To use each one you need to pass the proper flag to the execution. Prowler for A
    - `Policy.Read.All`
    - `UserAuthenticationMethod.Read.All`
 - **Subscription scope permissions**: Required to launch the checks against your resources, mandatory to launch the tool. It is required to add the following RBAC builtin roles per subscription to the entity that is going to be assumed by the tool:
-    - `Security Reader`
    - `Reader`
    - `ProwlerRole` (custom role defined in [prowler-azure-custom-role](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json))

 To assign the permissions, follow the instructions in the [Microsoft Entra ID permissions](../tutorials/azure/create-prowler-service-principal.md#assigning-the-proper-permissions) section and the [Azure subscriptions permissions](../tutorials/azure/subscriptions.md#assigning-proper-permissions) section, respectively.

+#### Checks that require ProwlerRole
+
+The following checks require the `ProwlerRole` custom role to be executed, if you want to run them, make sure you have assigned the role to the identity that is going to be assumed by Prowler:
+
+- `app_function_access_keys_configured`
+- `app_function_ftps_deployment_disabled`
+
 ## Google Cloud

 ### Authentication
@@ -19,14 +19,40 @@ It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, Fe
 ## Quick Start
 ### Installation

-Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/), thus can be installed using pip with `Python >= 3.9`:
+Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/), thus can be installed as Python package with `Python >= 3.9`:

-=== "Generic"
+=== "pipx"
+
+    [pipx](https://pipx.pypa.io/stable/) is a tool to install Python applications in isolated environments. It is recommended to use `pipx` for a global installation.

    _Requirements_:

    * `Python >= 3.9`
-    * `Python pip >= 3.9`
+    * `pipx` installed: [pipx installation](https://pipx.pypa.io/stable/installation/).
+    * AWS, GCP, Azure and/or Kubernetes credentials
+
+    _Commands_:
+
+    ``` bash
+    pipx install prowler
+    prowler -v
+    ```
+
+    To upgrade Prowler to the latest version, run:
+
+    ``` bash
+    pipx upgrade prowler
+    ```
+
+=== "pip"
+
+    ???+ warning
+        This method is not recommended because it will modify the environment which you choose to install. Consider using [pipx](https://docs.prowler.com/projects/prowler-open-source/en/latest/#__tabbed_1_1) for a global installation.
+
+    _Requirements_:
+
+    * `Python >= 3.9`
+    * `Python pip >= 21.0.0`
    * AWS, GCP, Azure and/or Kubernetes credentials

    _Commands_:
@@ -36,13 +62,19 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),
    prowler -v
    ```

+    To upgrade Prowler to the latest version, run:
+
+    ``` bash
+    pip install --upgrade prowler
+    ```
+
 === "Docker"

    _Requirements_:

    * Have `docker` installed: https://docs.docker.com/get-docker/.
-    * AWS, GCP, Azure and/or Kubernetes credentials
    * In the command below, change `-v` to your local directory path in order to access the reports.
+    * AWS, GCP, Azure and/or Kubernetes credentials

    _Commands_:

@@ -54,41 +86,21 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),
    --env AWS_SESSION_TOKEN toniblyx/prowler:latest
    ```

-=== "Ubuntu"
-
-    _Requirements for Ubuntu 20.04.3 LTS_:
-
-    * AWS, GCP, Azure and/or Kubernetes credentials
-    * Install python 3.9 with: `sudo apt-get install python3.9`
-    * Remove python 3.8 to avoid conflicts if you can: `sudo apt-get remove python3.8`
-    * Make sure you have the python3 distutils package installed: `sudo apt-get install python3-distutils`
-    * To make sure you use pip for 3.9 get the get-pip script with: `curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py`
-    * Execute it with the proper python version: `sudo python3.9 get-pip.py`
-    * Now you should have pip for 3.9 ready: `pip3.9 --version`
-
-    _Commands_:
-
-    ```
-    pip3.9 install prowler
-    export PATH=$PATH:/home/$HOME/.local/bin/
-    prowler -v
-    ```
-
 === "GitHub"

    _Requirements for Developers_:

+    * `git`
+    * `poetry` installed: [poetry installation](https://python-poetry.org/docs/#installation).
    * AWS, GCP, Azure and/or Kubernetes credentials
-    * `git`, `Python >= 3.9`, `pip` and `poetry` installed (`pip install poetry`)

    _Commands_:

    ```
    git clone https://github.com/prowler-cloud/prowler
    cd prowler
-    poetry shell
    poetry install
-    python prowler.py -v
+    poetry run python prowler.py -v
    ```
    ???+ note
        If you want to clone Prowler from Windows, use `git config core.longpaths true` to allow long file paths.
@@ -97,15 +109,33 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),

    _Requirements_:

+    * `Python >= 3.9`
    * AWS, GCP, Azure and/or Kubernetes credentials
-    * Latest Amazon Linux 2 should come with Python 3.9 already installed however it may need pip. Install Python pip 3.9 with: `sudo yum install -y python3-pip`.
-    * Make sure setuptools for python is already installed with: `pip3 install setuptools`

    _Commands_:

    ```
-    pip3.9 install prowler
-    export PATH=$PATH:/home/$HOME/.local/bin/
+    python3 -m pip install --user pipx
+    python3 -m pipx ensurepath
+    pipx install prowler
+    prowler -v
+    ```
+
+=== "Ubuntu"
+
+    _Requirements_:
+
+    * `Ubuntu 23.04` or above, if you are using an older version of Ubuntu check [pipx installation](https://docs.prowler.com/projects/prowler-open-source/en/latest/#__tabbed_1_1) and ensure you have `Python >= 3.9`.
+    * `Python >= 3.9`
+    * AWS, GCP, Azure and/or Kubernetes credentials
+
+    _Commands_:
+
+    ``` bash
+    sudo apt update
+    sudo apt install pipx
+    pipx ensurepath
+    pipx install prowler
    prowler -v
    ```

@@ -125,7 +155,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),

 === "AWS CloudShell"

-    After the migration of AWS CloudShell from Amazon Linux 2 to Amazon Linux 2023 [[1]](https://aws.amazon.com/about-aws/whats-new/2023/12/aws-cloudshell-migrated-al2023/) [2](https://docs.aws.amazon.com/cloudshell/latest/userguide/cloudshell-AL2023-migration.html), there is no longer a need to manually compile Python 3.9 as it's already included in AL2023. Prowler can thus be easily installed following the Generic method of installation via pip. Follow the steps below to successfully execute Prowler v4 in AWS CloudShell:
+    After the migration of AWS CloudShell from Amazon Linux 2 to Amazon Linux 2023 [[1]](https://aws.amazon.com/about-aws/whats-new/2023/12/aws-cloudshell-migrated-al2023/) [[2]](https://docs.aws.amazon.com/cloudshell/latest/userguide/cloudshell-AL2023-migration.html), there is no longer a need to manually compile Python 3.9 as it's already included in AL2023. Prowler can thus be easily installed following the Generic method of installation via pip. Follow the steps below to successfully execute Prowler v4 in AWS CloudShell:

    _Requirements_:

@@ -133,11 +163,13 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),

    _Commands_:

-    ```
+    ```bash
    sudo bash
    adduser prowler
    su prowler
-    pip install prowler
+    python3 -m pip install --user pipx
+    python3 -m pipx ensurepath
+    pipx install prowler
    cd /tmp
    prowler aws
    ```
@@ -153,9 +185,12 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),

    _Commands_:

-    ```
-    pip install prowler
-    prowler -v
+    ```bash
+    python3 -m pip install --user pipx
+    python3 -m pipx ensurepath
+    pipx install prowler
+    cd /tmp
+    prowler azure --az-cli-auth
    ```

 ## Prowler container versions
@@ -4,21 +4,25 @@ Prowler allows you to do threat detection in AWS based on the CloudTrail log rec
 ```
 prowler aws --category threat-detection
 ```
-This comand will run these checks:
+This command will run these checks:

-* `cloudtrail_threat_detection_privilege_escalation`
-* `cloudtrail_threat_detection_enumeration`
+* `cloudtrail_threat_detection_privilege_escalation` -> Detects privilege escalation attacks.
+* `cloudtrail_threat_detection_enumeration` -> Detects enumeration attacks.
+* `cloudtrail_threat_detection_llm_jacking` -> Detects LLM Jacking attacks.

 ???+ note
-    Threat Detection checks will be only executed using `--category threat-detection` flag due to preformance.
+    Threat Detection checks will be only executed using `--category threat-detection` flag due to performance.

 ## Config File

 If you want to manage the behavior of the Threat Detection checks you can edit `config.yaml` file from `/prowler/config`. In this file you can edit the following attributes related with Threat Detection:

-* `threat_detection_privilege_escalation_threshold`: determines the percentage of actions found to decide if it is an privilege_scalation attack event, by default is 0.1 (10%)
+* `threat_detection_privilege_escalation_threshold`: determines the percentage of actions found to decide if it is an privilege_scalation attack event, by default is 0.2 (20%)
 * `threat_detection_privilege_escalation_minutes`: it is the past minutes to search from now for privilege_escalation attacks, by default is 1440 minutes (24 hours)
-* `threat_detection_privilege_escalation_actions`: these are the default actions related with priviledge scalation.
-* `threat_detection_enumeration_threshold`: determines the percentage of actions found to decide if it is an enumeration attack event, by default is 0.1 (10%)
+* `threat_detection_privilege_escalation_actions`: these are the default actions related with privilege escalation.
+* `threat_detection_enumeration_threshold`: determines the percentage of actions found to decide if it is an enumeration attack event, by default is 0.3 (30%)
 * `threat_detection_enumeration_minutes`: it is the past minutes to search from now for enumeration attacks, by default is 1440 minutes (24 hours)
 * `threat_detection_enumeration_actions`: these are the default actions related with enumeration attacks.
+* `threat_detection_llm_jacking_threshold`: determines the percentage of actions found to decide if it is an LLM Jacking attack event, by default is 0.4 (40%)
+* `threat_detection_llm_jacking_minutes`: it is the past minutes to search from now for LLM Jacking attacks, by default is 1440 minutes (24 hours)
+* `threat_detection_llm_jacking_actions`: these are the default actions related with LLM Jacking attacks.
@@ -11,25 +11,21 @@ Where you can pass from 1 up to N subscriptions to be scanned.

 ## Assigning proper permissions

-Regarding the subscription scope, Prowler by default scans all the subscriptions that is able to list, so it is required to add the following RBAC builtin roles per subscription to the entity that is going to be assumed by the tool:
-
- `Security Reader`
- `Reader`
+Regarding the subscription scope, Prowler by default scans all subscriptions that it is able to list, so it is necessary to add the `Reader` RBAC built-in roles per subscription or management group (recommended for multiple subscriptions, see it in the [next section](#recommendation-for-multiple-subscriptions)) to the entity that will be adopted by the tool:

 To assign this roles, follow the instructions:

 1. Access your subscription, then select your subscription.
 2. Select "Access control (IAM)".
 3. In the overview, select "Roles".
-  ![IAM Page](../../img/page-IAM.png)
 4. Click on "+ Add" and select "Add role assignment".
-5. In the search bar, type `Security Reader`, select it and click on "Next".
+5. In the search bar, type `Reader`, select it and click on "Next".
 6. In the Members tab, click on "+ Select members" and add the members you want to assign this role.
 7. Click on "Review + assign" to apply the new role.

-*Repeat these steps for `Reader` role*
+![Add reader role to subscription](../../img/add-reader-role.gif)

-Moreover, some additional read-only permissions are needed for some checks, for this kind of checks that are not covered by built-in roles we use a custom role. This role is defined in [prowler-azure-custom-role](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json). Please be sure to change the `assignableScopes` field for your subscriptions or management group. Once the cusotm role is created, repeat the steps mentioned above to assign the new `ProwlerRole` to an identity.
+Moreover, some additional read-only permissions are needed for some checks, for this kind of checks that are not covered by built-in roles we use a custom role. This role is defined in [prowler-azure-custom-role](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json). Once the cusotm role is created, repeat the steps mentioned above to assign the new `ProwlerRole` to an identity.

 ## Recommendation for multiple subscriptions

@@ -7,7 +7,6 @@ At the time of writing this documentation the available Azure Clouds from differ
 - AzureCloud
 - AzureChinaCloud
 - AzureUSGovernment
- AzureGermanCloud

 If you want to change the default one you must include the flag `--azure-region`, i.e.:

@@ -13,36 +13,55 @@ The following list includes all the AWS checks with configurable variables that

 | Check Name                                                    | Value                                            | Type            |
 |---------------------------------------------------------------|--------------------------------------------------|-----------------|
-| `iam_user_accesskey_unused`                                   | `max_unused_access_keys_days`                    | Integer         |
-| `iam_user_console_access_unused`                              | `max_console_access_days`                        | Integer         |
-| `ec2_elastic_ip_shodan`                                       | `shodan_api_key`                                 | String          |
-| `ec2_securitygroup_with_many_ingress_egress_rules`            | `max_security_group_rules`                       | Integer         |
-| `ec2_instance_older_than_specific_days`                       | `max_ec2_instance_age_in_days`                   | Integer         |
-| `vpc_endpoint_connections_trust_boundaries`                   | `trusted_account_ids`                            | List of Strings |
-| `vpc_endpoint_services_allowed_principals_trust_boundaries`   | `trusted_account_ids`                            | List of Strings |
-| `cloudwatch_log_group_retention_policy_specific_days_enabled` | `log_group_retention_days`                       | Integer         |
-| `appstream_fleet_session_idle_disconnect_timeout`             | `max_idle_disconnect_timeout_in_seconds`         | Integer         |
-| `appstream_fleet_session_disconnect_timeout`                  | `max_disconnect_timeout_in_seconds`              | Integer         |
+| `acm_certificates_expiration_check`                           | `days_to_expire_threshold`                       | Integer         |
 | `appstream_fleet_maximum_session_duration`                    | `max_session_duration_seconds`                   | Integer         |
+| `appstream_fleet_session_disconnect_timeout`                  | `max_disconnect_timeout_in_seconds`              | Integer         |
+| `appstream_fleet_session_idle_disconnect_timeout`             | `max_idle_disconnect_timeout_in_seconds`         | Integer         |
+| `autoscaling_find_secrets_ec2_launch_configuration`           | `secrets_ignore_patterns`                        | List of Strings |
+| `awslambda_function_no_secrets_in_code`                       | `secrets_ignore_patterns`                        | List of Strings |
+| `awslambda_function_no_secrets_in_variables`                  | `secrets_ignore_patterns`                        | List of Strings |
 | `awslambda_function_using_supported_runtimes`                 | `obsolete_lambda_runtimes`                       | Integer         |
-| `organizations_scp_check_deny_regions`                        | `organizations_enabled_regions`                  | List of Strings |
-| `organizations_delegated_administrators`                      | `organizations_trusted_delegated_administrators` | List of Strings |
-| `ecr_repositories_scan_vulnerabilities_in_latest_image`       | `ecr_repository_vulnerability_minimum_severity`  | String          |
-| `trustedadvisor_premium_support_plan_subscribed`              | `verify_premium_support_plans`                   | Boolean         |
-| `config_recorder_all_regions_enabled`                         | `mute_non_default_regions`                       | Boolean         |
-| `drs_job_exist`                                               | `mute_non_default_regions`                       | Boolean         |
-| `guardduty_is_enabled`                                        | `mute_non_default_regions`                       | Boolean         |
-| `securityhub_enabled`                                         | `mute_non_default_regions`                       | Boolean         |
-| `cloudtrail_threat_detection_privilege_escalation`            | `threat_detection_privilege_escalation_entropy`  | Integer         |
-| `cloudtrail_threat_detection_privilege_escalation`            | `threat_detection_privilege_escalation_minutes`  | Integer         |
-| `cloudtrail_threat_detection_privilege_escalation`            | `threat_detection_privilege_escalation_actions`  | List of Strings |
+| `awslambda_function_vpc_is_in_multi_azs`                      | `lambda_min_azs`                                 | Integer         |
+| `cloudformation_stack_outputs_find_secrets`                   | `secrets_ignore_patterns`                        | List of Strings |
+| `cloudtrail_threat_detection_enumeration`                     | `threat_detection_enumeration_actions`           | List of Strings |
 | `cloudtrail_threat_detection_enumeration`                     | `threat_detection_enumeration_entropy`           | Integer         |
 | `cloudtrail_threat_detection_enumeration`                     | `threat_detection_enumeration_minutes`           | Integer         |
-| `cloudtrail_threat_detection_enumeration`                     | `threat_detection_enumeration_actions`           | List of Strings |
-| `rds_instance_backup_enabled`                                 | `check_rds_instance_replicas`                    | Boolean         |
-| `ec2_securitygroup_allow_ingress_from_internet_to_any_port`   | `ec2_allowed_interface_types`                    | List of Strings |
+| `cloudtrail_threat_detection_privilege_escalation`            | `threat_detection_privilege_escalation_actions`  | List of Strings |
+| `cloudtrail_threat_detection_privilege_escalation`            | `threat_detection_privilege_escalation_entropy`  | Integer         |
+| `cloudtrail_threat_detection_privilege_escalation`            | `threat_detection_privilege_escalation_minutes`  | Integer         |
+| `cloudwatch_log_group_no_secrets_in_logs`                     | `secrets_ignore_patterns`                        | List of Strings |
+| `cloudwatch_log_group_retention_policy_specific_days_enabled` | `log_group_retention_days`                       | Integer         |
+| `codebuild_project_no_secrets_in_variables`                   | `excluded_sensitive_environment_variables`       | List of Strings |
+| `codebuild_project_no_secrets_in_variables`                   | `secrets_ignore_patterns`                        | List of Strings |
+| `config_recorder_all_regions_enabled`                         | `mute_non_default_regions`                       | Boolean         |
+| `drs_job_exist`                                               | `mute_non_default_regions`                       | Boolean         |
+| `ec2_elastic_ip_shodan`                                       | `shodan_api_key`                                 | String          |
+| `ec2_instance_older_than_specific_days`                       | `max_ec2_instance_age_in_days`                   | Integer         |
+| `ec2_instance_secrets_user_data`                              | `secrets_ignore_patterns`                        | List of Strings |
+| `ec2_launch_template_no_secrets`                              | `secrets_ignore_patterns`                        | List of Strings |
 | `ec2_securitygroup_allow_ingress_from_internet_to_any_port`   | `ec2_allowed_instance_owners`                    | List of Strings |
-| `acm_certificates_expiration_check`                           | `days_to_expire_threshold`                       | Integer         |
+| `ec2_securitygroup_allow_ingress_from_internet_to_any_port`   | `ec2_allowed_interface_types`                    | List of Strings |
+| `ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports`| `ec2_sg_high_risk_ports`                 | List of Integer |
+| `ec2_securitygroup_with_many_ingress_egress_rules`            | `max_security_group_rules`                       | Integer         |
+| `ecs_task_definitions_no_environment_secrets`                 | `secrets_ignore_patterns`                        | List of Strings |
+| `ecr_repositories_scan_vulnerabilities_in_latest_image`       | `ecr_repository_vulnerability_minimum_severity`  | String          |
+| `eks_cluster_uses_a_supported_version`                        | `eks_cluster_oldest_version_supported`           | String          |
+| `eks_control_plane_logging_all_types_enabled`                 | `eks_required_log_types`                         | List of Strings |
+| `elb_is_in_multiple_az`                                       | `elb_min_azs`                                    | Integer         |
+| `elbv2_is_in_multiple_az`                                     | `elbv2_min_azs`                                  | Integer         |
+| `guardduty_is_enabled`                                        | `mute_non_default_regions`                       | Boolean         |
+| `iam_user_accesskey_unused`                                   | `max_unused_access_keys_days`                    | Integer         |
+| `iam_user_console_access_unused`                              | `max_console_access_days`                        | Integer         |
+| `organizations_delegated_administrators`                      | `organizations_trusted_delegated_administrators` | List of Strings |
+| `organizations_scp_check_deny_regions`                        | `organizations_enabled_regions`                  | List of Strings |
+| `rds_instance_backup_enabled`                                 | `check_rds_instance_replicas`                    | Boolean         |
+| `securityhub_enabled`                                         | `mute_non_default_regions`                       | Boolean         |
+| `secretsmanager_secret_unused`                                | `max_days_secret_unused`                         | Integer         |
+| `secretsmanager_secret_rotated_periodically`                  | `max_days_secret_unrotated`                      | Integer         |
+| `ssm_document_secrets`                                        | `secrets_ignore_patterns`                        | List of Strings |
+| `trustedadvisor_premium_support_plan_subscribed`              | `verify_premium_support_plans`                   | Boolean         |
+| `vpc_endpoint_connections_trust_boundaries`                   | `trusted_account_ids`                            | List of Strings |
+| `vpc_endpoint_services_allowed_principals_trust_boundaries`   | `trusted_account_ids`                            | List of Strings |


 ## Azure
@@ -124,8 +143,24 @@ aws:
    [
        "amazon-elb"
    ]
+  # aws.ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports
+  ec2_sg_high_risk_ports:
+    [
+        25,
+        110,
+        135,
+        143,
+        445,
+        3000,
+        4333,
+        5000,
+        5500,
+        8080,
+        8088,
+    ]

  # AWS VPC Configuration (vpc_endpoint_connections_trust_boundaries, vpc_endpoint_services_allowed_principals_trust_boundaries)
+  # AWS SSM Configuration (aws.ssm_documents_set_as_public)
  # Single account environment: No action required. The AWS account number will be automatically added by the checks.
  # Multi account environment: Any additional trusted account number should be added as a space separated list, e.g.
  # trusted_account_ids : ["123456789012", "098765432109", "678901234567"]
@@ -193,7 +228,7 @@ aws:

  # AWS CloudTrail Configuration
  # aws.cloudtrail_threat_detection_privilege_escalation
-  threat_detection_privilege_escalation_threshold: 0.1 # Percentage of actions found to decide if it is an privilege_escalation attack event, by default is 0.1 (10%)
+  threat_detection_privilege_escalation_threshold: 0.2 # Percentage of actions found to decide if it is an privilege_escalation attack event, by default is 0.2 (20%)
  threat_detection_privilege_escalation_minutes: 1440 # Past minutes to search from now for privilege_escalation attacks, by default is 1440 minutes (24 hours)
  threat_detection_privilege_escalation_actions:
    [
@@ -250,7 +285,7 @@ aws:
      "UpdateLoginProfile",
    ]
  # aws.cloudtrail_threat_detection_enumeration
-  threat_detection_enumeration_threshold: 0.1 # Percentage of actions found to decide if it is an enumeration attack event, by default is 0.1 (10%)
+  threat_detection_enumeration_threshold: 0.3 # Percentage of actions found to decide if it is an enumeration attack event, by default is 0.3 (30%)
  threat_detection_enumeration_minutes: 1440 # Past minutes to search from now for enumeration attacks, by default is 1440 minutes (24 hours)
  threat_detection_enumeration_actions:
    [
@@ -345,6 +380,24 @@ aws:
      "LookupEvents",
      "Search",
    ]
+  # aws.cloudtrail_threat_detection_llm_jacking
+  threat_detection_llm_jacking_threshold: 0.4 # Percentage of actions found to decide if it is an LLM Jacking attack event, by default is 0.4 (40%)
+  threat_detection_llm_jacking_minutes: 1440 # Past minutes to search from now for LLM Jacking attacks, by default is 1440 minutes (24 hours)
+  threat_detection_llm_jacking_actions:
+    [
+    "PutUseCaseForModelAccess",  # Submits a use case for model access, providing justification (Write).
+    "PutFoundationModelEntitlement",  # Grants entitlement for accessing a foundation model (Write).
+    "PutModelInvocationLoggingConfiguration", # Configures logging for model invocations (Write).
+    "CreateFoundationModelAgreement",  # Creates a new agreement to use a foundation model (Write).
+    "InvokeModel",  # Invokes a specified Bedrock model for inference using provided prompt and parameters (Read).
+    "InvokeModelWithResponseStream",  # Invokes a Bedrock model for inference with real-time token streaming (Read).
+    "GetUseCaseForModelAccess",  # Retrieves an existing use case for model access (Read).
+    "GetModelInvocationLoggingConfiguration",  # Fetches the logging configuration for model invocations (Read).
+    "GetFoundationModelAvailability",  # Checks the availability of a foundation model for use (Read).
+    "ListFoundationModelAgreementOffers",  # Lists available agreement offers for accessing foundation models (List).
+    "ListFoundationModels",  # Lists the available foundation models in Bedrock (List).
+    "ListProvisionedModelThroughputs",  # Lists the provisioned throughput for previously created models (List).
+    ]

  # AWS RDS Configuration
  # aws.rds_instance_backup_enabled
@@ -355,6 +408,30 @@ aws:
  # aws.acm_certificates_expiration_check
  days_to_expire_threshold: 7

+  # AWS EKS Configuration
+  # aws.eks_control_plane_logging_all_types_enabled
+  # EKS control plane logging types that must be enabled
+  eks_required_log_types:
+    [
+      "api",
+      "audit",
+      "authenticator",
+      "controllerManager",
+      "scheduler",
+    ]
+
+  # aws.eks_cluster_uses_a_supported_version
+  # EKS clusters must be version 1.28 or higher
+  eks_cluster_oldest_version_supported: "1.28"
+
+  # AWS CodeBuild Configuration
+  # aws.codebuild_project_no_secrets_in_variables
+  # CodeBuild sensitive variables that are excluded from the check
+  excluded_sensitive_environment_variables:
+    [
+
+    ]
+
 # Azure Configuration
 azure:
  # Azure Network Configuration
@@ -10,9 +10,11 @@ prowler dashboard
 To run Prowler local dashboard with Docker, use:

 ```sh
-docker run --env HOST=0.0.0.0 --publish 127.0.0.1:11666:11666 toniblyx/prowler:latest dashboard
+docker run -v /your/local/dir/prowler-output:/home/prowler/output --env HOST=0.0.0.0 --publish 127.0.0.1:11666:11666 toniblyx/prowler:latest dashboard
 ```

+Make sure you update the `/your/local/dir/prowler-output` to match the path that contains your prowler output.
+
 ???+ note
    **Remember that the `dashboard` server is not authenticated, if you expose it to the internet, you are running it at your own risk.**

@@ -13,7 +13,7 @@ prowler <provider> -c <check_to_fix_1> <check_to_fix_2> ... --fixer
    ```sh
    prowler <provider> --list-fixers
    ```
-
+It's important to note that using the fixers for `Access Analyzer`, `GuardDuty`, and `SecurityHub` may incur additional costs. These AWS services might trigger actions or deploy resources that can lead to charges on your AWS account.
 ## Writing a Fixer
 To write a fixer, you need to create a file called `<check_id>_fixer.py` inside the check folder, with a function called `fixer` that receives either the region or the resource to be fixed as a parameter, and returns a boolean value indicating if the fix was successful or not.

@@ -0,0 +1,22 @@
+# GCP Organization
+
+By default, Prowler scans all Google Cloud projects accessible to the authenticated user.
+
+To limit the scan to projects within a specific Google Cloud organization, use the `--organization-id` option with the GCP organization ID:
+
+```console
+prowler gcp --organization-id organization-id
+```
+
+???+ warning
+    Make sure that the used credentials have the role Cloud Asset Viewer (`roles/cloudasset.viewer`) or Cloud Asset Owner (`roles/cloudasset.owner`) on the organization level.
+
+???+ note
+    With this option, Prowler retrieves all projects within the specified organization, including those organized in folders and nested subfolders. This ensures that every project under the organization’s hierarchy is scanned, providing full visibility across the entire organization.
+
+???+ note
+    To find the organization ID, use the following command:
+
+    ```console
+    gcloud organizations list
+    ```
@@ -10,7 +10,7 @@ Execute Prowler in verbose mode (like in Version 2):
 prowler <provider> --verbose
 ```
 ## Filter findings by status
-Prowler can filter the findings by their status:
+Prowler can filter the findings by their status, so you can see only in the CLI and in the reports the findings with a specific status:
 ```console
 prowler <provider> --status [PASS, FAIL, MANUAL]
 ```
@@ -24,6 +24,11 @@ Prowler can run without showing its banner:
 ```console
 prowler <provider> -b/--no-banner
 ```
+## Disable Colors
+Prowler can run without showing colors:
+```console
+prowler <provider> --no-color
+```
 ## Checks
 Prowler has checks per provider, there are options related with them:

@@ -120,5 +125,5 @@ prowler <provider> --list-categories
 ```
 - Execute specific category(s):
 ```console
-prowler  <provider> --categories
+prowler  <provider> --categories secrets
 ```
@@ -7,97 +7,155 @@ Mutelist option works along with other options and will modify the output in the
 - CSV: `muted` is `True`. The field `status` will keep the original status, `MANUAL`, `PASS` or `FAIL`, of the finding.


-You can use `-w`/`--mutelist-file` with the path of your mutelist yaml file:
+## How the Mutelist Works
+
+The **Mutelist** uses both "AND" and "OR" logic to determine which resources, checks, regions, and tags should be muted. For each check, the Mutelist evaluates whether the account, region, and resource match the specified criteria using "AND" logic. If tags are specified, the Mutelist can apply either "AND" or "OR" logic.
+
+If any of the criteria do not match, the check is not muted.
+
+???+ note
+    Remember that mutelist can be used with regular expressions.
+
+## Mutelist Specification
+
+???+ note
+    - For Azure provider, the Account ID is the Subscription Name and the Region is the Location.
+    - For GCP provider, the Account ID is the Project ID and the Region is the Zone.
+    - For Kubernetes provider, the Account ID is the Cluster Name and the Region is the Namespace.
+
+The Mutelist file uses the [YAML](https://en.wikipedia.org/wiki/YAML) format with the following syntax:
+
+```yaml
+### Account, Check and/or Region can be * to apply for all the cases.
+### Resources and tags are lists that can have either Regex or Keywords.
+### Tags is an optional list that matches on tuples of 'key=value' and are "ANDed" together.
+### Use an alternation Regex to match one of multiple tags with "ORed" logic.
+### For each check you can except Accounts, Regions, Resources and/or Tags.
+###########################  MUTELIST EXAMPLE  ###########################
+Mutelist:
+  Accounts:
+    "123456789012":
+      Checks:
+        "iam_user_hardware_mfa_enabled":
+          Regions:
+            - "us-east-1"
+          Resources:
+            - "user-1"           # Will mute user-1 in check iam_user_hardware_mfa_enabled
+            - "user-2"           # Will mute user-2 in check iam_user_hardware_mfa_enabled
+        "ec2_*":
+          Regions:
+            - "*"
+          Resources:
+            - "*"                 # Will mute every EC2 check in every account and region
+        "*":
+          Regions:
+            - "*"
+          Resources:
+            - "test"
+          Tags:
+            - "test=test"         # Will mute every resource containing the string "test" and the tags 'test=test' and
+            - "project=test|project=stage" # either of ('project=test' OR project=stage) in account 123456789012 and every region
+        "*":
+            Regions:
+              - "*"
+            Resources:
+              - "test"
+            Tags:
+              - "test=test"
+              - "project=test"    # This will mute every resource containing the string "test" and BOTH tags at the same time.
+        "*":
+            Regions:
+              - "*"
+            Resources:
+              - "test"
+            Tags:                 # This will mute every resource containing the string "test" and the ones that contain EITHER the `test=test` OR `project=test` OR `project=dev`
+              - "test=test|project=(test|dev)"
+        "*":
+            Regions:
+              - "*"
+            Resources:
+              - "test"
+            Tags:
+              - "test=test"       # This will mute every resource containing the string "test" and the tags `test=test` and either `project=test` OR `project=stage` in every account and region.
+              - "project=test|project=stage"
+
+    "*":
+      Checks:
+        "s3_bucket_object_versioning":
+          Regions:
+            - "eu-west-1"
+            - "us-east-1"
+          Resources:
+            - "ci-logs"           # Will mute bucket "ci-logs" AND ALSO bucket "ci-logs-replica" in specified check and regions
+            - "logs"              # Will mute EVERY BUCKET containing the string "logs" in specified check and regions
+            - ".+-logs"           # Will mute all buckets containing the terms ci-logs, qa-logs, etc. in specified check and regions
+        "ecs_task_definitions_no_environment_secrets":
+          Regions:
+            - "*"
+          Resources:
+            - "*"
+          Exceptions:
+            Accounts:
+              - "0123456789012"
+            Regions:
+              - "eu-west-1"
+              - "eu-south-2"        # Will mute every resource in check ecs_task_definitions_no_environment_secrets except the ones in account 0123456789012 located in eu-south-2 or eu-west-1
+        "*":
+          Regions:
+            - "*"
+          Resources:
+            - "*"
+          Tags:
+            - "environment=dev"    # Will mute every resource containing the tag 'environment=dev' in every account and region
+
+    "123456789012":
+      Checks:
+        "*":
+          Regions:
+            - "*"
+          Resources:
+            - "*"
+          Exceptions:
+            Resources:
+              - "test"
+            Tags:
+              - "environment=prod"   # Will mute every resource except in account 123456789012 except the ones containing the string "test" and tag environment=prod
+
+    "*":
+      Checks:
+        "ec2_*":
+          Regions:
+            - "*"
+          Resources:
+            - "test-resource" # Will mute the resource "test-resource" in all accounts and regions for whatever check from the EC2 service
+```
+
+### Account, Check, Region, Resource, and Tag
+
+| Field | Description | Logic |
+|----------|----------|----------|
+| `account_id`    | Use `*` to apply the mutelist to all accounts.    | `ANDed`    |
+| `check_name`    | The name of the Prowler check. Use `*` to apply the mutelist to all checks, or `service_*` to apply it to all service's checks.    | `ANDed`    |
+| `region`    | The region identifier. Use `*` to apply the mutelist to all regions.    | `ANDed`    |
+| `resource`    | The resource identifier. Use `*` to apply the mutelist to all resources.    | `ANDed`    |
+| `tag`    | The tag value.    | `ORed`    |
+
+
+## How to Use the Mutelist
+
+To use the Mutelist, you need to specify the path to the Mutelist YAML file using the `-w` or `--mutelist-file` option when running Prowler:
+
 ```
 prowler <provider> -w mutelist.yaml
 ```

-## Mutelist YAML File Syntax
+Replace `<provider>` with the appropriate provider name.

-???+ note
-    For Azure provider, the Account ID is the Subscription Name and the Region is the Location.
+## Considerations

-???+ note
-    For GCP provider, the Account ID is the Project ID and the Region is the Zone.
+- The Mutelist can be used in combination with other Prowler options, such as the `--service` or `--checks` option, to further customize the scanning process.
+- Make sure to review and update the Mutelist regularly to ensure it reflects the desired exclusions and remains up to date with your infrastructure.

-???+ note
-    For Kubernetes provider, the Account ID is the Cluster Name and the Region is the Namespace.
-
-The Mutelist file is a YAML file with the following syntax:
-
-```yaml
-    ### Account, Check and/or Region can be * to apply for all the cases.
-    ### Resources and tags are lists that can have either Regex or Keywords.
-    ### Tags is an optional list that matches on tuples of 'key=value' and are "ANDed" together.
-    ### Use an alternation Regex to match one of multiple tags with "ORed" logic.
-    ### For each check you can except Accounts, Regions, Resources and/or Tags.
-    ###########################  MUTELIST EXAMPLE  ###########################
-    Mutelist:
-      Accounts:
-        "123456789012":
-          Checks:
-            "iam_user_hardware_mfa_enabled":
-              Regions:
-                - "us-east-1"
-              Resources:
-                - "user-1"           # Will ignore user-1 in check iam_user_hardware_mfa_enabled
-                - "user-2"           # Will ignore user-2 in check iam_user_hardware_mfa_enabled
-            "ec2_*":
-              Regions:
-                - "*"
-              Resources:
-                - "*"                 # Will ignore every EC2 check in every account and region
-            "*":
-              Regions:
-                - "*"
-              Resources:
-                - "test"
-              Tags:
-                - "test=test"         # Will ignore every resource containing the string "test" and the tags 'test=test' and
-                - "project=test|project=stage" # either of ('project=test' OR project=stage) in account 123456789012 and every region
-
-        "*":
-          Checks:
-            "s3_bucket_object_versioning":
-              Regions:
-                - "eu-west-1"
-                - "us-east-1"
-              Resources:
-                - "ci-logs"           # Will ignore bucket "ci-logs" AND ALSO bucket "ci-logs-replica" in specified check and regions
-                - "logs"              # Will ignore EVERY BUCKET containing the string "logs" in specified check and regions
-                - ".+-logs"           # Will ignore all buckets containing the terms ci-logs, qa-logs, etc. in specified check and regions
-            "ecs_task_definitions_no_environment_secrets":
-              Regions:
-                - "*"
-              Resources:
-                - "*"
-              Exceptions:
-                Accounts:
-                  - "0123456789012"
-                Regions:
-                  - "eu-west-1"
-                  - "eu-south-2"        # Will ignore every resource in check ecs_task_definitions_no_environment_secrets except the ones in account 0123456789012 located in eu-south-2 or eu-west-1
-            "*":
-              Regions:
-                - "*"
-              Resources:
-                - "*"
-              Tags:
-                - "environment=dev"    # Will ignore every resource containing the tag 'environment=dev' in every account and region
-
-        "123456789012":
-          Checks:
-            "*":
-              Regions:
-                - "*"
-              Resources:
-                - "*"
-              Exceptions:
-                Resources:
-                  - "test"
-                Tags:
-                  - "environment=prod"   # Will ignore every resource except in account 123456789012 except the ones containing the string "test" and tag environment=prod
-```

 ## AWS Mutelist
 ### Mute specific AWS regions
@@ -0,0 +1,36 @@
+
+# Prowler Check Kreator
+
+???+ note
+    Currently, this tool is only available for creating checks for the AWS provider.
+
+**Prowler Check Kreator** is a utility designed to streamline the creation of new checks for Prowler. This tool generates all necessary files required to add a new check to the Prowler repository. Specifically, it creates:
+
+- A dedicated folder for the check.
+- The main check script.
+- A metadata file with essential details.
+- A folder and file structure for testing the check.
+
+## Usage
+
+To use the tool, execute the main script with the following command:
+
+```bash
+python util/prowler_check_kreator/prowler_check_kreator.py <prowler_provider> <check_name>
+```
+Parameters:
+
+- `<prowler_provider>`: Currently only AWS is supported.
+- `<check_name>`: The name you wish to assign to the new check.
+
+## AI integration
+
+This tool optionally integrates AI to assist in generating the check code and metadata file content. When AI assistance is chosen, the tool uses [Gemini](https://gemini.google.com/) to produce preliminary code and metadata.
+
+???+ note
+    For this feature to work, you must have the library `google-generativeai` installed in your Python environment.
+
+???+ warning
+    AI-generated code and metadata might contain errors or require adjustments to align with specific Prowler requirements. Carefully review all AI-generated content before committing.
+
+To enable AI assistance, simply confirm when prompted by the tool. Additionally, ensure that the `GEMINI_API_KEY` environment variable is set with a valid Gemini API key. For instructions on obtaining your API key, refer to the [Gemini documentation](https://ai.google.dev/gemini-api/docs/api-key).
@@ -142,7 +142,8 @@ The JSON-OCSF output format implements the [Detection Finding](https://schema.oc
        "desc": "Ensure CloudTrail is enabled in all regions",
        "product_uid": "prowler",
        "title": "Ensure CloudTrail is enabled in all regions",
-        "uid": "prowler-aws-cloudtrail_multi_region_enabled-123456789012-ap-northeast-1-123456789012"
+        "uid": "prowler-aws-cloudtrail_multi_region_enabled-123456789012-ap-northeast-1-123456789012",
+        "types": ["Software and Configuration Checks","Industry and Regulatory Standards","CIS AWS Foundations Benchmark"],
    },
    "resources": [
        {
@@ -189,11 +190,10 @@ The JSON-OCSF output format implements the [Detection Finding](https://schema.oc
    "type_uid": 200401,
    "type_name": "Create",
    "unmapped": {
-        "check_type": "Software and Configuration Checks,Industry and Regulatory Standards,CIS AWS Foundations Benchmark",
        "related_url": "",
-        "categories": "forensics-ready",
-        "depends_on": "",
-        "related_to": "",
+        "categories": ["forensics-ready"],
+        "depends_on": [],
+        "related_to": [],
        "notes": "",
        "compliance": {
            "CISA": [
@@ -336,7 +336,7 @@ The following is the mapping between the native JSON and the Detection Finding f
 | Provider | cloud.provider |
 | CheckID | metadata.event_code |
 | CheckTitle | finding_info.title |
-| CheckType | unmapped.check_type |
+| CheckType | finding_info.types |
 | ServiceName | resources.group.name |
 | SubServiceName | _Not mapped yet_ |
 | Status | status_code |
@@ -36,10 +36,11 @@ If EBS default encyption is not enabled, sensitive information at rest is not pr

  - `ec2_ebs_default_encryption`

-If your Security groups are not properly configured the attack surface is increased, nonetheless, Prowler will detect those security groups that are being used (they are attached) to only notify those that are being used. This logic applies to the 15 checks related to open ports in security groups and the check for the default security group.
+If your Security groups are not properly configured the attack surface is increased, nonetheless, Prowler will detect those security groups that are being used (they are attached) to only notify those that are being used. This logic applies to the 15 checks related to open ports in security groups, the check for the default security group and for the security groups that allow ingress and egress traffic.

  - `ec2_securitygroup_allow_ingress_from_internet_to_port_X` (15 checks)
  - `ec2_securitygroup_default_restrict_traffic`
+  - `ec2_securitygroup_allow_wide_open_public_ipv4`

 Prowler will also check for used Network ACLs to only alerts those with open ports that are being used.

@@ -65,6 +65,7 @@ nav:
      - Pentesting: tutorials/pentesting.md
      - Parallel Execution: tutorials/parallel-execution.md
      - Developer Guide: developer-guide/introduction.md
+      - Prowler Check Kreator: tutorials/prowler-check-kreator.md
      - AWS:
          - Authentication: tutorials/aws/authentication.md
          - Assume Role: tutorials/aws/role-assumption.md
@@ -87,6 +88,7 @@ nav:
      - Google Cloud:
          - Authentication: tutorials/gcp/authentication.md
          - Projects: tutorials/gcp/projects.md
+          - Organization: tutorials/gcp/organization.md
      - Kubernetes:
          - In-Cluster Execution: tutorials/kubernetes/in-cluster.md
          - Non In-Cluster Execution: tutorials/kubernetes/outside-cluster.md
@@ -58,32 +58,46 @@ Resources:
                - 'account:Get*'
                - 'appstream:Describe*'
                - 'appstream:List*'
+                - 'backup:List*'
+                - 'bedrock:List*'
+                - 'bedrock:Get*'
+                - 'cloudtrail:GetInsightSelectors'
                - 'codeartifact:List*'
                - 'codebuild:BatchGet*'
+                - 'codebuild:ListReportGroups'
                - 'cognito-idp:GetUserPoolMfaConfig'
                - 'dlm:Get*'
+                - 'drs:Describe*'
                - 'ds:Get*'
                - 'ds:Describe*'
                - 'ds:List*'
                - 'dynamodb:GetResourcePolicy'
                - 'ec2:GetEbsEncryptionByDefault'
+                - 'ec2:GetSnapshotBlockPublicAccessState'
                - 'ec2:GetInstanceMetadataDefaults'
                - 'ecr:Describe*'
+                - 'ecr:GetRegistryScanningConfiguration'
                - 'elasticfilesystem:DescribeBackupPolicy'
                - 'glue:GetConnections'
                - 'glue:GetSecurityConfiguration*'
                - 'glue:SearchTables'
                - 'lambda:GetFunction*'
+                - 'logs:FilterLogEvents'
                - 'lightsail:GetRelationalDatabases'
                - 'macie2:GetMacieSession'
+                - 'macie2:GetAutomatedDiscoveryConfiguration'
                - 's3:GetAccountPublicAccessBlock'
                - 'shield:DescribeProtection'
                - 'shield:GetSubscriptionState'
                - 'securityhub:BatchImportFindings'
                - 'securityhub:GetFindings'
+                - 'servicecatalog:Describe*'
+                - 'servicecatalog:List*'
                - 'ssm:GetDocument'
+                - 'ssm-incidents:List*'
                - 'support:Describe*'
                - 'tag:GetTagKeys'
+                - 'wellarchitected:List*'
              Resource: '*'
        - PolicyName: ProwlerScanRoleAdditionalViewPrivilegesApiGateway
          PolicyDocument:
@@ -7,9 +7,12 @@
        "appstream:Describe*",
        "appstream:List*",
        "backup:List*",
+        "bedrock:List*",
+        "bedrock:Get*",
        "cloudtrail:GetInsightSelectors",
        "codeartifact:List*",
        "codebuild:BatchGet*",
+        "codebuild:ListReportGroups",
        "cognito-idp:GetUserPoolMfaConfig",
        "dlm:Get*",
        "drs:Describe*",
@@ -18,6 +21,7 @@
        "ds:List*",
        "dynamodb:GetResourcePolicy",
        "ec2:GetEbsEncryptionByDefault",
+        "ec2:GetSnapshotBlockPublicAccessState",
        "ec2:GetInstanceMetadataDefaults",
        "ecr:Describe*",
        "ecr:GetRegistryScanningConfiguration",
@@ -29,11 +33,14 @@
        "logs:FilterLogEvents",
        "lightsail:GetRelationalDatabases",
        "macie2:GetMacieSession",
+        "macie2:GetAutomatedDiscoveryConfiguration",
        "s3:GetAccountPublicAccessBlock",
        "shield:DescribeProtection",
        "shield:GetSubscriptionState",
        "securityhub:BatchImportFindings",
        "securityhub:GetFindings",
+        "servicecatalog:Describe*",
+        "servicecatalog:List*",
        "ssm:GetDocument",
        "ssm-incidents:List*",
        "support:Describe*",
@@ -1,9 +1,9 @@
 {
  "properties": {
    "roleName": "ProwlerRole",
-    "description": "",
+    "description": "Role used for checks that require read-only access to Azure resources and are not covered by the Reader role.",
    "assignableScopes": [
-      "/providers/Microsoft.Management/managementGroups/<name_management_group> or /subscriptions/<subscription_id>"
+      "/"
    ],
    "permissions": [
      {
@@ -5,6 +5,7 @@ import sys
 from os import environ

 from colorama import Fore, Style
+from colorama import init as colorama_init

 from prowler.config.config import (
    csv_file_suffix,
@@ -15,8 +16,6 @@ from prowler.config.config import (
 )
 from prowler.lib.banner import print_banner
 from prowler.lib.check.check import (
-    bulk_load_checks_metadata,
-    bulk_load_compliance_frameworks,
    exclude_checks_to_run,
    exclude_services_to_run,
    execute_checks,
@@ -36,10 +35,12 @@ from prowler.lib.check.check import (
 )
 from prowler.lib.check.checks_loader import load_checks_to_execute
 from prowler.lib.check.compliance import update_checks_metadata_with_compliance
+from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.check.custom_checks_metadata import (
    parse_custom_checks_metadata_file,
    update_checks_metadata,
 )
+from prowler.lib.check.models import CheckMetadata
 from prowler.lib.cli.parser import ProwlerArgumentParser
 from prowler.lib.logger import logger, set_logging_config
 from prowler.lib.outputs.asff.asff import ASFF
@@ -52,8 +53,11 @@ from prowler.lib.outputs.compliance.cis.cis_gcp import GCPCIS
 from prowler.lib.outputs.compliance.cis.cis_kubernetes import KubernetesCIS
 from prowler.lib.outputs.compliance.compliance import display_compliance_table
 from prowler.lib.outputs.compliance.ens.ens_aws import AWSENS
+from prowler.lib.outputs.compliance.ens.ens_azure import AzureENS
+from prowler.lib.outputs.compliance.ens.ens_gcp import GCPENS
 from prowler.lib.outputs.compliance.generic.generic import GenericCompliance
 from prowler.lib.outputs.compliance.iso27001.iso27001_aws import AWSISO27001
+from prowler.lib.outputs.compliance.kisa_ismsp.kisa_ismsp_aws import AWSKISAISMSP
 from prowler.lib.outputs.compliance.mitre_attack.mitre_attack_aws import AWSMitreAttack
 from prowler.lib.outputs.compliance.mitre_attack.mitre_attack_azure import (
    AzureMitreAttack,
@@ -66,10 +70,14 @@ from prowler.lib.outputs.ocsf.ocsf import OCSF
 from prowler.lib.outputs.outputs import extract_findings_statistics
 from prowler.lib.outputs.slack.slack import Slack
 from prowler.lib.outputs.summary_table import display_summary_table
-from prowler.providers.aws.lib.s3.s3 import send_to_s3_bucket
+from prowler.providers.aws.lib.s3.s3 import S3
 from prowler.providers.aws.lib.security_hub.security_hub import SecurityHub
+from prowler.providers.aws.models import AWSOutputOptions
+from prowler.providers.azure.models import AzureOutputOptions
 from prowler.providers.common.provider import Provider
 from prowler.providers.common.quick_inventory import run_provider_quick_inventory
+from prowler.providers.gcp.models import GCPOutputOptions
+from prowler.providers.kubernetes.models import KubernetesOutputOptions


 def prowler():
@@ -107,6 +115,9 @@ def prowler():
        and not checks_folder
    )

+    if args.no_color:
+        colorama_init(strip=True)
+
    if not args.no_banner:
        legend = args.verbose or getattr(args, "fixer", None)
        print_banner(legend)
@@ -131,7 +142,7 @@ def prowler():

    # Load checks metadata
    logger.debug("Loading checks metadata from .metadata.json files")
-    bulk_checks_metadata = bulk_load_checks_metadata(provider)
+    bulk_checks_metadata = CheckMetadata.get_bulk(provider)

    if args.list_categories:
        print_categories(list_categories(bulk_checks_metadata))
@@ -141,7 +152,7 @@ def prowler():
    # Load compliance frameworks
    logger.debug("Loading compliance frameworks from .json files")

-    bulk_compliance_frameworks = bulk_load_compliance_frameworks(provider)
+    bulk_compliance_frameworks = Compliance.get_bulk(provider)
    # Complete checks metadata with the compliance framework specification
    bulk_checks_metadata = update_checks_metadata_with_compliance(
        bulk_compliance_frameworks, bulk_checks_metadata
@@ -168,15 +179,15 @@ def prowler():

    # Load checks to execute
    checks_to_execute = load_checks_to_execute(
-        bulk_checks_metadata,
-        bulk_compliance_frameworks,
-        checks_file,
-        checks,
-        services,
-        severities,
-        compliance_framework,
-        categories,
-        provider,
+        bulk_checks_metadata=bulk_checks_metadata,
+        bulk_compliance_frameworks=bulk_compliance_frameworks,
+        checks_file=checks_file,
+        check_list=checks,
+        service_list=services,
+        severities=severities,
+        compliance_frameworks=compliance_framework,
+        categories=categories,
+        provider=provider,
    )

    # if --list-checks-json, dump a json file and exit
@@ -190,7 +201,7 @@ def prowler():
        sys.exit()

    # Provider to scan
-    Provider.set_global_provider(args)
+    Provider.init_global_provider(args)
    global_provider = Provider.get_global_provider()

    # Print Provider Credentials
@@ -224,17 +235,30 @@ def prowler():
    # Once the provider is set and we have the eventual checks based on the resource identifier,
    # it is time to check what Prowler's checks are going to be executed
    checks_from_resources = global_provider.get_checks_to_execute_by_audit_resources()
-    if checks_from_resources:
+    # Intersect checks from resources with checks to execute so we only run the checks that apply to the resources with the specified ARNs or tags
+    if getattr(args, "resource_arn", None) or getattr(args, "resource_tag", None):
        checks_to_execute = checks_to_execute.intersection(checks_from_resources)

    # Sort final check list
    checks_to_execute = sorted(checks_to_execute)

-    # Setup Mutelist
-    global_provider.mutelist = args.mutelist_file
-
    # Setup Output Options
-    global_provider.output_options = (args, bulk_checks_metadata)
+    if provider == "aws":
+        output_options = AWSOutputOptions(
+            args, bulk_checks_metadata, global_provider.identity
+        )
+    elif provider == "azure":
+        output_options = AzureOutputOptions(
+            args, bulk_checks_metadata, global_provider.identity
+        )
+    elif provider == "gcp":
+        output_options = GCPOutputOptions(
+            args, bulk_checks_metadata, global_provider.identity
+        )
+    elif provider == "kubernetes":
+        output_options = KubernetesOutputOptions(
+            args, bulk_checks_metadata, global_provider.identity
+        )

    # Run the quick inventory for the provider if available
    if hasattr(args, "quick_inventory") and args.quick_inventory:
@@ -250,6 +274,7 @@ def prowler():
            global_provider,
            custom_checks_metadata,
            args.config_file,
+            output_options,
        )
    else:
        logger.error(
@@ -257,7 +282,7 @@ def prowler():
        )

    # Prowler Fixer
-    if global_provider.output_options.fixer:
+    if output_options.fixer:
        print(f"{Style.BRIGHT}\nRunning Prowler Fixer, please wait...{Style.RESET_ALL}")
        # Check if there are any FAIL findings
        if any("FAIL" in finding.status for finding in findings):
@@ -303,14 +328,17 @@ def prowler():
    # TODO: this part is needed since the checks generates a Check_Report_XXX and the output uses Finding
    # This will be refactored for the outputs generate directly the Finding
    finding_outputs = [
-        Finding.generate_output(global_provider, finding) for finding in findings
+        Finding.generate_output(global_provider, finding, output_options)
+        for finding in findings
    ]

+    generated_outputs = {"regular": [], "compliance": []}
+
    if args.output_formats:
        for mode in args.output_formats:
            filename = (
-                f"{global_provider.output_options.output_directory}/"
-                f"{global_provider.output_options.output_filename}"
+                f"{output_options.output_directory}/"
+                f"{output_options.output_filename}"
            )
            if mode == "csv":
                csv_output = CSV(
@@ -318,6 +346,7 @@ def prowler():
                    create_file_descriptor=True,
                    file_path=f"{filename}{csv_file_suffix}",
                )
+                generated_outputs["regular"].append(csv_output)
                # Write CSV Finding Object to file
                csv_output.batch_write_data_to_file()

@@ -327,6 +356,7 @@ def prowler():
                    create_file_descriptor=True,
                    file_path=f"{filename}{json_asff_file_suffix}",
                )
+                generated_outputs["regular"].append(asff_output)
                # Write ASFF Finding Object to file
                asff_output.batch_write_data_to_file()

@@ -336,6 +366,7 @@ def prowler():
                    create_file_descriptor=True,
                    file_path=f"{filename}{json_ocsf_file_suffix}",
                )
+                generated_outputs["regular"].append(json_output)
                json_output.batch_write_data_to_file()
            if mode == "html":
                html_output = HTML(
@@ -343,103 +374,105 @@ def prowler():
                    create_file_descriptor=True,
                    file_path=f"{filename}{html_file_suffix}",
                )
+                generated_outputs["regular"].append(html_output)
                html_output.batch_write_data_to_file(
                    provider=global_provider, stats=stats
                )

-            # Send output to S3 if needed (-B / -D)
-            if provider == "aws" and (
-                args.output_bucket or args.output_bucket_no_assume
-            ):
-                output_bucket = args.output_bucket
-                bucket_session = global_provider.session.current_session
-                # Check if -D was input
-                if args.output_bucket_no_assume:
-                    output_bucket = args.output_bucket_no_assume
-                    bucket_session = global_provider.session.original_session
-                send_to_s3_bucket(
-                    global_provider.output_options.output_filename,
-                    args.output_directory,
-                    mode,
-                    output_bucket,
-                    bucket_session,
-                )
-
    # Compliance Frameworks
-    input_compliance_frameworks = set(
-        global_provider.output_options.output_modes
-    ).intersection(get_available_compliance_frameworks(provider))
+    input_compliance_frameworks = set(output_options.output_modes).intersection(
+        get_available_compliance_frameworks(provider)
+    )
    if provider == "aws":
        for compliance_name in input_compliance_frameworks:
            if compliance_name.startswith("cis_"):
                # Generate CIS Finding Object
                filename = (
-                    f"{global_provider.output_options.output_directory}/compliance/"
-                    f"{global_provider.output_options.output_filename}_{compliance_name}.csv"
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
                )
-                cis_finding = AWSCIS(
+                cis = AWSCIS(
                    findings=finding_outputs,
                    compliance=bulk_compliance_frameworks[compliance_name],
                    create_file_descriptor=True,
                    file_path=filename,
                )
-                cis_finding.batch_write_data_to_file()
+                generated_outputs["compliance"].append(cis)
+                cis.batch_write_data_to_file()
            elif compliance_name == "mitre_attack_aws":
                # Generate MITRE ATT&CK Finding Object
                filename = (
-                    f"{global_provider.output_options.output_directory}/compliance/"
-                    f"{global_provider.output_options.output_filename}_{compliance_name}.csv"
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
                )
-                mitre_attack_finding = AWSMitreAttack(
+                mitre_attack = AWSMitreAttack(
                    findings=finding_outputs,
                    compliance=bulk_compliance_frameworks[compliance_name],
                    create_file_descriptor=True,
                    file_path=filename,
                )
-                mitre_attack_finding.batch_write_data_to_file()
+                generated_outputs["compliance"].append(mitre_attack)
+                mitre_attack.batch_write_data_to_file()
            elif compliance_name.startswith("ens_"):
                # Generate ENS Finding Object
                filename = (
-                    f"{global_provider.output_options.output_directory}/compliance/"
-                    f"{global_provider.output_options.output_filename}_{compliance_name}.csv"
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
                )
-                ens_finding = AWSENS(
+                ens = AWSENS(
                    findings=finding_outputs,
                    compliance=bulk_compliance_frameworks[compliance_name],
                    create_file_descriptor=True,
                    file_path=filename,
                )
-                ens_finding.batch_write_data_to_file()
+                generated_outputs["compliance"].append(ens)
+                ens.batch_write_data_to_file()
            elif compliance_name.startswith("aws_well_architected_framework"):
                # Generate AWS Well-Architected Finding Object
                filename = (
-                    f"{global_provider.output_options.output_directory}/compliance/"
-                    f"{global_provider.output_options.output_filename}_{compliance_name}.csv"
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
                )
-                aws_well_architected_finding = AWSWellArchitected(
+                aws_well_architected = AWSWellArchitected(
                    findings=finding_outputs,
                    compliance=bulk_compliance_frameworks[compliance_name],
                    create_file_descriptor=True,
                    file_path=filename,
                )
-                aws_well_architected_finding.batch_write_data_to_file()
+                generated_outputs["compliance"].append(aws_well_architected)
+                aws_well_architected.batch_write_data_to_file()
            elif compliance_name.startswith("iso27001_"):
                # Generate ISO27001 Finding Object
                filename = (
-                    f"{global_provider.output_options.output_directory}/compliance/"
-                    f"{global_provider.output_options.output_filename}_{compliance_name}.csv"
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
                )
-                iso27001_finding = AWSISO27001(
+                iso27001 = AWSISO27001(
                    findings=finding_outputs,
                    compliance=bulk_compliance_frameworks[compliance_name],
                    create_file_descriptor=True,
                    file_path=filename,
                )
-                iso27001_finding.batch_write_data_to_file()
+                generated_outputs["compliance"].append(iso27001)
+                iso27001.batch_write_data_to_file()
+            elif compliance_name.startswith("kisa"):
+                # Generate KISA-ISMS-P Finding Object
+                filename = (
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
+                )
+                kisa_ismsp = AWSKISAISMSP(
+                    findings=finding_outputs,
+                    compliance=bulk_compliance_frameworks[compliance_name],
+                    create_file_descriptor=True,
+                    file_path=filename,
+                )
+                generated_outputs["compliance"].append(kisa_ismsp)
+                kisa_ismsp.batch_write_data_to_file()
            else:
                filename = (
-                    f"{global_provider.output_options.output_directory}/compliance/"
-                    f"{global_provider.output_options.output_filename}_{compliance_name}.csv"
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
                )
                generic_compliance = GenericCompliance(
                    findings=finding_outputs,
@@ -447,6 +480,7 @@ def prowler():
                    create_file_descriptor=True,
                    file_path=filename,
                )
+                generated_outputs["compliance"].append(generic_compliance)
                generic_compliance.batch_write_data_to_file()

    elif provider == "azure":
@@ -454,33 +488,49 @@ def prowler():
            if compliance_name.startswith("cis_"):
                # Generate CIS Finding Object
                filename = (
-                    f"{global_provider.output_options.output_directory}/compliance/"
-                    f"{global_provider.output_options.output_filename}_{compliance_name}.csv"
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
                )
-                cis_finding = AzureCIS(
+                cis = AzureCIS(
                    findings=finding_outputs,
                    compliance=bulk_compliance_frameworks[compliance_name],
                    create_file_descriptor=True,
                    file_path=filename,
                )
-                cis_finding.batch_write_data_to_file()
+                generated_outputs["compliance"].append(cis)
+                cis.batch_write_data_to_file()
            elif compliance_name == "mitre_attack_azure":
                # Generate MITRE ATT&CK Finding Object
                filename = (
-                    f"{global_provider.output_options.output_directory}/compliance/"
-                    f"{global_provider.output_options.output_filename}_{compliance_name}.csv"
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
                )
-                mitre_attack_finding = AzureMitreAttack(
+                mitre_attack = AzureMitreAttack(
                    findings=finding_outputs,
                    compliance=bulk_compliance_frameworks[compliance_name],
                    create_file_descriptor=True,
                    file_path=filename,
                )
-                mitre_attack_finding.batch_write_data_to_file()
+                generated_outputs["compliance"].append(mitre_attack)
+                mitre_attack.batch_write_data_to_file()
+            elif compliance_name.startswith("ens_"):
+                # Generate ENS Finding Object
+                filename = (
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
+                )
+                ens = AzureENS(
+                    findings=finding_outputs,
+                    compliance=bulk_compliance_frameworks[compliance_name],
+                    create_file_descriptor=True,
+                    file_path=filename,
+                )
+                generated_outputs["compliance"].append(ens)
+                ens.batch_write_data_to_file()
            else:
                filename = (
-                    f"{global_provider.output_options.output_directory}/compliance/"
-                    f"{global_provider.output_options.output_filename}_{compliance_name}.csv"
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
                )
                generic_compliance = GenericCompliance(
                    findings=finding_outputs,
@@ -488,6 +538,7 @@ def prowler():
                    create_file_descriptor=True,
                    file_path=filename,
                )
+                generated_outputs["compliance"].append(generic_compliance)
                generic_compliance.batch_write_data_to_file()

    elif provider == "gcp":
@@ -495,33 +546,49 @@ def prowler():
            if compliance_name.startswith("cis_"):
                # Generate CIS Finding Object
                filename = (
-                    f"{global_provider.output_options.output_directory}/compliance/"
-                    f"{global_provider.output_options.output_filename}_{compliance_name}.csv"
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
                )
-                cis_finding = GCPCIS(
+                cis = GCPCIS(
                    findings=finding_outputs,
                    compliance=bulk_compliance_frameworks[compliance_name],
                    create_file_descriptor=True,
                    file_path=filename,
                )
-                cis_finding.batch_write_data_to_file()
+                generated_outputs["compliance"].append(cis)
+                cis.batch_write_data_to_file()
            elif compliance_name == "mitre_attack_gcp":
                # Generate MITRE ATT&CK Finding Object
                filename = (
-                    f"{global_provider.output_options.output_directory}/compliance/"
-                    f"{global_provider.output_options.output_filename}_{compliance_name}.csv"
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
                )
-                mitre_attack_finding = GCPMitreAttack(
+                mitre_attack = GCPMitreAttack(
                    findings=finding_outputs,
                    compliance=bulk_compliance_frameworks[compliance_name],
                    create_file_descriptor=True,
                    file_path=filename,
                )
-                mitre_attack_finding.batch_write_data_to_file()
+                generated_outputs["compliance"].append(mitre_attack)
+                mitre_attack.batch_write_data_to_file()
+            elif compliance_name.startswith("ens_"):
+                # Generate ENS Finding Object
+                filename = (
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
+                )
+                ens = GCPENS(
+                    findings=finding_outputs,
+                    compliance=bulk_compliance_frameworks[compliance_name],
+                    create_file_descriptor=True,
+                    file_path=filename,
+                )
+                generated_outputs["compliance"].append(ens)
+                ens.batch_write_data_to_file()
            else:
                filename = (
-                    f"{global_provider.output_options.output_directory}/compliance/"
-                    f"{global_provider.output_options.output_filename}_{compliance_name}.csv"
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
                )
                generic_compliance = GenericCompliance(
                    findings=finding_outputs,
@@ -529,6 +596,7 @@ def prowler():
                    create_file_descriptor=True,
                    file_path=filename,
                )
+                generated_outputs["compliance"].append(generic_compliance)
                generic_compliance.batch_write_data_to_file()

    elif provider == "kubernetes":
@@ -536,20 +604,21 @@ def prowler():
            if compliance_name.startswith("cis_"):
                # Generate CIS Finding Object
                filename = (
-                    f"{global_provider.output_options.output_directory}/compliance/"
-                    f"{global_provider.output_options.output_filename}_{compliance_name}.csv"
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
                )
-                cis_finding = KubernetesCIS(
+                cis = KubernetesCIS(
                    findings=finding_outputs,
                    compliance=bulk_compliance_frameworks[compliance_name],
                    create_file_descriptor=True,
                    file_path=filename,
                )
-                cis_finding.batch_write_data_to_file()
+                generated_outputs["compliance"].append(cis)
+                cis.batch_write_data_to_file()
            else:
                filename = (
-                    f"{global_provider.output_options.output_directory}/compliance/"
-                    f"{global_provider.output_options.output_filename}_{compliance_name}.csv"
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
                )
                generic_compliance = GenericCompliance(
                    findings=finding_outputs,
@@ -557,51 +626,72 @@ def prowler():
                    create_file_descriptor=True,
                    file_path=filename,
                )
+                generated_outputs["compliance"].append(generic_compliance)
                generic_compliance.batch_write_data_to_file()

    # AWS Security Hub Integration
-    if provider == "aws" and args.security_hub:
-        print(
-            f"{Style.BRIGHT}\nSending findings to AWS Security Hub, please wait...{Style.RESET_ALL}"
-        )
-
-        security_hub_regions = (
-            global_provider.get_available_aws_service_regions("securityhub")
-            if not global_provider.identity.audited_regions
-            else global_provider.identity.audited_regions
-        )
-
-        security_hub = SecurityHub(
-            aws_account_id=global_provider.identity.account,
-            aws_partition=global_provider.identity.partition,
-            aws_session=global_provider.session.current_session,
-            findings=asff_output.data,
-            status=global_provider.output_options.status,
-            send_only_fails=global_provider.output_options.send_sh_only_fails,
-            aws_security_hub_available_regions=security_hub_regions,
-        )
-        # Send the findings to Security Hub
-        findings_sent_to_security_hub = security_hub.batch_send_to_security_hub()
-        print(
-            f"{Style.BRIGHT}{Fore.GREEN}\n{findings_sent_to_security_hub} findings sent to AWS Security Hub!{Style.RESET_ALL}"
-        )
-
-        # Resolve previous fails of Security Hub
-        if not args.skip_sh_update:
-            print(
-                f"{Style.BRIGHT}\nArchiving previous findings in AWS Security Hub, please wait...{Style.RESET_ALL}"
+    if provider == "aws":
+        # Send output to S3 if needed (-B / -D) for all the output formats
+        if args.output_bucket or args.output_bucket_no_assume:
+            output_bucket = args.output_bucket
+            bucket_session = global_provider.session.current_session
+            # Check if -D was input
+            if args.output_bucket_no_assume:
+                output_bucket = args.output_bucket_no_assume
+                bucket_session = global_provider.session.original_session
+            s3 = S3(
+                session=bucket_session,
+                bucket_name=output_bucket,
+                output_directory=args.output_directory,
            )
-            findings_archived_in_security_hub = security_hub.archive_previous_findings()
+            s3.send_to_bucket(generated_outputs)
+        if args.security_hub:
            print(
-                f"{Style.BRIGHT}{Fore.GREEN}\n{findings_archived_in_security_hub} findings archived in AWS Security Hub!{Style.RESET_ALL}"
+                f"{Style.BRIGHT}\nSending findings to AWS Security Hub, please wait...{Style.RESET_ALL}"
            )

+            security_hub_regions = (
+                global_provider.get_available_aws_service_regions(
+                    "securityhub",
+                    global_provider.identity.partition,
+                    global_provider.identity.audited_regions,
+                )
+                if not global_provider.identity.audited_regions
+                else global_provider.identity.audited_regions
+            )
+
+            security_hub = SecurityHub(
+                aws_account_id=global_provider.identity.account,
+                aws_partition=global_provider.identity.partition,
+                aws_session=global_provider.session.current_session,
+                findings=asff_output.data,
+                send_only_fails=output_options.send_sh_only_fails,
+                aws_security_hub_available_regions=security_hub_regions,
+            )
+            # Send the findings to Security Hub
+            findings_sent_to_security_hub = security_hub.batch_send_to_security_hub()
+            print(
+                f"{Style.BRIGHT}{Fore.GREEN}\n{findings_sent_to_security_hub} findings sent to AWS Security Hub!{Style.RESET_ALL}"
+            )
+
+            # Resolve previous fails of Security Hub
+            if not args.skip_sh_update:
+                print(
+                    f"{Style.BRIGHT}\nArchiving previous findings in AWS Security Hub, please wait...{Style.RESET_ALL}"
+                )
+                findings_archived_in_security_hub = (
+                    security_hub.archive_previous_findings()
+                )
+                print(
+                    f"{Style.BRIGHT}{Fore.GREEN}\n{findings_archived_in_security_hub} findings archived in AWS Security Hub!{Style.RESET_ALL}"
+                )
+
    # Display summary table
    if not args.only_logs:
        display_summary_table(
            findings,
            global_provider,
-            global_provider.output_options,
+            output_options,
        )
        # Only display compliance table if there are findings (not all MANUAL) and it is a default execution
        if (
@@ -620,13 +710,13 @@ def prowler():
                    findings,
                    bulk_checks_metadata,
                    compliance,
-                    global_provider.output_options.output_filename,
-                    global_provider.output_options.output_directory,
+                    output_options.output_filename,
+                    output_options.output_directory,
                    compliance_overview,
                )
            if compliance_overview:
                print(
-                    f"\nDetailed compliance results are in {Fore.YELLOW}{global_provider.output_options.output_directory}/compliance/{Style.RESET_ALL}\n"
+                    f"\nDetailed compliance results are in {Fore.YELLOW}{output_options.output_directory}/compliance/{Style.RESET_ALL}\n"
                )

    # If custom checks were passed, remove the modules
@@ -557,7 +557,7 @@
        }
      ],
      "Checks": [
-        "inspector2_findings_exist"
+        "inspector2_is_enabled"
      ]
    },
    {
@@ -587,7 +587,8 @@
        }
      ],
      "Checks": [
-        "inspector2_findings_exist",
+        "inspector2_active_findings_exist",
+        "inspector2_is_enabled",
        "ecr_registry_scan_images_on_push_enabled",
        "ecr_repositories_scan_vulnerabilities_in_latest_image",
        "ecr_repositories_scan_images_on_push_enabled"
@@ -28,7 +28,9 @@
          "Service": "ebs"
        }
      ],
-      "Checks": []
+      "Checks": [
+        "ec2_ebs_volume_snapshots_exists"
+      ]
    },
    {
      "Id": "1.0.3",
@@ -42,7 +44,8 @@
        }
      ],
      "Checks": [
-        "ec2_ebs_default_encryption"
+        "ec2_ebs_default_encryption",
+        "ec2_ebs_volume_encryption"
      ]
    },
    {
@@ -87,7 +90,9 @@
        }
      ],
      "Checks": [
-        "iam_user_mfa_enabled_console_access"
+        "iam_user_mfa_enabled_console_access",
+        "iam_user_hardware_mfa_enabled",
+        "iam_root_mfa_enabled"
      ]
    },
    {
@@ -102,7 +107,9 @@
        }
      ],
      "Checks": [
-        "iam_user_mfa_enabled_console_access"
+        "iam_user_mfa_enabled_console_access",
+        "iam_user_hardware_mfa_enabled",
+        "iam_root_mfa_enabled"
      ]
    },
    {
@@ -117,7 +124,9 @@
        }
      ],
      "Checks": [
-        "iam_root_mfa_enabled"
+        "iam_root_mfa_enabled",
+        "iam_root_hardware_mfa_enabled",
+        "iam_user_mfa_enabled_console_access"
      ]
    },
    {
@@ -162,7 +171,10 @@
        }
      ],
      "Checks": [
-        "rds_instance_no_public_access"
+        "rds_instance_no_public_access",
+        "s3_bucket_public_access",
+        "s3_bucket_public_list_acl",
+        "s3_account_level_public_access_blocks"
      ]
    },
    {
@@ -192,7 +204,8 @@
        }
      ],
      "Checks": [
-        "rds_instance_storage_encrypted"
+        "rds_instance_storage_encrypted",
+        "rds_instance_transport_encrypted"
      ]
    },
    {
@@ -485,7 +485,7 @@
        "codeartifact_packages_external_public_publishing_disabled",
        "ecr_repositories_not_publicly_accessible",
        "efs_not_publicly_accessible",
-        "eks_endpoints_not_publicly_accessible",
+        "eks_cluster_not_publicly_accessible",
        "elb_internet_facing",
        "elbv2_internet_facing",
        "s3_account_level_public_access_blocks",
@@ -664,7 +664,7 @@
        "awslambda_function_not_publicly_accessible",
        "apigateway_restapi_waf_acl_attached",
        "cloudfront_distributions_using_waf",
-        "eks_control_plane_endpoint_access_restricted",
+        "eks_cluster_not_publicly_accessible",
        "sagemaker_models_network_isolation_enabled",
        "sagemaker_models_vpc_settings_configured",
        "sagemaker_notebook_instance_vpc_settings_configured",
@@ -455,7 +455,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.",
@@ -476,7 +477,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.",
@@ -497,7 +499,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.",
@@ -518,7 +521,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.",
@@ -540,7 +544,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.",
@@ -561,7 +566,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.2. Elastic Compute Cloud (EC2)",
+          "Section": "2. Storage",
+          "SubSection": "2.2. Elastic Compute Cloud (EC2)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.",
@@ -578,11 +584,13 @@
      "Id": "2.3.1",
      "Description": "Ensure that encryption is enabled for RDS Instances",
      "Checks": [
-        "rds_instance_storage_encrypted"
+        "rds_instance_storage_encrypted",
+        "rds_instance_transport_encrypted"
      ],
      "Attributes": [
        {
-          "Section": "2.3. Relational Database Service (RDS)",
+          "Section": "2. Storage",
+          "SubSection": "2.3. Relational Database Service (RDS)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.",
@@ -455,7 +455,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.",
@@ -476,7 +477,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.",
@@ -497,7 +499,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.",
@@ -518,7 +521,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.",
@@ -540,7 +544,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.",
@@ -561,7 +566,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.2. Elastic Compute Cloud (EC2)",
+          "Section": "2. Storage",
+          "SubSection": "2.2. Elastic Compute Cloud (EC2)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.",
@@ -578,11 +584,13 @@
      "Id": "2.3.1",
      "Description": "Ensure that encryption is enabled for RDS Instances",
      "Checks": [
-        "rds_instance_storage_encrypted"
+        "rds_instance_storage_encrypted",
+        "rds_instance_transport_encrypted"
      ],
      "Attributes": [
        {
-          "Section": "2.3. Relational Database Service (RDS)",
+          "Section": "2. Storage",
+          "SubSection": "2.3. Relational Database Service (RDS)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.",
@@ -603,7 +611,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.3. Relational Database Service (RDS)",
+          "Section": "2. Storage",
+          "SubSection": "2.3. Relational Database Service (RDS)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.",
@@ -624,7 +633,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.3. Relational Database Service (RDS)",
+          "Section": "2. Storage",
+          "SubSection": "2.3. Relational Database Service (RDS)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.",
@@ -645,7 +655,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.4 Relational Database Service (RDS)",
+          "Section": "2. Storage",
+          "SubSection": "2.4 Elastic File System (EFS)",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "EFS data should be encrypted at rest using AWS KMS (Key Management Service).",
@@ -303,7 +303,9 @@
    {
      "Id": "1.22",
      "Description": "Ensure access to AWSCloudShellFullAccess is restricted",
-      "Checks": [],
+      "Checks": [
+        "iam_policy_cloudshell_admin_not_attached"
+      ],
      "Attributes": [
        {
          "Section": "1. Identity and Access Management",
@@ -474,7 +476,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.",
@@ -491,11 +494,13 @@
      "Id": "2.1.2",
      "Description": "Ensure MFA Delete is enabled on S3 buckets",
      "Checks": [
-        "s3_bucket_no_mfa_delete"
+        "s3_bucket_no_mfa_delete",
+        "cloudtrail_bucket_requires_mfa_delete"
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.",
@@ -516,7 +521,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.",
@@ -538,7 +544,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.",
@@ -559,7 +566,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.2. Elastic Compute Cloud (EC2)",
+          "Section": "2. Storage",
+          "SubSection": "2.2. Elastic Compute Cloud (EC2)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.",
@@ -576,11 +584,13 @@
      "Id": "2.3.1",
      "Description": "Ensure that encryption is enabled for RDS Instances",
      "Checks": [
-        "rds_instance_storage_encrypted"
+        "rds_instance_storage_encrypted",
+        "rds_instance_transport_encrypted"
      ],
      "Attributes": [
        {
-          "Section": "2.3. Relational Database Service (RDS)",
+          "Section": "2. Storage",
+          "SubSection": "2.3. Relational Database Service (RDS)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.",
@@ -601,7 +611,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.3. Relational Database Service (RDS)",
+          "Section": "2. Storage",
+          "SubSection": "2.3. Relational Database Service (RDS)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.",
@@ -622,7 +633,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.3. Relational Database Service (RDS)",
+          "Section": "2. Storage",
+          "SubSection": "2.3. Relational Database Service (RDS)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.",
@@ -643,7 +655,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.4 Relational Database Service (RDS)",
+          "Section": "2. Storage",
+          "SubSection": "2.4 Elastic File System (EFS)",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "EFS data should be encrypted at rest using AWS KMS (Key Management Service).",
@@ -1338,7 +1351,8 @@
      "Id": "5.6",
      "Description": "Ensure that EC2 Metadata Service only allows IMDSv2",
      "Checks": [
-        "ec2_instance_imdsv2_enabled"
+        "ec2_instance_imdsv2_enabled",
+        "ec2_instance_account_imdsv2_enabled"
      ],
      "Attributes": [
        {
@@ -474,7 +474,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.",
@@ -495,7 +496,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.",
@@ -516,7 +518,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.",
@@ -538,7 +541,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1. Simple Storage Service (S3)",
+          "Section": "2. Storage",
+          "SubSection": "2.1. Simple Storage Service (S3)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.",
@@ -559,7 +563,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.2. Elastic Compute Cloud (EC2)",
+          "Section": "2. Storage",
+          "SubSection": "2.2. Elastic Compute Cloud (EC2)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.",
@@ -580,7 +585,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.3. Relational Database Service (RDS)",
+          "Section": "2. Storage",
+          "SubSection": "2.3. Relational Database Service (RDS)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.",
@@ -601,7 +607,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.3. Relational Database Service (RDS)",
+          "Section": "2. Storage",
+          "SubSection": "2.3. Relational Database Service (RDS)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.",
@@ -622,7 +629,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.3. Relational Database Service (RDS)",
+          "Section": "2. Storage",
+          "SubSection": "2.3. Relational Database Service (RDS)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to anypublicly accessible RDS database instance, you must disable the database PubliclyAccessible flag and update the VPC security group associated with the instance",
@@ -643,7 +651,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.4 Relational Database Service (RDS)",
+          "Section": "2. Storage",
+          "SubSection": "2.4 Elastic File System (EFS)",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "EFS data should be encrypted at rest using AWS KMS (Key Management Service).",
@@ -19,7 +19,7 @@
        "ec2_ebs_public_snapshot",
        "ec2_instance_profile_attached",
        "ec2_instance_public_ip",
-        "eks_endpoints_not_publicly_accessible",
+        "eks_cluster_not_publicly_accessible",
        "emr_cluster_master_nodes_no_public_ip",
        "iam_aws_attached_policy_no_administrative_privileges",
        "iam_customer_attached_policy_no_administrative_privileges",
@@ -61,7 +61,7 @@
        "ec2_ebs_public_snapshot",
        "ec2_instance_profile_attached",
        "ec2_instance_public_ip",
-        "eks_endpoints_not_publicly_accessible",
+        "eks_cluster_not_publicly_accessible",
        "emr_cluster_master_nodes_no_public_ip",
        "iam_aws_attached_policy_no_administrative_privileges",
        "iam_customer_attached_policy_no_administrative_privileges",
@@ -102,7 +102,7 @@
      "Checks": [
        "ec2_ebs_public_snapshot",
        "ec2_instance_public_ip",
-        "eks_endpoints_not_publicly_accessible",
+        "eks_cluster_not_publicly_accessible",
        "emr_cluster_master_nodes_no_public_ip",
        "awslambda_function_not_publicly_accessible",
        "awslambda_function_url_public",
@@ -971,7 +971,7 @@
      "Checks": [
        "ec2_ebs_public_snapshot",
        "ec2_instance_public_ip",
-        "eks_endpoints_not_publicly_accessible",
+        "eks_cluster_not_publicly_accessible",
        "emr_cluster_master_nodes_no_public_ip",
        "awslambda_function_url_public",
        "rds_instance_no_public_access",
@@ -12,7 +12,8 @@
      ],
      "Attributes": [
        {
-          "Section": "1.1 Security Defaults",
+          "Section": "1. Identity and Access Management",
+          "SubSection": "1.1 Security Defaults",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security",
@@ -34,7 +35,8 @@
      ],
      "Attributes": [
        {
-          "Section": "1.1 Security Defaults",
+          "Section": "1. Identity and Access Management",
+          "SubSection": "1.1 Security Defaults",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. These include custom created objects or built-in roles such as; • Service Co-Administrators • Subscription Owners • Contributors",
@@ -56,7 +58,8 @@
      ],
      "Attributes": [
        {
-          "Section": "1.1 Security Defaults",
+          "Section": "1. Identity and Access Management",
+          "SubSection": "1.1 Security Defaults",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Enable multi-factor authentication for all non-privileged users.",
@@ -76,7 +79,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.1 Security Defaults",
+          "Section": "1. Identity and Access Management",
+          "SubSection": "1.1 Security Defaults",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Do not allow users to remember multi-factor authentication on devices.",
@@ -98,7 +102,8 @@
      ],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
+          "SubSection": "1.2 Conditional Access",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Azure Active Directory Conditional Access allows an organization to configure Named locations and configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization.",
@@ -118,7 +123,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
+          "SubSection": "1.2 Conditional Access",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "CAUTION: If these policies are created without first auditing and testing the result, misconfiguration can potentially lock out administrators or create undesired access issues. Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined.",
@@ -138,7 +144,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
+          "SubSection": "1.2 Conditional Access",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.",
@@ -158,7 +165,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
+          "SubSection": "1.2 Conditional Access",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.",
@@ -178,7 +186,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
+          "SubSection": "1.2 Conditional Access",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.",
@@ -198,7 +207,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
+          "SubSection": "1.2 Conditional Access",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.",
@@ -220,7 +230,7 @@
      ],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Require administrators or appropriately delegated users to create new tenants.",
@@ -240,7 +250,7 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "This recommendation extends guest access review by utilizing the Azure AD Privileged Identity Management feature provided in Azure AD Premium P2. Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources a a guest user.",
@@ -260,7 +270,7 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user. Guest users in every subscription should be review on a regular basis to ensure that inactive and unneeded accounts are removed.",
@@ -280,7 +290,7 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Ensures that two alternate forms of identification are provided before allowing a password reset.",
@@ -300,7 +310,7 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Microsoft Azure provides a Global Banned Password policy that applies to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premise Active Directory unless Azure AD Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy. To further password security, it is recommended to further define a custom banned password policy.",
@@ -320,7 +330,7 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0.",
@@ -340,7 +350,7 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Ensure that users are notified on their primary and secondary emails on password resets.",
@@ -360,7 +370,7 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Ensure that all Global Administrators are notified if any other administrator resets their password.",
@@ -382,7 +392,7 @@
      ],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Require administrators to provide consent for applications before use.",
@@ -404,7 +414,7 @@
      ],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Allow users to provide consent for selected permissions when a request is coming from a verified publisher.",
@@ -424,7 +434,7 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Require administrators to provide consent for the apps before use.",
@@ -446,7 +456,7 @@
      ],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Require administrators or appropriately delegated users to register third-party applications.",
@@ -468,7 +478,7 @@
      ],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Limit guest user permissions.",
@@ -490,7 +500,7 @@
      ],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Restrict invitations to users with specific administrative roles only.",
@@ -510,7 +520,7 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Restrict access to the Azure AD administration portal to administrators only. NOTE: This only affects access to the Azure AD administrator's web portal. This setting does not prohibit privileged users from using other methods such as Rest API or Powershell to obtain sensitive information from Azure AD.",
@@ -530,7 +540,7 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Restricts group creation to administrators with permissions only.",
@@ -552,7 +562,7 @@
      ],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Restrict security group creation to administrators only.",
@@ -572,7 +582,7 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Restrict security group management to administrators only.",
@@ -594,7 +604,7 @@
      ],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Restrict Microsoft 365 group creation to administrators only.",
@@ -614,7 +624,7 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Joining or registering devices to the active directory should require Multi-factor authentication.",
@@ -636,7 +646,7 @@
      ],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.",
@@ -658,7 +668,7 @@
      ],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.",
@@ -678,7 +688,7 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1. Identity and Access Management",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Users who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of Azure Active Directories.",
@@ -700,7 +710,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
@@ -722,7 +733,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
@@ -744,7 +756,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Instead of being enabled on services like Platform as a Service (PaaS), this implementation will run within your instances as Infrastructure as a Service (IaaS) on the Operating Systems hosting your databases.",
@@ -766,7 +779,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Turning on Microsoft Defender for Azure SQL Databases  enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, andbehavior analytics in the Microsoft Defender for Cloud.",
@@ -788,7 +802,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
@@ -810,7 +825,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
@@ -832,7 +848,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
@@ -854,7 +871,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
@@ -876,7 +894,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Microsoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources.",
@@ -898,7 +917,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
@@ -920,7 +940,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Microsoft Defender for DNS scans all network traffic exiting from within a subscription.",
@@ -942,7 +963,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal.",
@@ -964,7 +986,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Ensure that the latest OS patches for all virtual machines are applied.",
@@ -986,7 +1009,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "None of the settings offered by ASC Default policy should be set to effect Disabled.",
@@ -1008,7 +1032,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Enable automatic provisioning of the monitoring agent to collect security data.",
@@ -1030,7 +1055,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Enable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines.",
@@ -1050,7 +1076,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Enable automatic provisioning of the Microsoft Defender for Containers components.",
@@ -1072,7 +1099,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Enable security alert emails to subscription owners.",
@@ -1094,7 +1122,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.",
@@ -1116,7 +1145,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enables emailing security alerts to the subscription owner or other designated security contact.",
@@ -1138,7 +1168,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.",
@@ -1160,7 +1191,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud. IMPORTANT: When enabling integration between DfE & DfC it needs to be taken into account that this will have some side effects that may be undesirable. 1. For server 2019 & above if defender is installed (default for these server SKU's) this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal. 2. If the new unified agent is required for server SKU's of Win 2016 or Linux and lower there is additional integration that needs to be switched on and agents need to be aligned.",
@@ -1182,7 +1214,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.2 Microsoft Defender for IoT",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.2 Microsoft Defender for IoT",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization.",
@@ -1524,7 +1557,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.1 SQL Server - Auditing",
+          "Section": "4. Database Services",
+          "SubSection": "4.1 SQL Server - Auditing",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable auditing on SQL Servers.",
@@ -1546,7 +1580,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.1 SQL Server - Auditing",
+          "Section": "4. Database Services",
+          "SubSection": "4.1 SQL Server - Auditing",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).",
@@ -1568,7 +1603,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.1 SQL Server - Auditing",
+          "Section": "4. Database Services",
+          "SubSection": "4.1 SQL Server - Auditing",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Azure Key Vault. The Azure Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data for additional security. Based on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).",
@@ -1590,7 +1626,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.1 SQL Server - Auditing",
+          "Section": "4. Database Services",
+          "SubSection": "4.1 SQL Server - Auditing",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place.",
@@ -1612,7 +1649,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.1 SQL Server - Auditing",
+          "Section": "4. Database Services",
+          "SubSection": "4.1 SQL Server - Auditing",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable Transparent Data Encryption on every SQL server.",
@@ -1634,7 +1672,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.1 SQL Server - Auditing",
+          "Section": "4. Database Services",
+          "SubSection": "4.1 SQL Server - Auditing",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "SQL Server Audit Retention should be configured to be greater than 90 days.",
@@ -1656,7 +1695,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.2 SQL Server - Microsoft Defender for SQL",
+          "Section": "4. Database Services",
+          "SubSection": "4.2 SQL Server - Microsoft Defender for SQL",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Enable 'Microsoft Defender for SQL' on critical SQL Servers.",
@@ -1678,7 +1718,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.2 SQL Server - Microsoft Defender for SQL",
+          "Section": "4. Database Services",
+          "SubSection": "4.2 SQL Server - Microsoft Defender for SQL",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.",
@@ -1700,7 +1741,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.2 SQL Server - Microsoft Defender for SQL",
+          "Section": "4. Database Services",
+          "SubSection": "4.2 SQL Server - Microsoft Defender for SQL",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.",
@@ -1722,7 +1764,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.2 SQL Server - Microsoft Defender for SQL",
+          "Section": "4. Database Services",
+          "SubSection": "4.2 SQL Server - Microsoft Defender for SQL",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Configure 'Send scan reports to' with email addresses of concerned data owners/stakeholders for a critical SQL servers",
@@ -1744,7 +1787,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.2 SQL Server - Microsoft Defender for SQL",
+          "Section": "4. Database Services",
+          "SubSection": "4.2 SQL Server - Microsoft Defender for SQL",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'.",
@@ -1766,7 +1810,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.3 PostgreSQL Database Server",
+          "Section": "4. Database Services",
+          "SubSection": "4.3 PostgreSQL Database Server",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable SSL connection on PostgreSQL Servers.",
@@ -1788,7 +1833,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.3 PostgreSQL Database Server",
+          "Section": "4. Database Services",
+          "SubSection": "4.3 PostgreSQL Database Server",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable log_checkpoints on PostgreSQL Servers.",
@@ -1810,7 +1856,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.3 PostgreSQL Database Server",
+          "Section": "4. Database Services",
+          "SubSection": "4.3 PostgreSQL Database Server",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable log_connections on PostgreSQL Servers.",
@@ -1832,7 +1879,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.3 PostgreSQL Database Server",
+          "Section": "4. Database Services",
+          "SubSection": "4.3 PostgreSQL Database Server",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable log_disconnections on PostgreSQL Servers.",
@@ -1854,7 +1902,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.3 PostgreSQL Database Server",
+          "Section": "4. Database Services",
+          "SubSection": "4.3 PostgreSQL Database Server",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable connection_throttling on PostgreSQL Servers.",
@@ -1876,7 +1925,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.3 PostgreSQL Database Server",
+          "Section": "4. Database Services",
+          "SubSection": "4.3 PostgreSQL Database Server",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Ensure log_retention_days on PostgreSQL Servers is set to an appropriate value.",
@@ -1898,7 +1948,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.3 PostgreSQL Database Server",
+          "Section": "4. Database Services",
+          "SubSection": "4.3 PostgreSQL Database Server",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Disable access from Azure services to PostgreSQL Database Server.",
@@ -1918,7 +1969,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "4.3 PostgreSQL Database Server",
+          "Section": "4. Database Services",
+          "SubSection": "4.3 PostgreSQL Database Server",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.",
@@ -1940,7 +1992,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.4 MySQL Database",
+          "Section": "4. Database Services",
+          "SubSection": "4.4 MySQL Database",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable SSL connection on MYSQL Servers.",
@@ -1962,7 +2015,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.4 MySQL Database",
+          "Section": "4. Database Services",
+          "SubSection": "4.4 MySQL Database",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Ensure TLS version on MySQL flexible servers is set to the default value.",
@@ -1984,7 +2038,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.4 MySQL Database",
+          "Section": "4. Database Services",
+          "SubSection": "4.4 MySQL Database",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Enable audit_log_enabled on MySQL Servers.",
@@ -2006,7 +2061,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.4 MySQL Database",
+          "Section": "4. Database Services",
+          "SubSection": "4.4 MySQL Database",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Set audit_log_enabled to include CONNECTION on MySQL Servers.",
@@ -2028,7 +2084,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.5 Cosmos DB",
+          "Section": "4. Database Services",
+          "SubSection": "4.5 Cosmos DB",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.",
@@ -2050,7 +2107,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.5 Cosmos DB",
+          "Section": "4. Database Services",
+          "SubSection": "4.5 Cosmos DB",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Private endpoints limit network traffic to approved sources.",
@@ -2072,7 +2130,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.5 Cosmos DB",
+          "Section": "4. Database Services",
+          "SubSection": "4.5 Cosmos DB",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Cosmos DB can use tokens or AAD for client authentication which in turn will use Azure RBAC for authorization. Using AAD is significantly more secure because AAD handles the credentials and allows for MFA and centralized management, and the Azure RBAC better integrated with the rest of Azure.",
@@ -2094,7 +2153,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.1 Configuring Diagnostic Settings",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.1 Configuring Diagnostic Settings",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Enable Diagnostic settings for exporting activity logs. Diagnos tic settings are available for each individual resource within a subscription. Settings should be configured for allappropriate resources for your environment.",
@@ -2116,7 +2176,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.1 Configuring Diagnostic Settings",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.1 Configuring Diagnostic Settings",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Prerequisite: A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: 'Ensure that a 'Diagnostic Setting' exists.' The diagnostic setting should be configured to log the appropriate activities from the control/management plane.",
@@ -2138,7 +2199,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.1 Configuring Diagnostic Settings",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.1 Configuring Diagnostic Settings",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "The storage account container containing the activity log export should not be publicly accessible.",
@@ -2160,7 +2222,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.1 Configuring Diagnostic Settings",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.1 Configuring Diagnostic Settings",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).",
@@ -2182,7 +2245,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.1 Configuring Diagnostic Settings",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.1 Configuring Diagnostic Settings",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.",
@@ -2204,7 +2268,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.1 Configuring Diagnostic Settings",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.1 Configuring Diagnostic Settings",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Ensure that network flow logs are captured and fed into a central log analytics workspace.",
@@ -2226,7 +2291,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.1 Configuring Diagnostic Settings",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.1 Configuring Diagnostic Settings",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged.",
@@ -2248,7 +2314,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the Create Policy Assignment event.",
@@ -2270,7 +2337,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the Delete Policy Assignment event.",
@@ -2292,7 +2360,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an Activity Log Alert for the Create or Update Network Security Group event.",
@@ -2314,7 +2383,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the Delete Network Security Group event.",
@@ -2336,7 +2406,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the Create or Update Security Solution event.",
@@ -2358,7 +2429,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the Delete Security Solution event.",
@@ -2380,7 +2452,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the Create or Update SQL Server Firewall Rule event.",
@@ -2402,7 +2475,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the 'Delete SQL Server Firewall Rule.'",
@@ -2424,7 +2498,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the Create or Update Public IP Addresses rule.",
@@ -2446,7 +2521,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the Delete Public IP Address rule.",
@@ -2466,7 +2542,7 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "5.3 Configuring Application Insights",
+          "Section": "5. Logging and Monitoring",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (See the more information section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB. The content of these logs varies by resource type. A number of back-end services were not configured to log and store Resource Logs for certain activities or for a sufficient length. It is crucial that monitoring is correctly configured to log all relevant activities and retain those logs for a sufficient length of time. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.",
@@ -2486,7 +2562,7 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "5.3 Configuring Application Insights",
+          "Section": "5. Logging and Monitoring",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.",
@@ -2508,7 +2584,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.3 Configuring Application Insights",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.3 Configuring Application Insights",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions. Both data sets help organizations adopt a proactive and retroactive means to handle security and performance related metrics within their modern applications.",
@@ -494,7 +494,8 @@
      ],
      "Attributes": [
        {
-          "Section": "1.1 Security Defaults Security Defaults",
+          "Section": "1.Identity and Access Management",
+          "SubSection": "1.1 Security Defaults Security Defaults",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Security defaults in Microsoft Entra ID make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.  Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal.",
@@ -516,7 +517,8 @@
      ],
      "Attributes": [
        {
-          "Section": "1.1 Security Defaults Security Defaults",
+          "Section": "1.Identity and Access Management",
+          "SubSection": "1.1 Security Defaults Security Defaults",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. These include custom created objects or built-in roles such as; - Service Co-Administrators - Subscription Owners - Contributors",
@@ -538,7 +540,8 @@
      ],
      "Attributes": [
        {
-          "Section": "1.1 Security Defaults",
+          "Section": "1.Identity and Access Management",
+          "SubSection": "1.1 Security Defaults Security Defaults",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Enable multi-factor authentication for all non-privileged users.",
@@ -558,7 +561,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.1 Security Defaults",
+          "Section": "1.Identity and Access Management",
+          "SubSection": "1.1 Security Defaults Security Defaults",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Do not allow users to remember multi-factor authentication on devices.",
@@ -580,7 +584,8 @@
      ],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1.Identity and Access Management",
+          "SubSection": "1.2 Conditional Access",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Microsoft Entra ID Conditional Access allows an organization to configure `Named locations` and configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization.",
@@ -600,7 +605,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1.Identity and Access Management",
+          "SubSection": "1.2 Conditional Access",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "**CAUTION**: If these policies are created without first auditing and testing the result, misconfiguration can potentially lock out administrators or create undesired access issues.  Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined.",
@@ -620,7 +626,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1.Identity and Access Management",
+          "SubSection": "1.2 Conditional Access",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.",
@@ -640,7 +647,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1.Identity and Access Management",
+          "SubSection": "1.2 Conditional Access",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.",
@@ -660,7 +668,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1.Identity and Access Management",
+          "SubSection": "1.2 Conditional Access",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.",
@@ -682,7 +691,8 @@
      ],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1.Identity and Access Management",
+          "SubSection": "1.2 Conditional Access",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "This recommendation ensures that users accessing the Windows Azure Service Management API (i.e. Azure Powershell, Azure CLI, Azure Resource Manager API, etc.) are required to use multifactor authentication (MFA) credentials when accessing resources through the Windows Azure Service Management API.",
@@ -702,7 +712,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "1.2 Conditional Access",
+          "Section": "1.Identity and Access Management",
+          "SubSection": "1.2 Conditional Access",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "This recommendation ensures that users accessing Microsoft Admin Portals (i.e. Microsoft 365 Admin, Microsoft 365 Defender, Exchange Admin Center, Azure Portal, etc.) are required to use multifactor authentication (MFA) credentials when logging into an Admin Portal.",
@@ -724,7 +735,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
@@ -746,7 +758,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
@@ -768,7 +781,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Managed Instance Azure SQL databases, providing threat intelligence, anomaly detection, and behavior analytics in Microsoft Defender for Cloud.",
@@ -790,7 +804,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in Microsoft Defender for Cloud.",
@@ -812,7 +827,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
@@ -834,7 +850,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Microsoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources.",
@@ -856,7 +873,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
@@ -878,7 +896,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. The following services will be enabled for container instances: - Defender agent in Azure - Azure Policy for Kubernetes - Agentless discovery for Kubernetes - Agentless container vulnerability assessment",
@@ -900,7 +919,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
@@ -922,7 +942,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "[**NOTE:** As of August 1, customers with an existing subscription to Defender for DNS can continue to use the service, but new subscribers will receive alerts about suspicious DNS activity as part of Defender for Servers P2.]  Microsoft Defender for DNS scans all network traffic exiting from within a subscription.",
@@ -944,7 +965,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal.",
@@ -966,7 +988,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Ensure that the latest OS patches for all virtual machines are applied.",
@@ -988,7 +1011,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "The Microsoft Cloud Security Benchmark (or MCSB) is an Azure Policy Initiative containing many security policies to evaluate resource configuration against best practice recommendations. If a policy in the MCSB is set with effect type `Disabled`, it is not evaluated and may prevent administrators from being informed of valuable security recommendations.",
@@ -1010,7 +1034,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable automatic provisioning of the monitoring agent to collect security data.",
@@ -1032,7 +1057,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Enable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines.",
@@ -1052,7 +1078,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Enable automatic provisioning of the Microsoft Defender for Containers components.",
@@ -1074,7 +1101,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable security alert emails to subscription owners.",
@@ -1096,7 +1124,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.",
@@ -1118,7 +1147,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enables emailing security alerts to the subscription owner or other designated security contact.",
@@ -1140,7 +1170,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.",
@@ -1162,7 +1193,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud.  **IMPORTANT:** When enabling integration between DfE & DfC it needs to be taken into account that this will have some side effects that may be undesirable. 1. For server 2019 & above if defender is installed (default for these server SKU's) this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal. 1. If the new unified agent is required for server SKU's of Win 2016 or Linux and lower there is additional integration that needs to be switched on and agents need to be aligned.",
@@ -1182,7 +1214,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "2.1 Microsoft Defender for Cloud",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.1 Microsoft Defender for Cloud",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "An organization's attack surface is the collection of assets with a public network identifier or URI that an external threat actor can see or access from outside your cloud. It is the set of points on the boundary of a system, a system element, system component, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, system component, or environment. The larger the attack surface, the harder it is to protect.  This tool can be configured to scan your organization's online infrastructure such as specified domains, hosts, CIDR blocks, and SSL certificates, and store them in an Inventory. Inventory items can be added, reviewed, approved, and removed, and may contain enrichments (insights) and additional information collected from the tool's different scan engines and open-source intelligence sources.  A Defender EASM workspace will generate an Inventory of publicly exposed assets by crawling and scanning the internet using _Seeds_ you provide when setting up the tool. Seeds can be FQDNs, IP CIDR blocks, and WHOIS records.  Defender EASM will generate Insights within 24-48 hours after Seeds are provided, and these insights include vulnerability data (CVEs), ports and protocols, and weak or expired SSL certificates that could be used by an attacker for reconnaisance or exploitation.  Results are classified High/Medium/Low and some of them include proposed mitigations.",
@@ -1204,7 +1237,8 @@
      ],
      "Attributes": [
        {
-          "Section": "2.2 Microsoft Defender for IoT",
+          "Section": "2. Microsoft Defender",
+          "SubSection": "2.2 Microsoft Defender for IoT",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization.",
@@ -1586,7 +1620,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.1 SQL Server - Auditing",
+          "Section": "4. Database Services",
+          "SubSection": "4.1 SQL Server - Auditing",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable auditing on SQL Servers.",
@@ -1608,7 +1643,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.1 SQL Server - Auditing",
+          "Section": "4. Database Services",
+          "SubSection": "4.1 SQL Server - Auditing",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).",
@@ -1630,7 +1666,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.1 SQL Server - Auditing",
+          "Section": "4. Database Services",
+          "SubSection": "4.1 SQL Server - Auditing",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.  With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Azure Key Vault. The Azure Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data for additional security.  Based on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).",
@@ -1652,7 +1689,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.1 SQL Server - Auditing",
+          "Section": "4. Database Services",
+          "SubSection": "4.1 SQL Server - Auditing",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Use Microsoft Entra authentication for authentication with SQL Database to manage credentials in a single place.",
@@ -1674,7 +1712,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.1 SQL Server - Auditing",
+          "Section": "4. Database Services",
+          "SubSection": "4.1 SQL Server - Auditing",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable Transparent Data Encryption on every SQL server.",
@@ -1696,7 +1735,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.1 SQL Server - Auditing",
+          "Section": "4. Database Services",
+          "SubSection": "4.1 SQL Server - Auditing",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "SQL Server Audit Retention should be configured to be greater than 90 days.",
@@ -1718,7 +1758,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.3 PostgreSQL Database Server. Storage Accounts",
+          "Section": "4. Database Services",
+          "SubSection": "4.3 PostgreSQL Database Server. Storage Accounts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable `SSL connection` on `PostgreSQL` Servers.",
@@ -1740,7 +1781,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.3 PostgreSQL Database Server. Storage Accounts",
+          "Section": "4. Database Services",
+          "SubSection": "4.3 PostgreSQL Database Server. Storage Accounts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable `log_checkpoints` on `PostgreSQL Servers`.",
@@ -1762,7 +1804,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.3 PostgreSQL Database Server. Storage Accounts",
+          "Section": "4. Database Services",
+          "SubSection": "4.3 PostgreSQL Database Server. Storage Accounts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable `log_connections` on `PostgreSQL Servers`.",
@@ -1784,7 +1827,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.3 PostgreSQL Database Server. Storage Accounts",
+          "Section": "4. Database Services",
+          "SubSection": "4.3 PostgreSQL Database Server. Storage Accounts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable `log_disconnections` on `PostgreSQL Servers`.",
@@ -1806,7 +1850,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.3 PostgreSQL Database Server. Storage Accounts",
+          "Section": "4. Database Services",
+          "SubSection": "4.3 PostgreSQL Database Server. Storage Accounts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable `connection_throttling` on `PostgreSQL Servers`.",
@@ -1828,7 +1873,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.3 PostgreSQL Database Server. Storage Accounts",
+          "Section": "4. Database Services",
+          "SubSection": "4.3 PostgreSQL Database Server. Storage Accounts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Ensure `log_retention_days` on `PostgreSQL Servers` is set to an appropriate value.",
@@ -1850,7 +1896,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.3 PostgreSQL Database Server. Storage Accounts",
+          "Section": "4. Database Services",
+          "SubSection": "4.3 PostgreSQL Database Server. Storage Accounts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Disable access from Azure services to PostgreSQL Database Server.",
@@ -1870,7 +1917,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "4.3 PostgreSQL Database Server. Storage Accounts",
+          "Section": "4. Database Services",
+          "SubSection": "4.3 PostgreSQL Database Server. Storage Accounts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.",
@@ -1892,7 +1940,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.4 MySQL Database",
+          "Section": "4. Database Services",
+          "SubSection": "4.4 MySQL Database",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable `SSL connection` on `MYSQL` Servers.",
@@ -1914,7 +1963,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.4 MySQL Database",
+          "Section": "4. Database Services",
+          "SubSection": "4.4 MySQL Database",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Ensure `TLS version` on `MySQL flexible` servers is set to use TLS version 1.2 or higher.",
@@ -1936,7 +1986,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.4 MySQL Database",
+          "Section": "4. Database Services",
+          "SubSection": "4.4 MySQL Database",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Enable audit_log_enabled on MySQL Servers.",
@@ -1958,7 +2009,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.4 MySQL Database",
+          "Section": "4. Database Services",
+          "SubSection": "4.4 MySQL Database",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Set `audit_log_enabled` to include CONNECTION on MySQL Servers.",
@@ -1980,7 +2032,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.5 Cosmos DB",
+          "Section": "4. Database Services",
+          "SubSection": "4.5 Cosmos DB",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.",
@@ -2002,7 +2055,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.5 Cosmos DB",
+          "Section": "4. Database Services",
+          "SubSection": "4.5 Cosmos DB",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Private endpoints limit network traffic to approved sources.",
@@ -2024,7 +2078,8 @@
      ],
      "Attributes": [
        {
-          "Section": "4.5 Cosmos DB",
+          "Section": "4. Database Services",
+          "SubSection": "4.5 Cosmos DB",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Cosmos DB can use tokens or Entra ID for client authentication which in turn will use Azure RBAC for authorization. Using Entra ID is significantly more secure because Entra ID handles the credentials and allows for MFA and centralized management, and the Azure RBAC better integrated with the rest of Azure.",
@@ -2086,7 +2141,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.1 Configuring Diagnostic Settings",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.1 Configuring Diagnostic Settings",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources for your environment.",
@@ -2108,7 +2164,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.1 Configuring Diagnostic Settings",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.1 Configuring Diagnostic Settings",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "**Prerequisite**: A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: Ensure that a 'Diagnostic Setting' exists.  The diagnostic setting should be configured to log the appropriate activities from the control/management plane.",
@@ -2130,7 +2187,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.1 Configuring Diagnostic Settings",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.1 Configuring Diagnostic Settings",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).",
@@ -2152,7 +2210,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.1 Configuring Diagnostic Settings",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.1 Configuring Diagnostic Settings",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.",
@@ -2174,7 +2233,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.1 Configuring Diagnostic Settings",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.1 Configuring Diagnostic Settings",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Ensure that network flow logs are captured and fed into a central log analytics workspace.",
@@ -2196,7 +2256,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.1 Configuring Diagnostic Settings",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.1 Configuring Diagnostic Settings",
          "Profile": "Level 2",
          "AssessmentStatus": "Manual",
          "Description": "Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged.",
@@ -2218,7 +2279,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the Create Policy Assignment event.",
@@ -2240,7 +2302,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the Delete Policy Assignment event.",
@@ -2262,7 +2325,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an Activity Log Alert for the Create or Update Network Security Group event.",
@@ -2284,7 +2348,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the Delete Network Security Group event.",
@@ -2306,7 +2371,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the Create or Update Security Solution event.",
@@ -2328,7 +2394,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the Delete Security Solution event.",
@@ -2350,7 +2417,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the Create or Update SQL Server Firewall Rule event.",
@@ -2372,7 +2440,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the Delete SQL Server Firewall Rule.",
@@ -2394,7 +2463,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the Create or Update Public IP Addresses rule.",
@@ -2416,7 +2486,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.2 Monitoring using Activity Log Alerts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.2 Monitoring using Activity Log Alerts",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Create an activity log alert for the Delete Public IP Address rule.",
@@ -2438,7 +2509,8 @@
      ],
      "Attributes": [
        {
-          "Section": "5.3 Configuring Application Insights. Storage Accounts",
+          "Section": "5. Logging and Monitoring",
+          "SubSection": "5.3 Configuring Application Insights. Storage Accounts",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions. Both data sets help organizations adopt a proactive and retroactive means to handle security and performance related metrics within their modern applications.",
@@ -3044,7 +3116,7 @@
      "Id": "9.4",
      "Description": "Ensure that Register with Entra ID is enabled on App Service",
      "Checks": [
-        "app_client_certificates_on"
+        "app_register_with_identity"
      ],
      "Attributes": [
        {
@@ -3066,7 +3138,7 @@
      "Id": "9.5",
      "Description": "Ensure That 'PHP version' is the Latest, If Used to Run the Web App",
      "Checks": [
-        "app_register_with_identity"
+        "app_ensure_php_version_is_latest"
      ],
      "Attributes": [
        {
@@ -3088,7 +3160,7 @@
      "Id": "9.6",
      "Description": "Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App",
      "Checks": [
-        "app_ensure_php_version_is_latest"
+        "app_ensure_python_version_is_latest"
      ],
      "Attributes": [
        {
@@ -3110,7 +3182,7 @@
      "Id": "9.7",
      "Description": "Ensure that 'Java version' is the latest, if used to run the Web App",
      "Checks": [
-        "app_ensure_python_version_is_latest"
+        "app_ensure_java_version_is_latest"
      ],
      "Attributes": [
        {
@@ -3132,7 +3204,7 @@
      "Id": "9.8",
      "Description": "Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App",
      "Checks": [
-        "app_ensure_java_version_is_latest"
+        "app_ensure_using_http20"
      ],
      "Attributes": [
        {
@@ -3154,7 +3226,7 @@
      "Id": "9.9",
      "Description": "Ensure FTP deployments are Disabled",
      "Checks": [
-        "app_ensure_using_http20"
+        "app_ftp_deployment_disabled"
      ],
      "Attributes": [
        {
@@ -3175,9 +3247,7 @@
    {
      "Id": "9.10",
      "Description": "Ensure Azure Key Vaults are Used to Store Secrets",
-      "Checks": [
-        "app_ftp_deployment_disabled"
-      ],
+      "Checks": [],
      "Attributes": [
        {
          "Section": "9. AppService",
@@ -3213,66 +3283,6 @@
          "References": "https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources:https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-subscription-governance#azure-resource-locks:https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-asset-management#am-4-limit-access-to-asset-management"
        }
      ]
-    },
-    {
-      "Id": "9.10",
-      "Description": "Ensure FTP deployments are Disabled",
-      "Checks": [],
-      "Attributes": [
-        {
-          "Section": "9. AppService",
-          "Profile": "Level 1",
-          "AssessmentStatus": "Automated",
-          "Description": "By default, Azure Functions, Web, and API Services  can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.",
-          "RationaleStatement": "Azure FTP deployment endpoints are public. An attacker listening to traffic on a wifi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if User Credentials for deployment are set at the subscription level rather than using the default Application Credentials which are unique per App.",
-          "ImpactStatement": "Any deployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.",
-          "RemediationProcedure": "**From Azure Portal**  1. Go to the Azure Portal 2. Select `App Services` 3. Click on an app 4. Select `Settings` and then `Configuration` 5. Under `General Settings`, for the `Platform Settings`, the `FTP state` should be set to `Disabled` or `FTPS Only`  **From Azure CLI**  For each out of compliance application, run the following choosing either 'disabled' or 'FtpsOnly' as appropriate:  ``` az webapp config set --resource-group <resource group name> --name <app name> --ftps-state [disabled|FtpsOnly] ```  **From PowerShell**  For each out of compliance application, run the following:  ``` Set-AzWebApp -ResourceGroupName <resource group name> -Name <app name> -FtpsState <Disabled or FtpsOnly> ```",
-          "AuditProcedure": "**From Azure Portal**  1. Go to the Azure Portal 2. Select `App Services` 3. Click on an app 4. Select `Settings` and then `Configuration` 5. Under `General Settings`, for the `Platform Settings`, the `FTP state` should not be set to `All allowed`  **From Azure CLI**   List webapps to obtain the ids.  ``` az webapp list ```  List the publish profiles to obtain the username, password and ftp server url.  ``` az webapp deployment list-publishing-profiles --ids <ids> {  publishUrl: <URL_FOR_WEB_APP>,  userName: <USER_NAME>,  userPWD: <USER_PASSWORD>, } ```  **From PowerShell**  List all Web Apps:  ``` Get-AzWebApp ```  For each app:  ``` Get-AzWebApp -ResourceGroupName <resource group name> -Name <app name> | Select-Object -ExpandProperty SiteConfig ```  In the output, look for the value of **FtpsState**. If its value is **AllAllowed** the setting is out of compliance. Any other value is considered in compliance with this check.",
-          "AdditionalInformation": "",
-          "DefaultValue": "[Azure Web Service Deploy via FTP](https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp):[Azure Web Service Deployment](https://docs.microsoft.com/en-us/azure/app-service/overview-security):https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-encrypt-sensitive-information-in-transit:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities",
-          "References": "TA0008, T1570, M1031"
-        }
-      ]
-    },
-    {
-      "Id": "9.11",
-      "Description": "Ensure Azure Key Vaults are Used to Store Secrets",
-      "Checks": [],
-      "Attributes": [
-        {
-          "Section": "9. AppService",
-          "Profile": "Level 2",
-          "AssessmentStatus": "Manual",
-          "Description": "Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these 'Secrets' can be controlled through granular permissions.",
-          "RationaleStatement": "The credentials given to an application have permissions to create, delete, or modify data stored within the systems they access. If these credentials are stored within the application itself, anyone with access to the application or a copy of the code has access to them. Storing within Azure Key Vault as secrets increases security by controlling access. This also allows for updates of the credentials without redeploying the entire application.",
-          "ImpactStatement": "Integrating references to secrets within the key vault are required to be specifically integrated within the application code. This will require additional configuration to be made during the writing of an application, or refactoring of an already written one. There are also additional costs that are charged per 10000 requests to the Key Vault.",
-          "RemediationProcedure": "Remediation has 2 steps 1. Setup the Key Vault 2. Setup the App Service to use the Key Vault  **Step 1: Set up the Key Vault**  **From Azure CLI**  ``` az keyvault create --name <name> --resource-group <myResourceGroup> --location myLocation ```  **From Powershell**  ``` New-AzKeyvault -name <name> -ResourceGroupName <myResourceGroup> -Location <myLocation> ```  **Step 2: Set up the App Service to use the Key Vault**  Sample JSON Template for App Service Configuration: ``` {  //...  resources: [  {  type: Microsoft.Storage/storageAccounts,  name: [variables('storageAccountName')],  //...  },  {  type: Microsoft.Insights/components,  name: [variables('appInsightsName')],  //...  },  {  type: Microsoft.Web/sites,  name: [variables('functionAppName')],  identity: {  type: SystemAssigned  },  //...  resources: [  {  type: config,  name: appsettings,  //...  dependsOn: [  [resourceId('Microsoft.Web/sites', variables('functionAppName'))],  [resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))],  [resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('storageConnectionStringName'))],  [resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('appInsightsKeyName'))]  ],  properties: {  AzureWebJobsStorage: [concat('@Microsoft.KeyVault(SecretUri=', reference(variables('storageConnectionStringResourceId')).secretUriWithVersion, ')')],  WEBSITE_CONTENTAZUREFILECONNECTIONSTRING: [concat('@Microsoft.KeyVault(SecretUri=', reference(variables('storageConnectionStringResourceId')).secretUriWithVersion, ')')],  APPINSIGHTS_INSTRUMENTATIONKEY: [concat('@Microsoft.KeyVault(SecretUri=', reference(variables('appInsightsKeyResourceId')).secretUriWithVersion, ')')],  WEBSITE_ENABLE_SYNC_UPDATE_SITE: true  //...  }  },  {  type: sourcecontrols,  name: web,  //...  dependsOn: [  [resourceId('Microsoft.Web/sites', variables('functionAppName'))],  [resourceId('Microsoft.Web/sites/config', variables('functionAppName'), 'appsettings')]  ],  }  ]  },  {  type: Microsoft.KeyVault/vaults,  name: [variables('keyVaultName')],  //...  dependsOn: [  [resourceId('Microsoft.Web/sites', variables('functionAppName'))]  ],  properties: {  //...  accessPolicies: [  {  tenantId: [reference(concat('Microsoft.Web/sites/', variables('functionAppName'), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').tenantId],  objectId: [reference(concat('Microsoft.Web/sites/', variables('functionAppName'), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').principalId],  permissions: {  secrets: [ get ]  }  }  ]  },  resources: [  {  type: secrets,  name: [variables('storageConnectionStringName')],  //...  dependsOn: [  [resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))],  [resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]  ],  properties: {  value: [concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'),'2015-05-01-preview').key1)]  }  },  {  type: secrets,  name: [variables('appInsightsKeyName')],  //...  dependsOn: [  [resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))],  [resourceId('Microsoft.Insights/components', variables('appInsightsName'))]  ],  properties: {  value: [reference(resourceId('microsoft.insights/components/', variables('appInsightsName')), '2015-05-01').InstrumentationKey]  }  }  ]  }  ] } ```",
-          "AuditProcedure": "**From Azure Portal**  1. Login to Azure Portal 2. In the expandable menu on the left go to `Key Vaults` 3. View the Key Vaults listed.  **From Azure CLI**  To list key vaults within a subscription run the following command:  ``` Get-AzKeyVault ```  To list the secrets within these key vaults run the following command:  ``` Get-AzKeyVaultSecret [-VaultName] <vault name> ```  **From Powershell**  To list key vaults within a subscription run the following command:  ``` Get-AzKeyVault ```  To list all secrets in a key vault run the following command:  ``` Get-AzKeyVaultSecret -VaultName '<vaultName' ```",
-          "AdditionalInformation": "",
-          "DefaultValue": "https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-2-manage-application-identities-securely-and-automatically:https://docs.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest:https://docs.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest",
-          "References": "TA0006, T1552, M1041"
-        }
-      ]
-    },
-    {
-      "Id": "10.1",
-      "Description": "Ensure that Resource Locks are set for Mission-Critical Azure Resources",
-      "Checks": [],
-      "Attributes": [
-        {
-          "Section": "10. Miscellaneous",
-          "Profile": "Level 2",
-          "AssessmentStatus": "Manual",
-          "Description": "Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion.",
-          "RationaleStatement": "As an administrator, it may be necessary to lock a subscription, resource group, or resource to prevent other users in the organization from accidentally deleting or modifying critical resources. The lock level can be set to to `CanNotDelete` or `ReadOnly` to achieve this purpose.  - `CanNotDelete` means authorized users can still read and modify a resource, but they cannot delete the resource.  - `ReadOnly` means authorized users can read a resource, but they cannot delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.",
-          "ImpactStatement": "There can be unintended outcomes of locking a resource. Applying a lock to a parent service will cause it to be inherited by all resources within. Conversely, applying a lock to a resource may not apply to connected storage, leaving it unlocked. Please see the documentation for further information.",
-          "RemediationProcedure": "**From Azure Portal**  1. Navigate to the specific Azure Resource or Resource Group 2. For each mission critical resource, click on `Locks` 3. Click `Add` 4. Give the lock a name and a description, then select the type, `Read-only` or `Delete` as appropriate 5. Click OK  **From Azure CLI**  To lock a resource, provide the name of the resource, its resource type, and its resource group name.  ``` az lock create --name <LockName> --lock-type <CanNotDelete/Read-only> --resource-group <resourceGroupName> --resource-name <resourceName> --resource-type <resourceType> ```  **From Powershell**  ``` Get-AzResourceLock -ResourceName <Resource Name> -ResourceType <Resource Type> -ResourceGroupName <Resource Group Name> -Locktype <CanNotDelete/Read-only> ```",
-          "AuditProcedure": "**From Azure Portal**  1. Navigate to the specific Azure Resource or Resource Group 2. Click on `Locks` 3. Ensure the lock is defined with name and description, with type `Read-only` or `Delete` as appropriate.  **From Azure CLI**  Review the list of all locks set currently:  ``` az lock list --resource-group <resourcegroupname> --resource-name <resourcename> --namespace <Namespace> --resource-type <type> --parent  ```  **From Powershell**  Run the following command to list all resources.  ``` Get-AzResource ```  For each resource, run the following command to check for Resource Locks.  ``` Get-AzResourceLock -ResourceName <Resource Name> -ResourceType <Resource Type> -ResourceGroupName <Resource Group Name> ``` Review the output of the `Properties` setting. Compliant settings will have the `CanNotDelete` or `ReadOnly` value.",
-          "AdditionalInformation": "",
-          "DefaultValue": "https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources:https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-subscription-governance#azure-resource-locks:https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-asset-management#am-4-limit-access-to-asset-management",
-          "References": ""
-        }
-      ]
    }
  ]
 }
@@ -1292,7 +1292,8 @@
      "Checks": [],
      "Attributes": [
        {
-          "Section": "6.1. MySQL Database",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.1. MySQL Database",
          "Profile": "Level 1",
          "AssessmentStatus": "Manual",
          "Description": "It is recommended to set a password for the administrative user (`root` by default) to prevent unauthorized access to the SQL database instances.  This recommendation is applicable only for MySQL Instances. PostgreSQL does not offer any setting for No Password from the cloud console.",
@@ -1313,7 +1314,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.1. MySQL Database",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.1. MySQL Database",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "It is recommended to set `skip_show_database` database flag for Cloud SQL Mysql instance to `on`",
@@ -1334,7 +1336,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.1. MySQL Database",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.1. MySQL Database",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "It is recommended to set the `local_infile` database flag for a Cloud SQL MySQL instance to `off`.",
@@ -1355,7 +1358,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.2. PostgreSQL Database",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.2. PostgreSQL Database",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "The `log_error_verbosity` flag controls the verbosity/details of messages logged. Valid values are: - `TERSE` - `DEFAULT` - `VERBOSE`  `TERSE` excludes the logging of `DETAIL`, `HINT`, `QUERY`, and `CONTEXT` error information.  `VERBOSE` output includes the `SQLSTATE` error code, source code file name, function name, and line number that generated the error.  Ensure an appropriate value is set to 'DEFAULT' or stricter.",
@@ -1376,7 +1380,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.2. PostgreSQL Database",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.2. PostgreSQL Database",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "The `log_min_error_statement` flag defines the minimum message severity level that are considered as an error statement. Messages for error statements are logged with the SQL statement. Valid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`, `WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`. Each severity level includes the subsequent levels mentioned above. Ensure a value of `ERROR` or stricter is set.",
@@ -1397,7 +1402,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.2. PostgreSQL Database",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.2. PostgreSQL Database",
          "Profile": "Level 2",
          "AssessmentStatus": "Automated",
          "Description": "The value of `log_statement` flag determined the SQL statements that are logged. Valid values are: - `none` - `ddl` - `mod` - `all`  The value `ddl` logs all data definition statements. The value `mod` logs all ddl statements, plus data-modifying statements.  The statements are logged after a basic parsing is done and statement type is determined, thus this does not logs statements with errors. When using extended query protocol, logging occurs after an Execute message is received and values of the Bind parameters are included.  A value of 'ddl' is recommended unless otherwise directed by your organization's logging policy.",
@@ -1418,7 +1424,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.2. PostgreSQL Database",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.2. PostgreSQL Database",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Instance addresses can be public IP or private IP. Public IP means that the instance is accessible through the public internet. In contrast, instances using only private IP are not accessible through the public internet, but are accessible through a Virtual Private Cloud (VPC).  Limiting network access to your database will limit potential attacks.",
@@ -1439,7 +1446,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.2. PostgreSQL Database",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.2. PostgreSQL Database",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Ensure `cloudsql.enable_pgaudit` database flag for Cloud SQL PostgreSQL instance is set to `on` to allow for centralized logging.",
@@ -1460,7 +1468,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.2. PostgreSQL Database",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.2. PostgreSQL Database",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enabling the `log_connections` setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.",
@@ -1481,7 +1490,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.2. PostgreSQL Database",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.2. PostgreSQL Database",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "Enabling the `log_disconnections` setting logs the end of each session, including the session duration.",
@@ -1502,7 +1512,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.2. PostgreSQL Database",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.2. PostgreSQL Database",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "The `log_min_duration_statement` flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that `log_min_duration_statement` is disabled, i.e., a value of `-1` is set.",
@@ -1523,7 +1534,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.2. PostgreSQL Database",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.2. PostgreSQL Database",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "The `log_min_messages` flag defines the minimum message severity level that is considered as an error statement. Messages for error statements are logged with the SQL statement. Valid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`, `WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`. Each severity level includes the subsequent levels mentioned above. ERROR is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy.",
@@ -1544,7 +1556,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.3. SQL Server",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.3. SQL Server",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "It is recommended to set `3625 (trace flag)` database flag for Cloud SQL SQL Server instance to `on`.",
@@ -1565,7 +1578,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.3. SQL Server",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.3. SQL Server",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "It is recommended to set `external scripts enabled` database flag for Cloud SQL SQL Server instance to `off`",
@@ -1586,7 +1600,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.3. SQL Server",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.3. SQL Server",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "It is recommended to set `remote access` database flag for Cloud SQL SQL Server instance to `off`.",
@@ -1607,7 +1622,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.3. SQL Server",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.3. SQL Server",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "It is recommended to check the `user connections` for a Cloud SQL SQL Server instance to ensure that it is not artificially limiting connections.",
@@ -1628,7 +1644,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.3. SQL Server",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.3. SQL Server",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "It is recommended that, `user options` database flag for Cloud SQL SQL Server instance should not be configured.",
@@ -1649,7 +1666,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.3. SQL Server",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.3. SQL Server",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "It is recommended to set `contained database authentication` database flag for Cloud SQL on the SQL Server instance to `off`.",
@@ -1670,7 +1688,8 @@
      ],
      "Attributes": [
        {
-          "Section": "6.3. SQL Server",
+          "Section": "6. Cloud SQL Database Services",
+          "SubSection": "6.3. SQL Server",
          "Profile": "Level 1",
          "AssessmentStatus": "Automated",
          "Description": "It is recommended to set `cross db ownership chaining` database flag for Cloud SQL SQL Server instance to `off`.",
@@ -19,8 +19,11 @@ Mutelist:
            - "StackSet-AWSControlTowerSecurityResources-*"
            - "StackSet-AWSControlTowerLoggingResources-*"
            - "StackSet-AWSControlTowerExecutionRole-*"
-            - "AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER"
-            - "AWSControlTowerBP-BASELINE-CONFIG-MASTER"
+            - "AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER*"
+            - "AWSControlTowerBP-BASELINE-CONFIG-MASTER*"
+            - "StackSet-AWSControlTower*"
+            - "CLOUDTRAIL-ENABLED-ON-SHARED-ACCOUNTS-*"
+            - "AFT-Backend*"
        "cloudtrail_*":
          Regions:
            - "*"
@@ -1,16 +1,18 @@
 import os
 import pathlib
 from datetime import datetime, timezone
+from enum import Enum
 from os import getcwd

 import requests
 import yaml
+from packaging import version

 from prowler.lib.logger import logger

 timestamp = datetime.today()
 timestamp_utc = datetime.now(timezone.utc).replace(tzinfo=timezone.utc)
-prowler_version = "4.2.4"
+prowler_version = "4.6.3"
 html_logo_url = "https://github.com/prowler-cloud/prowler/"
 square_logo_img = "https://prowler.com/wp-content/uploads/logo-html.png"
 aws_logo = "https://user-images.githubusercontent.com/38561120/235953920-3e3fba08-0795-41dc-b480-9bea57db9f2e.png"
@@ -20,8 +22,13 @@ gcp_logo = "https://user-images.githubusercontent.com/38561120/235928332-eb4accd
 orange_color = "\033[38;5;208m"
 banner_color = "\033[1;92m"

-finding_statuses = ["PASS", "FAIL", "MANUAL"]
-valid_severities = ["critical", "high", "medium", "low", "informational"]
+
+class Provider(str, Enum):
+    AWS = "aws"
+    GCP = "gcp"
+    AZURE = "azure"
+    KUBERNETES = "kubernetes"
+

 # Compliance
 actual_directory = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))
@@ -29,7 +36,7 @@ actual_directory = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))

 def get_available_compliance_frameworks(provider=None):
    available_compliance_frameworks = []
-    providers = ["aws", "gcp", "azure", "kubernetes"]
+    providers = [p.value for p in Provider]
    if provider:
        providers = [provider]
    for provider in providers:
@@ -64,7 +71,7 @@ default_config_file_path = (
 default_fixer_config_file_path = (
    f"{pathlib.Path(os.path.dirname(os.path.realpath(__file__)))}/fixer_config.yaml"
 )
-enconding_format_utf_8 = "utf-8"
+encoding_format_utf_8 = "utf-8"
 available_output_formats = ["csv", "json-asff", "json-ocsf", "html"]


@@ -86,7 +93,7 @@ def check_current_version():
            "https://api.github.com/repos/prowler-cloud/prowler/tags", timeout=1
        )
        latest_version = release_response.json()[0]["name"]
-        if latest_version != prowler_version:
+        if version.parse(latest_version) > version.parse(prowler_version):
            return f"{prowler_version_string} (latest is {latest_version}, upgrade for the latest features)"
        else:
            return (
@@ -110,7 +117,7 @@ def load_and_validate_config_file(provider: str, config_file_path: str) -> dict:
        dict: The configuration dictionary for the specified provider.
    """
    try:
-        with open(config_file_path, "r", encoding=enconding_format_utf_8) as f:
+        with open(config_file_path, "r", encoding=encoding_format_utf_8) as f:
            config_file = yaml.safe_load(f)

            # Not to introduce a breaking change, allow the old format config file without any provider keys
@@ -159,7 +166,7 @@ def load_and_validate_fixer_config_file(
        dict: The fixer configuration dictionary for the specified provider.
    """
    try:
-        with open(fixer_config_file_path, "r", encoding=enconding_format_utf_8) as f:
+        with open(fixer_config_file_path, "r", encoding=encoding_format_utf_8) as f:
            fixer_config_file = yaml.safe_load(f)
            return fixer_config_file.get(provider, {})

@@ -41,8 +41,29 @@ aws:
    [
        "amazon-elb"
    ]
+  # aws.ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports
+  ec2_sg_high_risk_ports:
+    [
+        25,
+        110,
+        135,
+        143,
+        445,
+        3000,
+        4333,
+        5000,
+        5500,
+        8080,
+        8088,
+    ]
+
+  # AWS ECS Configuration
+  # aws.ecs_service_fargate_latest_platform_version
+  fargate_linux_latest_version: "1.4.0"
+  fargate_windows_latest_version: "1.0.0"

  # AWS VPC Configuration (vpc_endpoint_connections_trust_boundaries, vpc_endpoint_services_allowed_principals_trust_boundaries)
+  # AWS SSM Configuration (aws.ssm_documents_set_as_public)
  # Single account environment: No action required. The AWS account number will be automatically added by the checks.
  # Multi account environment: Any additional trusted account number should be added as a space separated list, e.g.
  # trusted_account_ids : ["123456789012", "098765432109", "678901234567"]
@@ -78,7 +99,9 @@ aws:
      "nodejs10.x",
      "nodejs12.x",
      "nodejs14.x",
+      "nodejs16.x",
      "dotnet5.0",
+      "dotnet7",
      "dotnetcore1.0",
      "dotnetcore2.0",
      "dotnetcore2.1",
@@ -86,6 +109,8 @@ aws:
      "ruby2.5",
      "ruby2.7",
    ]
+  # aws.awslambda_function_vpc_is_in_multi_azs
+  lambda_min_azs: 2

  # AWS Organizations
  # aws.organizations_scp_check_deny_regions
@@ -110,7 +135,7 @@ aws:

  # AWS CloudTrail Configuration
  # aws.cloudtrail_threat_detection_privilege_escalation
-  threat_detection_privilege_escalation_threshold: 0.1 # Percentage of actions found to decide if it is an privilege_escalation attack event, by default is 0.1 (10%)
+  threat_detection_privilege_escalation_threshold: 0.2 # Percentage of actions found to decide if it is an privilege_escalation attack event, by default is 0.2 (20%)
  threat_detection_privilege_escalation_minutes: 1440 # Past minutes to search from now for privilege_escalation attacks, by default is 1440 minutes (24 hours)
  threat_detection_privilege_escalation_actions:
    [
@@ -167,7 +192,7 @@ aws:
      "UpdateLoginProfile",
    ]
  # aws.cloudtrail_threat_detection_enumeration
-  threat_detection_enumeration_threshold: 0.1 # Percentage of actions found to decide if it is an enumeration attack event, by default is 0.1 (10%)
+  threat_detection_enumeration_threshold: 0.3 # Percentage of actions found to decide if it is an enumeration attack event, by default is 0.3 (30%)
  threat_detection_enumeration_minutes: 1440 # Past minutes to search from now for enumeration attacks, by default is 1440 minutes (24 hours)
  threat_detection_enumeration_actions:
    [
@@ -262,6 +287,24 @@ aws:
      "LookupEvents",
      "Search",
    ]
+  # aws.cloudtrail_threat_detection_llm_jacking
+  threat_detection_llm_jacking_threshold: 0.4 # Percentage of actions found to decide if it is an LLM Jacking attack event, by default is 0.4 (40%)
+  threat_detection_llm_jacking_minutes: 1440 # Past minutes to search from now for LLM Jacking attacks, by default is 1440 minutes (24 hours)
+  threat_detection_llm_jacking_actions:
+    [
+    "PutUseCaseForModelAccess",  # Submits a use case for model access, providing justification (Write).
+    "PutFoundationModelEntitlement",  # Grants entitlement for accessing a foundation model (Write).
+    "PutModelInvocationLoggingConfiguration", # Configures logging for model invocations (Write).
+    "CreateFoundationModelAgreement",  # Creates a new agreement to use a foundation model (Write).
+    "InvokeModel",  # Invokes a specified Bedrock model for inference using provided prompt and parameters (Read).
+    "InvokeModelWithResponseStream",  # Invokes a Bedrock model for inference with real-time token streaming (Read).
+    "GetUseCaseForModelAccess",  # Retrieves an existing use case for model access (Read).
+    "GetModelInvocationLoggingConfiguration",  # Fetches the logging configuration for model invocations (Read).
+    "GetFoundationModelAvailability",  # Checks the availability of a foundation model for use (Read).
+    "ListFoundationModelAgreementOffers",  # Lists available agreement offers for accessing foundation models (List).
+    "ListFoundationModels",  # Lists the available foundation models in Bedrock (List).
+    "ListProvisionedModelThroughputs",  # Lists the provisioned throughput for previously created models (List).
+    ]

  # AWS RDS Configuration
  # aws.rds_instance_backup_enabled
@@ -271,6 +314,64 @@ aws:
  # AWS ACM Configuration
  # aws.acm_certificates_expiration_check
  days_to_expire_threshold: 7
+  # aws.acm_certificates_rsa_key_length
+  insecure_key_algorithms:
+    [
+      "RSA-1024",
+    ]
+
+  # AWS EKS Configuration
+  # aws.eks_control_plane_logging_all_types_enabled
+  # EKS control plane logging types that must be enabled
+  eks_required_log_types:
+    [
+      "api",
+      "audit",
+      "authenticator",
+      "controllerManager",
+      "scheduler",
+    ]
+
+  # aws.eks_cluster_uses_a_supported_version
+  # EKS clusters must be version 1.28 or higher
+  eks_cluster_oldest_version_supported: "1.28"
+
+  # AWS CodeBuild Configuration
+  # aws.codebuild_project_no_secrets_in_variables
+  # CodeBuild sensitive variables that are excluded from the check
+  excluded_sensitive_environment_variables:
+    [
+
+    ]
+
+  # AWS ELB Configuration
+  # aws.elb_is_in_multiple_az
+  # Minimum number of Availability Zones that an CLB must be in
+  elb_min_azs: 2
+
+  # AWS ELBv2 Configuration
+  # aws.elbv2_is_in_multiple_az
+  # Minimum number of Availability Zones that an ELBv2 must be in
+  elbv2_min_azs: 2
+
+
+  # AWS Secrets Configuration
+  # Patterns to ignore in the secrets checks
+  secrets_ignore_patterns: []
+
+  # AWS Secrets Manager Configuration
+  # aws.secretsmanager_secret_unused
+  # Maximum number of days a secret can be unused
+  max_days_secret_unused: 90
+
+  # aws.secretsmanager_secret_rotated_periodically
+  # Maximum number of days a secret should be rotated
+  max_days_secret_unrotated: 90
+
+  # AWS Kinesis Configuration
+  # Minimum retention period in hours for Kinesis streams
+  min_kinesis_stream_retention_hours: 168 # 7 days
+

 # Azure Configuration
 azure:
@@ -0,0 +1,56 @@
+class ProwlerException(Exception):
+    """Base exception for all Prowler SDK errors."""
+
+    ERROR_CODES = {
+        (1901, "UnexpectedError"): {
+            "message": "Unexpected error occurred.",
+            "remediation": "Please review the error message and try again.",
+        }
+    }
+
+    def __init__(
+        self, code, source=None, file=None, original_exception=None, error_info=None
+    ):
+        """
+        Initialize the ProwlerException class.
+
+        Args:
+            code (int): The error code.
+            source (str): The source name. This can be the provider name, module name, service name, etc.
+            file (str): The file name.
+            original_exception (Exception): The original exception.
+            error_info (dict): The error information.
+
+        Example:
+            A ProwlerException is raised with the following parameters and format:
+            >>> original_exception = Exception("Error occurred.")
+            ProwlerException(1901, "AWS", "file.txt", original_exception)
+            >>> [1901] Unexpected error occurred. - Exception: Error occurred.
+        """
+        self.code = code
+        self.source = source
+        self.file = file
+        if error_info is None:
+            error_info = self.ERROR_CODES.get((code, self.__class__.__name__))
+        self.message = error_info.get("message")
+        self.remediation = error_info.get("remediation")
+        self.original_exception = original_exception
+        # Format -> [code] message - original_exception
+        if original_exception is None:
+            super().__init__(f"[{self.code}] {self.message}")
+        else:
+            super().__init__(
+                f"[{self.code}] {self.message} - {self.original_exception}"
+            )
+
+    def __str__(self):
+        """Overriding the __str__ method"""
+        default_str = f"{self.__class__.__name__}[{self.code}]: {self.message}"
+        if self.original_exception:
+            default_str += f" - {self.original_exception}"
+        return default_str
+
+
+class UnexpectedError(ProwlerException):
+    def __init__(self, source, file, original_exception=None):
+        super().__init__(1901, source, file, original_exception)
@@ -1,4 +1,3 @@
-import functools
 import importlib
 import json
 import os
@@ -6,7 +5,6 @@ import re
 import shutil
 import sys
 import traceback
-from pkgutil import walk_packages
 from types import ModuleType
 from typing import Any

@@ -15,68 +13,15 @@ from colorama import Fore, Style

 import prowler
 from prowler.config.config import orange_color
-from prowler.lib.check.compliance_models import load_compliance_framework
 from prowler.lib.check.custom_checks_metadata import update_check_metadata
-from prowler.lib.check.models import Check, load_check_metadata
+from prowler.lib.check.models import Check
+from prowler.lib.check.utils import recover_checks_from_provider
 from prowler.lib.logger import logger
 from prowler.lib.outputs.outputs import report
 from prowler.lib.utils.utils import open_file, parse_json_file, print_boxes
 from prowler.providers.common.models import Audit_Metadata


-# Load all checks metadata
-def bulk_load_checks_metadata(provider: str) -> dict:
-    bulk_check_metadata = {}
-    checks = recover_checks_from_provider(provider)
-    # Build list of check's metadata files
-    for check_info in checks:
-        # Build check path name
-        check_name = check_info[0]
-        check_path = check_info[1]
-        # Ignore fixer files
-        if check_name.endswith("_fixer"):
-            continue
-        # Append metadata file extension
-        metadata_file = f"{check_path}/{check_name}.metadata.json"
-        # Load metadata
-        check_metadata = load_check_metadata(metadata_file)
-        bulk_check_metadata[check_metadata.CheckID] = check_metadata
-
-    return bulk_check_metadata
-
-
-# Bulk load all compliance frameworks specification
-def bulk_load_compliance_frameworks(provider: str) -> dict:
-    """Bulk load all compliance frameworks specification into a dict"""
-    try:
-        bulk_compliance_frameworks = {}
-        available_compliance_framework_modules = list_compliance_modules()
-        for compliance_framework in available_compliance_framework_modules:
-            if provider in compliance_framework.name:
-                compliance_specification_dir_path = (
-                    f"{compliance_framework.module_finder.path}/{provider}"
-                )
-
-                # for compliance_framework in available_compliance_framework_modules:
-                for filename in os.listdir(compliance_specification_dir_path):
-                    file_path = os.path.join(
-                        compliance_specification_dir_path, filename
-                    )
-                    # Check if it is a file and ti size is greater than 0
-                    if os.path.isfile(file_path) and os.stat(file_path).st_size > 0:
-                        # Open Compliance file in JSON
-                        # cis_v1.4_aws.json --> cis_v1.4_aws
-                        compliance_framework_name = filename.split(".json")[0]
-                        # Store the compliance info
-                        bulk_compliance_frameworks[compliance_framework_name] = (
-                            load_compliance_framework(file_path)
-                        )
-    except Exception as e:
-        logger.error(f"{e.__class__.__name__}[{e.__traceback__.tb_lineno}] -- {e}")
-
-    return bulk_compliance_frameworks
-
-
 # Exclude checks to run
 def exclude_checks_to_run(checks_to_execute: set, excluded_checks: list) -> set:
    for check in excluded_checks:
@@ -328,7 +273,7 @@ def print_checks(
    for check in check_list:
        try:
            print(
-                f"[{bulk_checks_metadata[check].CheckID}] {bulk_checks_metadata[check].CheckTitle} - {Fore.MAGENTA}{bulk_checks_metadata[check].ServiceName} {Fore.YELLOW}[{bulk_checks_metadata[check].Severity}]{Style.RESET_ALL}"
+                f"[{bulk_checks_metadata[check].CheckID}] {bulk_checks_metadata[check].CheckTitle} - {Fore.MAGENTA}{bulk_checks_metadata[check].ServiceName} {Fore.YELLOW}[{bulk_checks_metadata[check].Severity.value}]{Style.RESET_ALL}"
            )
        except KeyError as error:
            logger.error(
@@ -347,126 +292,12 @@ def print_checks(
    print(message)


-# Parse checks from compliance frameworks specification
-def parse_checks_from_compliance_framework(
-    compliance_frameworks: list, bulk_compliance_frameworks: dict
-) -> list:
-    """parse_checks_from_compliance_framework returns a set of checks from the given compliance_frameworks"""
-    checks_to_execute = set()
-    try:
-        for framework in compliance_frameworks:
-            # compliance_framework_json["Requirements"][*]["Checks"]
-            compliance_framework_checks_list = [
-                requirement.Checks
-                for requirement in bulk_compliance_frameworks[framework].Requirements
-            ]
-            # Reduce nested list into a list
-            # Pythonic functional magic
-            compliance_framework_checks = functools.reduce(
-                lambda x, y: x + y, compliance_framework_checks_list
-            )
-            # Then union this list of checks with the initial one
-            checks_to_execute = checks_to_execute.union(compliance_framework_checks)
-    except Exception as e:
-        logger.error(f"{e.__class__.__name__}[{e.__traceback__.tb_lineno}] -- {e}")
-
-    return checks_to_execute
-
-
-def recover_checks_from_provider(
-    provider: str, service: str = None, include_fixers: bool = False
-) -> list[tuple]:
-    """
-    Recover all checks from the selected provider and service
-
-    Returns a list of tuples with the following format (check_name, check_path)
-    """
-    try:
-        checks = []
-        modules = list_modules(provider, service)
-        for module_name in modules:
-            # Format: "prowler.providers.{provider}.services.{service}.{check_name}.{check_name}"
-            check_module_name = module_name.name
-            # We need to exclude common shared libraries in services
-            if (
-                check_module_name.count(".") == 6
-                and "lib" not in check_module_name
-                and (not check_module_name.endswith("_fixer") or include_fixers)
-            ):
-                check_path = module_name.module_finder.path
-                # Check name is the last part of the check_module_name
-                check_name = check_module_name.split(".")[-1]
-                check_info = (check_name, check_path)
-                checks.append(check_info)
-    except ModuleNotFoundError:
-        logger.critical(f"Service {service} was not found for the {provider} provider.")
-        sys.exit(1)
-    except Exception as e:
-        logger.critical(f"{e.__class__.__name__}[{e.__traceback__.tb_lineno}]: {e}")
-        sys.exit(1)
-    else:
-        return checks
-
-
-def list_compliance_modules():
-    """
-    list_compliance_modules returns the available compliance frameworks and returns their path
-    """
-    # This module path requires the full path including "prowler."
-    module_path = "prowler.compliance"
-    return walk_packages(
-        importlib.import_module(module_path).__path__,
-        importlib.import_module(module_path).__name__ + ".",
-    )
-
-
-# List all available modules in the selected provider and service
-def list_modules(provider: str, service: str):
-    # This module path requires the full path including "prowler."
-    module_path = f"prowler.providers.{provider}.services"
-    if service:
-        module_path += f".{service}"
-    return walk_packages(
-        importlib.import_module(module_path).__path__,
-        importlib.import_module(module_path).__name__ + ".",
-    )
-
-
 # Import an input check using its path
 def import_check(check_path: str) -> ModuleType:
    lib = importlib.import_module(f"{check_path}")
    return lib


-def run_check(check: Check, verbose: bool = False, only_logs: bool = False) -> list:
-    """
-    Run the check and return the findings
-    Args:
-        check (Check): check class
-        output_options (Any): output options
-    Returns:
-        list: list of findings
-    """
-    findings = []
-    if verbose:
-        print(
-            f"\nCheck ID: {check.CheckID} - {Fore.MAGENTA}{check.ServiceName}{Fore.YELLOW} [{check.Severity}]{Style.RESET_ALL}"
-        )
-    logger.debug(f"Executing check: {check.CheckID}")
-    try:
-        findings = check.execute()
-    except Exception as error:
-        if not only_logs:
-            print(
-                f"Something went wrong in {check.CheckID}, please use --log-level ERROR"
-            )
-        logger.error(
-            f"{check.CheckID} -- {error.__class__.__name__}[{traceback.extract_tb(error.__traceback__)[-1].lineno}]: {error}"
-        )
-    finally:
-        return findings
-
-
 def run_fixer(check_findings: list) -> int:
    """
    Run the fixer for the check if it exists and there are any FAIL findings
@@ -548,6 +379,7 @@ def execute_checks(
    global_provider: Any,
    custom_checks_metadata: Any,
    config_file: str,
+    output_options: Any,
 ) -> list:
    # List to store all the check's findings
    all_findings = []
@@ -583,22 +415,51 @@ def execute_checks(
                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
            )

+    # Set verbose flag
+    verbose = False
+    if hasattr(output_options, "verbose"):
+        verbose = output_options.verbose
+    elif hasattr(output_options, "fixer"):
+        verbose = output_options.fixer
+
    # Execution with the --only-logs flag
-    if global_provider.output_options.only_logs:
+    if output_options.only_logs:
        for check_name in checks_to_execute:
            # Recover service from check name
            service = check_name.split("_")[0]
            try:
+                try:
+                    # Import check module
+                    check_module_path = f"prowler.providers.{global_provider.type}.services.{service}.{check_name}.{check_name}"
+                    lib = import_check(check_module_path)
+                    # Recover functions from check
+                    check_to_execute = getattr(lib, check_name)
+                    check = check_to_execute()
+                except ModuleNotFoundError:
+                    logger.error(
+                        f"Check '{check_name}' was not found for the {global_provider.type.upper()} provider"
+                    )
+                    continue
+                if verbose:
+                    print(
+                        f"\nCheck ID: {check.CheckID} - {Fore.MAGENTA}{check.ServiceName}{Fore.YELLOW} [{check.Severity.value}]{Style.RESET_ALL}"
+                    )
                check_findings = execute(
-                    service,
-                    check_name,
+                    check,
                    global_provider,
-                    services_executed,
-                    checks_executed,
                    custom_checks_metadata,
+                    output_options,
                )
+                report(check_findings, global_provider, output_options)
                all_findings.extend(check_findings)

+                # Update Audit Status
+                services_executed.add(service)
+                checks_executed.add(check_name)
+                global_provider.audit_metadata = update_audit_metadata(
+                    global_provider.audit_metadata, services_executed, checks_executed
+                )
+
            # If check does not exists in the provider or is from another provider
            except ModuleNotFoundError:
                logger.error(
@@ -647,15 +508,39 @@ def execute_checks(
                    f"-> Scanning {orange_color}{service}{Style.RESET_ALL} service"
                )
                try:
+                    try:
+                        # Import check module
+                        check_module_path = f"prowler.providers.{global_provider.type}.services.{service}.{check_name}.{check_name}"
+                        lib = import_check(check_module_path)
+                        # Recover functions from check
+                        check_to_execute = getattr(lib, check_name)
+                        check = check_to_execute()
+                    except ModuleNotFoundError:
+                        logger.error(
+                            f"Check '{check_name}' was not found for the {global_provider.type.upper()} provider"
+                        )
+                        continue
+                    if verbose:
+                        print(
+                            f"\nCheck ID: {check.CheckID} - {Fore.MAGENTA}{check.ServiceName}{Fore.YELLOW} [{check.Severity.value}]{Style.RESET_ALL}"
+                        )
                    check_findings = execute(
-                        service,
-                        check_name,
+                        check,
                        global_provider,
+                        custom_checks_metadata,
+                        output_options,
+                    )
+
+                    report(check_findings, global_provider, output_options)
+
+                    all_findings.extend(check_findings)
+                    services_executed.add(service)
+                    checks_executed.add(check_name)
+                    global_provider.audit_metadata = update_audit_metadata(
+                        global_provider.audit_metadata,
                        services_executed,
                        checks_executed,
-                        custom_checks_metadata,
                    )
-                    all_findings.extend(check_findings)

                # If check does not exists in the provider or is from another provider
                except ModuleNotFoundError:
@@ -670,52 +555,79 @@ def execute_checks(
                    )
                bar()
            bar.title = f"-> {Fore.GREEN}Scan completed!{Style.RESET_ALL}"
+
+    # Custom report interface
+    if os.environ.get("PROWLER_REPORT_LIB_PATH"):
+        try:
+            logger.info("Using custom report interface ...")
+            lib = os.environ["PROWLER_REPORT_LIB_PATH"]
+            outputs_module = importlib.import_module(lib)
+            custom_report_interface = getattr(outputs_module, "report")
+
+            # TODO: review this call and see if we can remove the global_provider.output_options since it is contained in the global_provider
+            custom_report_interface(check_findings, output_options, global_provider)
+        except Exception:
+            sys.exit(1)
+
    return all_findings


 def execute(
-    service: str,
-    check_name: str,
+    check: Check,
    global_provider: Any,
-    services_executed: set,
-    checks_executed: set,
    custom_checks_metadata: Any,
+    output_options: Any = None,
 ):
-    try:
-        # Import check module
-        check_module_path = f"prowler.providers.{global_provider.type}.services.{service}.{check_name}.{check_name}"
-        lib = import_check(check_module_path)
-        # Recover functions from check
-        check_to_execute = getattr(lib, check_name)
-        check_class = check_to_execute()
+    """
+    Execute the check and report the findings

+    Args:
+        service (str): service name
+        check_name (str): check name
+        global_provider (Any): provider object
+        custom_checks_metadata (Any): custom checks metadata
+        output_options (Any): output options, depending on the provider
+
+    Returns:
+        list: list of findings
+    """
+    try:
        # Update check metadata to reflect that in the outputs
        if custom_checks_metadata and custom_checks_metadata["Checks"].get(
-            check_class.CheckID
+            check.CheckID
        ):
-            check_class = update_check_metadata(
-                check_class, custom_checks_metadata["Checks"][check_class.CheckID]
+            check = update_check_metadata(
+                check, custom_checks_metadata["Checks"][check.CheckID]
            )

-        # Run check
-        verbose = (
-            global_provider.output_options.verbose
-            or global_provider.output_options.fixer
-        )
-        check_findings = run_check(
-            check_class, verbose, global_provider.output_options.only_logs
-        )
+        only_logs = False
+        if hasattr(output_options, "only_logs"):
+            only_logs = output_options.only_logs

-        # Update Audit Status
-        services_executed.add(service)
-        checks_executed.add(check_name)
-        global_provider.audit_metadata = update_audit_metadata(
-            global_provider.audit_metadata, services_executed, checks_executed
-        )
+        # Execute the check
+        check_findings = []
+        logger.debug(f"Executing check: {check.CheckID}")
+        try:
+            check_findings = check.execute()
+        except Exception as error:
+            if not only_logs:
+                print(
+                    f"Something went wrong in {check.CheckID}, please use --log-level ERROR"
+                )
+            logger.error(
+                f"{check.CheckID} -- {error.__class__.__name__}[{traceback.extract_tb(error.__traceback__)[-1].lineno}]: {error}"
+            )

-        # Mutelist findings
+        # Exclude findings per status
+        if hasattr(output_options, "status") and output_options.status:
+            check_findings = [
+                finding
+                for finding in check_findings
+                if finding.status in output_options.status
+            ]
+
+        # Before returning the findings, we need to apply the mute list logic
        if hasattr(global_provider, "mutelist") and global_provider.mutelist.mutelist:
-            # TODO: make this prettier
            is_finding_muted_args = {}
            if global_provider.type == "aws":
                is_finding_muted_args["aws_account_id"] = (
@@ -730,27 +642,9 @@ def execute(
                    **is_finding_muted_args
                )

-        # Refactor(Outputs)
-        # Report the check's findings
-        report(check_findings, global_provider)
-
-        # Refactor(Outputs)
-        if os.environ.get("PROWLER_REPORT_LIB_PATH"):
-            try:
-                logger.info("Using custom report interface ...")
-                lib = os.environ["PROWLER_REPORT_LIB_PATH"]
-                outputs_module = importlib.import_module(lib)
-                custom_report_interface = getattr(outputs_module, "report")
-
-                # TODO: review this call and see if we can remove the global_provider.output_options since it is contained in the global_provider
-                custom_report_interface(
-                    check_findings, global_provider.output_options, global_provider
-                )
-            except Exception:
-                sys.exit(1)
    except ModuleNotFoundError:
        logger.error(
-            f"Check '{check_name}' was not found for the {global_provider.type.upper()} provider"
+            f"Check '{check.CheckID}' was not found for the {global_provider.type.upper()} provider"
        )
        check_findings = []
    except Exception as error:
@@ -780,34 +674,3 @@ def update_audit_metadata(
        logger.error(
            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
        )
-
-
-def recover_checks_from_service(service_list: list, provider: str) -> set:
-    """
-    Recover all checks from the selected provider and service
-
-    Returns a set of checks from the given services
-    """
-    try:
-        checks = set()
-        service_list = [
-            "awslambda" if service == "lambda" else service for service in service_list
-        ]
-        for service in service_list:
-            service_checks = recover_checks_from_provider(provider, service)
-            if not service_checks:
-                logger.error(f"Service '{service}' does not have checks.")
-
-            else:
-                for check in service_checks:
-                    # Recover check name and module name from import path
-                    # Format: "providers.{provider}.services.{service}.{check_name}.{check_name}"
-                    check_name = check[0].split(".")[-1]
-                    # If the service is present in the group list passed as parameters
-                    # if service_name in group_list: checks_from_arn.add(check_name)
-                    checks.add(check_name)
-        return checks
-    except Exception as error:
-        logger.error(
-            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
-        )
@@ -1,35 +1,33 @@
 from colorama import Fore, Style

-from prowler.config.config import valid_severities
-from prowler.lib.check.check import (
-    parse_checks_from_compliance_framework,
-    parse_checks_from_file,
-    recover_checks_from_provider,
-    recover_checks_from_service,
-)
+from prowler.lib.check.check import parse_checks_from_file
+from prowler.lib.check.compliance_models import Compliance
+from prowler.lib.check.models import CheckMetadata, Severity
 from prowler.lib.logger import logger


 # Generate the list of checks to execute
 def load_checks_to_execute(
-    bulk_checks_metadata: dict,
-    bulk_compliance_frameworks: dict,
-    checks_file: str,
-    check_list: list,
-    service_list: list,
-    severities: list,
-    compliance_frameworks: list,
-    categories: set,
    provider: str,
+    bulk_checks_metadata: dict = None,
+    bulk_compliance_frameworks: dict = None,
+    checks_file: str = None,
+    check_list: list = None,
+    service_list: list = None,
+    severities: list = None,
+    compliance_frameworks: list = None,
+    categories: set = None,
 ) -> set:
    """Generate the list of checks to execute based on the cloud provider and the input arguments given"""
    try:
        # Local subsets
        checks_to_execute = set()
        check_aliases = {}
-        check_severities = {key: [] for key in valid_severities}
        check_categories = {}
+        check_severities = {severity.value: [] for severity in Severity}

+        if not bulk_checks_metadata:
+            bulk_checks_metadata = CheckMetadata.get_bulk(provider=provider)
        # First, loop over the bulk_checks_metadata to extract the needed subsets
        for check, metadata in bulk_checks_metadata.items():
            try:
@@ -64,24 +62,41 @@ def load_checks_to_execute(
                checks_to_execute.update(check_severities[severity])

            if service_list:
-                checks_to_execute = (
-                    recover_checks_from_service(service_list, provider)
-                    & checks_to_execute
-                )
-
+                for service in service_list:
+                    checks_to_execute = (
+                        set(
+                            CheckMetadata.list(
+                                bulk_checks_metadata=bulk_checks_metadata,
+                                service=service,
+                            )
+                        )
+                        & checks_to_execute
+                    )
        # Handle if there are checks passed using -C/--checks-file
        elif checks_file:
            checks_to_execute = parse_checks_from_file(checks_file, provider)

        # Handle if there are services passed using -s/--services
        elif service_list:
-            checks_to_execute = recover_checks_from_service(service_list, provider)
+            for service in service_list:
+                checks_to_execute.update(
+                    CheckMetadata.list(
+                        bulk_checks_metadata=bulk_checks_metadata,
+                        service=service,
+                    )
+                )

        # Handle if there are compliance frameworks passed using --compliance
        elif compliance_frameworks:
-            checks_to_execute = parse_checks_from_compliance_framework(
-                compliance_frameworks, bulk_compliance_frameworks
-            )
+            if not bulk_compliance_frameworks:
+                bulk_compliance_frameworks = Compliance.get_bulk(provider=provider)
+            for compliance_framework in compliance_frameworks:
+                checks_to_execute.update(
+                    CheckMetadata.list(
+                        bulk_compliance_frameworks=bulk_compliance_frameworks,
+                        compliance_framework=compliance_framework,
+                    )
+                )

        # Handle if there are categories passed using --categories
        elif categories:
@@ -90,17 +105,13 @@ def load_checks_to_execute(

        # If there are no checks passed as argument
        else:
-            # Get all check modules to run with the specific provider
-            checks = recover_checks_from_provider(provider)
-
-            for check_info in checks:
-                # Recover check name from import path (last part)
-                # Format: "providers.{provider}.services.{service}.{check_name}.{check_name}"
-                check_name = check_info[0]
+            # get all checks
+            for check_name in CheckMetadata.list(
+                bulk_checks_metadata=bulk_checks_metadata
+            ):
                checks_to_execute.add(check_name)
-
        # Only execute threat detection checks if threat-detection category is set
-        if "threat-detection" not in categories:
+        if not categories or "threat-detection" not in categories:
            for threat_detection_check in check_categories.get("threat-detection", []):
                checks_to_execute.discard(threat_detection_check)

@@ -1,6 +1,6 @@
 import sys

-from prowler.lib.check.compliance_models import ComplianceBaseModel
+from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.logger import logger


@@ -26,8 +26,8 @@ def update_checks_metadata_with_compliance(
                    if check in requirement.Checks:
                        # Include the requirement into the check's framework requirements
                        compliance_requirements.append(requirement)
-                        # Create the Compliance_Model
-                        compliance = ComplianceBaseModel(
+                        # Create the Compliance
+                        compliance = Compliance(
                            Framework=framework.Framework,
                            Provider=framework.Provider,
                            Version=framework.Version,
@@ -1,9 +1,11 @@
+import os
 import sys
 from enum import Enum
 from typing import Optional, Union

 from pydantic import BaseModel, ValidationError, root_validator

+from prowler.lib.check.utils import list_compliance_modules
 from prowler.lib.logger import logger


@@ -81,6 +83,7 @@ class CIS_Requirement_Attribute(BaseModel):
    """CIS Requirement Attribute"""

    Section: str
+    SubSection: Optional[str]
    Profile: CIS_Requirement_Attribute_Profile
    AssessmentStatus: CIS_Requirement_Attribute_AssessmentStatus
    Description: str
@@ -167,6 +170,19 @@ class Mitre_Requirement(BaseModel):
    Checks: list[str]


+# KISA-ISMS-P Requirement Attribute
+class KISA_ISMSP_Requirement_Attribute(BaseModel):
+    """KISA ISMS-P Requirement Attribute"""
+
+    Domain: str
+    Subdomain: str
+    Section: str
+    AuditChecklist: Optional[list[str]]
+    RelatedRegulations: Optional[list[str]]
+    AuditEvidence: Optional[list[str]]
+    NonComplianceCases: Optional[list[str]]
+
+
 # Base Compliance Model
 # TODO: move this to compliance folder
 class Compliance_Requirement(BaseModel):
@@ -181,6 +197,7 @@ class Compliance_Requirement(BaseModel):
            ENS_Requirement_Attribute,
            ISO27001_2013_Requirement_Attribute,
            AWS_Well_Architected_Requirement_Attribute,
+            KISA_ISMSP_Requirement_Attribute,
            # Generic_Compliance_Requirement_Attribute must be the last one since it is the fallback for generic compliance framework
            Generic_Compliance_Requirement_Attribute,
        ]
@@ -188,8 +205,8 @@ class Compliance_Requirement(BaseModel):
    Checks: list[str]


-class ComplianceBaseModel(BaseModel):
-    """ComplianceBaseModel holds the base model for every compliance framework"""
+class Compliance(BaseModel):
+    """Compliance holds the base model for every compliance framework"""

    Framework: str
    Provider: str
@@ -213,16 +230,137 @@ class ComplianceBaseModel(BaseModel):
            raise ValueError("Framework or Provider must not be empty")
        return values

+    @staticmethod
+    def list(bulk_compliance_frameworks: dict, provider: str = None) -> list[str]:
+        """
+        Returns a list of compliance frameworks from bulk compliance frameworks
+
+        Args:
+            bulk_compliance_frameworks (dict): The bulk compliance frameworks
+            provider (str): The provider name
+
+        Returns:
+            list: The list of compliance frameworks
+        """
+        if provider:
+            compliance_frameworks = [
+                compliance_framework
+                for compliance_framework in bulk_compliance_frameworks.keys()
+                if provider in compliance_framework
+            ]
+        else:
+            compliance_frameworks = [
+                compliance_framework
+                for compliance_framework in bulk_compliance_frameworks.keys()
+            ]
+
+        return compliance_frameworks
+
+    @staticmethod
+    def get(
+        bulk_compliance_frameworks: dict, compliance_framework_name: str
+    ) -> "Compliance":
+        """
+        Returns a compliance framework from bulk compliance frameworks
+
+        Args:
+            bulk_compliance_frameworks (dict): The bulk compliance frameworks
+            compliance_framework_name (str): The compliance framework name
+
+        Returns:
+            Compliance: The compliance framework
+        """
+        return bulk_compliance_frameworks.get(compliance_framework_name, None)
+
+    @staticmethod
+    def list_requirements(
+        bulk_compliance_frameworks: dict, compliance_framework: str = None
+    ) -> list:
+        """
+        Returns a list of compliance requirements from a compliance framework
+
+        Args:
+            bulk_compliance_frameworks (dict): The bulk compliance frameworks
+            compliance_framework (str): The compliance framework name
+
+        Returns:
+            list: The list of compliance requirements for the provided compliance framework
+        """
+        compliance_requirements = []
+
+        if bulk_compliance_frameworks and compliance_framework:
+            compliance_requirements = [
+                compliance_requirement.Id
+                for compliance_requirement in bulk_compliance_frameworks.get(
+                    compliance_framework
+                ).Requirements
+            ]
+
+        return compliance_requirements
+
+    @staticmethod
+    def get_requirement(
+        bulk_compliance_frameworks: dict, compliance_framework: str, requirement_id: str
+    ) -> Union[Mitre_Requirement, Compliance_Requirement]:
+        """
+        Returns a compliance requirement from a compliance framework
+
+        Args:
+            bulk_compliance_frameworks (dict): The bulk compliance frameworks
+            compliance_framework (str): The compliance framework name
+            requirement_id (str): The compliance requirement ID
+
+        Returns:
+            Mitre_Requirement | Compliance_Requirement: The compliance requirement
+        """
+        requirement = None
+        for compliance_requirement in bulk_compliance_frameworks.get(
+            compliance_framework
+        ).Requirements:
+            if compliance_requirement.Id == requirement_id:
+                requirement = compliance_requirement
+                break
+
+        return requirement
+
+    @staticmethod
+    def get_bulk(provider: str) -> dict:
+        """Bulk load all compliance frameworks specification into a dict"""
+        try:
+            bulk_compliance_frameworks = {}
+            available_compliance_framework_modules = list_compliance_modules()
+            for compliance_framework in available_compliance_framework_modules:
+                if provider in compliance_framework.name:
+                    compliance_specification_dir_path = (
+                        f"{compliance_framework.module_finder.path}/{provider}"
+                    )
+                    # for compliance_framework in available_compliance_framework_modules:
+                    for filename in os.listdir(compliance_specification_dir_path):
+                        file_path = os.path.join(
+                            compliance_specification_dir_path, filename
+                        )
+                        # Check if it is a file and ti size is greater than 0
+                        if os.path.isfile(file_path) and os.stat(file_path).st_size > 0:
+                            # Open Compliance file in JSON
+                            # cis_v1.4_aws.json --> cis_v1.4_aws
+                            compliance_framework_name = filename.split(".json")[0]
+                            # Store the compliance info
+                            bulk_compliance_frameworks[compliance_framework_name] = (
+                                load_compliance_framework(file_path)
+                            )
+        except Exception as e:
+            logger.error(f"{e.__class__.__name__}[{e.__traceback__.tb_lineno}] -- {e}")
+
+        return bulk_compliance_frameworks
+

 # Testing Pending
 def load_compliance_framework(
    compliance_specification_file: str,
-) -> ComplianceBaseModel:
+) -> Compliance:
    """load_compliance_framework loads and parse a Compliance Framework Specification"""
    try:
-        compliance_framework = ComplianceBaseModel.parse_file(
-            compliance_specification_file
-        )
+        compliance_framework = Compliance.parse_file(compliance_specification_file)
    except ValidationError as error:
        logger.critical(
            f"Compliance Framework Specification from {compliance_specification_file} is not valid: {error}"
@@ -3,7 +3,7 @@ import sys
 import yaml
 from jsonschema import validate

-from prowler.config.config import valid_severities
+from prowler.lib.check.models import Severity
 from prowler.lib.logger import logger

 custom_checks_metadata_schema = {
@@ -17,7 +17,7 @@ custom_checks_metadata_schema = {
                    "properties": {
                        "Severity": {
                            "type": "string",
-                            "enum": valid_severities,
+                            "enum": [severity.value for severity in Severity],
                        },
                        "CheckTitle": {
                            "type": "string",
@@ -1,17 +1,30 @@
+import functools
 import os
 import re
 import sys
 from abc import ABC, abstractmethod
 from dataclasses import dataclass
+from enum import Enum
+from typing import Set

 from pydantic import BaseModel, ValidationError, validator

-from prowler.config.config import valid_severities
+from prowler.config.config import Provider
+from prowler.lib.check.compliance_models import Compliance
+from prowler.lib.check.utils import recover_checks_from_provider
 from prowler.lib.logger import logger


 class Code(BaseModel):
-    """Check's remediation information using IaC like CloudFormation, Terraform or the native CLI"""
+    """
+    Represents the remediation code using IaC like CloudFormation, Terraform or the native CLI.
+
+    Attributes:
+        NativeIaC (str): The NativeIaC code.
+        Terraform (str): The Terraform code.
+        CLI (str): The CLI code.
+        Other (str): Other code.
+    """

    NativeIaC: str
    Terraform: str
@@ -20,21 +33,69 @@ class Code(BaseModel):


 class Recommendation(BaseModel):
-    """Check's recommendation information"""
+    """
+    Represents a recommendation.
+
+    Attributes:
+        Text (str): The text of the recommendation.
+        Url (str): The URL associated with the recommendation.
+    """

    Text: str
    Url: str


 class Remediation(BaseModel):
-    """Check's remediation: Code and Recommendation"""
+    """
+    Represents a remediation action for a specific .
+
+    Attributes:
+        Code (Code): The code associated with the remediation action.
+        Recommendation (Recommendation): The recommendation for the remediation action.
+    """

    Code: Code
    Recommendation: Recommendation


-class Check_Metadata_Model(BaseModel):
-    """Check Metadata Model"""
+class Severity(str, Enum):
+    critical = "critical"
+    high = "high"
+    medium = "medium"
+    low = "low"
+    informational = "informational"
+
+
+class CheckMetadata(BaseModel):
+    """
+    Model representing the metadata of a check.
+
+    Attributes:
+        Provider (str): The provider of the check.
+        CheckID (str): The ID of the check.
+        CheckTitle (str): The title of the check.
+        CheckType (list[str]): The type of the check.
+        CheckAliases (list[str], optional): The aliases of the check. Defaults to an empty list.
+        ServiceName (str): The name of the service.
+        SubServiceName (str): The name of the sub-service.
+        ResourceIdTemplate (str): The template for the resource ID.
+        Severity (str): The severity of the check.
+        ResourceType (str): The type of the resource.
+        Description (str): The description of the check.
+        Risk (str): The risk associated with the check.
+        RelatedUrl (str): The URL related to the check.
+        Remediation (Remediation): The remediation steps for the check.
+        Categories (list[str]): The categories of the check.
+        DependsOn (list[str]): The dependencies of the check.
+        RelatedTo (list[str]): The related checks.
+        Notes (str): Additional notes for the check.
+        Compliance (list, optional): The compliance information for the check. Defaults to None.
+
+    Validators:
+        valid_category(value): Validator function to validate the categories of the check.
+        severity_to_lower(severity): Validator function to convert the severity to lowercase.
+        valid_severity(severity): Validator function to validate the severity of the check.
+    """

    Provider: str
    CheckID: str
@@ -44,7 +105,7 @@ class Check_Metadata_Model(BaseModel):
    ServiceName: str
    SubServiceName: str
    ResourceIdTemplate: str
-    Severity: str
+    Severity: Severity
    ResourceType: str
    Description: str
    Risk: str
@@ -73,16 +134,245 @@ class Check_Metadata_Model(BaseModel):
    def severity_to_lower(severity):
        return severity.lower()

-    @validator("Severity")
-    def valid_severity(severity):
-        if severity not in valid_severities:
-            raise ValueError(
-                f"Invalid severity: {severity}. Severity must be one of {', '.join(valid_severities)}"
+    @staticmethod
+    def get_bulk(provider: str) -> dict[str, "CheckMetadata"]:
+        """
+        Load the metadata of all checks for a given provider reading the check's metadata files.
+        Args:
+            provider (str): The name of the provider.
+        Returns:
+            dict[str, CheckMetadata]: A dictionary containing the metadata of all checks, with the CheckID as the key.
+        """
+
+        bulk_check_metadata = {}
+        checks = recover_checks_from_provider(provider)
+        # Build list of check's metadata files
+        for check_info in checks:
+            # Build check path name
+            check_name = check_info[0]
+            check_path = check_info[1]
+            # Ignore fixer files
+            if check_name.endswith("_fixer"):
+                continue
+            # Append metadata file extension
+            metadata_file = f"{check_path}/{check_name}.metadata.json"
+            # Load metadata
+            check_metadata = load_check_metadata(metadata_file)
+            bulk_check_metadata[check_metadata.CheckID] = check_metadata
+
+        return bulk_check_metadata
+
+    @staticmethod
+    def list(
+        bulk_checks_metadata: dict = None,
+        bulk_compliance_frameworks: dict = None,
+        provider: str = None,
+        severity: str = None,
+        category: str = None,
+        service: str = None,
+        compliance_framework: str = None,
+    ) -> Set["CheckMetadata"]:
+        """
+        Returns a set of checks from the bulk checks metadata.
+
+        Args:
+            provider (str): The provider of the checks.
+            bulk_checks_metadata (dict): The bulk checks metadata.
+            bulk_compliance_frameworks (dict): The bulk compliance frameworks.
+            severity (str): The severity of the checks.
+            category (str): The category of the checks.
+            service (str): The service of the checks.
+            compliance_framework (str): The compliance framework of the checks.
+
+        Returns:
+            set: A set of checks.
+        """
+        checks_from_provider = set()
+        checks_from_severity = set()
+        checks_from_category = set()
+        checks_from_service = set()
+        checks_from_compliance_framework = set()
+        # If the bulk checks metadata is not provided, get it
+        if not bulk_checks_metadata:
+            bulk_checks_metadata = {}
+            available_providers = [p.value for p in Provider]
+            for provider_name in available_providers:
+                bulk_checks_metadata.update(CheckMetadata.get_bulk(provider_name))
+        if provider:
+            checks_from_provider = {
+                check_name
+                for check_name, check_metadata in bulk_checks_metadata.items()
+                if check_metadata.Provider == provider
+            }
+        if severity:
+            checks_from_severity = CheckMetadata.list_by_severity(
+                bulk_checks_metadata=bulk_checks_metadata, severity=severity
            )
-        return severity
+        if category:
+            checks_from_category = CheckMetadata.list_by_category(
+                bulk_checks_metadata=bulk_checks_metadata, category=category
+            )
+        if service:
+            checks_from_service = CheckMetadata.list_by_service(
+                bulk_checks_metadata=bulk_checks_metadata, service=service
+            )
+        if compliance_framework:
+            # Loaded here, as it is not always needed
+            if not bulk_compliance_frameworks:
+                bulk_compliance_frameworks = {}
+                available_providers = [p.value for p in Provider]
+                for provider in available_providers:
+                    bulk_compliance_frameworks = Compliance.get_bulk(provider=provider)
+            checks_from_compliance_framework = (
+                CheckMetadata.list_by_compliance_framework(
+                    bulk_compliance_frameworks=bulk_compliance_frameworks,
+                    compliance_framework=compliance_framework,
+                )
+            )
+
+        # Get all the checks:
+        checks = set(bulk_checks_metadata.keys())
+        # Get the intersection of the checks
+        if len(checks_from_provider) > 0 or provider:
+            checks = checks & checks_from_provider
+        if len(checks_from_severity) > 0 or severity:
+            checks = checks & checks_from_severity
+        if len(checks_from_category) > 0 or category:
+            checks = checks & checks_from_category
+        if len(checks_from_service) > 0 or service:
+            checks = checks & checks_from_service
+        if len(checks_from_compliance_framework) > 0 or compliance_framework:
+            checks = checks & checks_from_compliance_framework
+
+        return checks
+
+    @staticmethod
+    def get(bulk_checks_metadata: dict, check_id: str) -> "CheckMetadata":
+        """
+        Returns the check metadata from the bulk checks metadata.
+
+        Args:
+            bulk_checks_metadata (dict): The bulk checks metadata.
+            check_id (str): The check ID.
+
+        Returns:
+            CheckMetadata: The check metadata.
+        """
+
+        return bulk_checks_metadata.get(check_id, None)
+
+    @staticmethod
+    def list_by_severity(bulk_checks_metadata: dict, severity: str = None) -> set:
+        """
+        Returns a set of checks by severity from the bulk checks metadata.
+
+        Args:
+            bulk_checks_metadata (dict): The bulk checks metadata.
+            severity (str): The severity.
+
+        Returns:
+            set: A set of checks by severity.
+        """
+        checks = set()
+
+        if severity:
+            checks = {
+                check_name
+                for check_name, check_metadata in bulk_checks_metadata.items()
+                if check_metadata.Severity == severity
+            }
+
+        return checks
+
+    @staticmethod
+    def list_by_category(bulk_checks_metadata: dict, category: str = None) -> set:
+        """
+        Returns a set of checks by category from the bulk checks metadata.
+
+        Args:
+            bulk_checks_metadata (dict): The bulk checks metadata.
+            category (str): The category.
+
+        Returns:
+            set: A set of checks by category.
+        """
+        checks = set()
+
+        if category:
+            checks = {
+                check_name
+                for check_name, check_metadata in bulk_checks_metadata.items()
+                if category in check_metadata.Categories
+            }
+
+        return checks
+
+    @staticmethod
+    def list_by_service(bulk_checks_metadata: dict, service: str = None) -> set:
+        """
+        Returns a set of checks by service from the bulk checks metadata.
+
+        Args:
+            bulk_checks_metadata (dict): The bulk checks metadata.
+            service (str): The service.
+
+        Returns:
+            set: A set of checks by service.
+        """
+        checks = set()
+
+        if service:
+            # This is a special case for the AWS provider since `lambda` is a reserved keyword in Python
+            if service == "awslambda":
+                service = "lambda"
+            checks = {
+                check_name
+                for check_name, check_metadata in bulk_checks_metadata.items()
+                if check_metadata.ServiceName == service
+            }
+
+        return checks
+
+    @staticmethod
+    def list_by_compliance_framework(
+        bulk_compliance_frameworks: dict, compliance_framework: str = None
+    ) -> set:
+        """
+        Returns a set of checks by compliance framework from the bulk compliance frameworks.
+
+        Args:
+            bulk_compliance_frameworks (dict): The bulk compliance frameworks.
+            compliance_framework (str): The compliance framework.
+
+        Returns:
+            set: A set of checks by compliance framework.
+        """
+        checks = set()
+
+        if compliance_framework:
+            try:
+                checks_from_framework_list = [
+                    requirement.Checks
+                    for requirement in bulk_compliance_frameworks[
+                        compliance_framework
+                    ].Requirements
+                ]
+                # Reduce nested list into a list
+                # Pythonic functional magic
+                checks_from_framework = functools.reduce(
+                    lambda x, y: x + y, checks_from_framework_list
+                )
+                # Then union this list of checks with the initial one
+                checks = checks.union(checks_from_framework)
+            except Exception as e:
+                logger.error(
+                    f"{e.__class__.__name__}[{e.__traceback__.tb_lineno}] -- {e}"
+                )
+
+        return checks


-class Check(ABC, Check_Metadata_Model):
+class Check(ABC, CheckMetadata):
    """Prowler Check"""

    def __init__(self, **data):
@@ -93,9 +383,11 @@ class Check(ABC, Check_Metadata_Model):
            + ".metadata.json"
        )
        # Store it to validate them with Pydantic
-        data = Check_Metadata_Model.parse_file(metadata_file).dict()
+        data = CheckMetadata.parse_file(metadata_file).dict()
        # Calls parents init function
        super().__init__(**data)
+        # TODO: verify that the CheckID is the same as the filename and classname
+        # to mimic the test done at test_<provider>_checks_metadata_is_valid

    def metadata(self) -> dict:
        """Return the JSON representation of the check's metadata"""
@@ -112,14 +404,14 @@ class Check_Report:

    status: str
    status_extended: str
-    check_metadata: Check_Metadata_Model
+    check_metadata: CheckMetadata
    resource_details: str
    resource_tags: list
    muted: bool

    def __init__(self, metadata):
        self.status = ""
-        self.check_metadata = Check_Metadata_Model.parse_raw(metadata)
+        self.check_metadata = CheckMetadata.parse_raw(metadata)
        self.status_extended = ""
        self.resource_details = ""
        self.resource_tags = []
@@ -192,12 +484,22 @@ class Check_Report_Kubernetes(Check_Report):


 # Testing Pending
-def load_check_metadata(metadata_file: str) -> Check_Metadata_Model:
-    """load_check_metadata loads and parse a Check's metadata file"""
+def load_check_metadata(metadata_file: str) -> CheckMetadata:
+    """
+    Load check metadata from a file.
+    Args:
+        metadata_file (str): The path to the metadata file.
+    Returns:
+        CheckMetadata: The loaded check metadata.
+    Raises:
+        ValidationError: If the metadata file is not valid.
+    """
+
    try:
-        check_metadata = Check_Metadata_Model.parse_file(metadata_file)
+        check_metadata = CheckMetadata.parse_file(metadata_file)
    except ValidationError as error:
        logger.critical(f"Metadata from {metadata_file} is not valid: {error}")
+        # TODO: remove this exit and raise an exception
        sys.exit(1)
    else:
        return check_metadata
@@ -0,0 +1,95 @@
+import importlib
+import sys
+from pkgutil import walk_packages
+
+from prowler.lib.logger import logger
+
+
+def recover_checks_from_provider(
+    provider: str, service: str = None, include_fixers: bool = False
+) -> list[tuple]:
+    """
+    Recover all checks from the selected provider and service
+
+    Returns a list of tuples with the following format (check_name, check_path)
+    """
+    try:
+        checks = []
+        modules = list_modules(provider, service)
+        for module_name in modules:
+            # Format: "prowler.providers.{provider}.services.{service}.{check_name}.{check_name}"
+            check_module_name = module_name.name
+            # We need to exclude common shared libraries in services
+            if (
+                check_module_name.count(".") == 6
+                and "lib" not in check_module_name
+                and (not check_module_name.endswith("_fixer") or include_fixers)
+            ):
+                check_path = module_name.module_finder.path
+                # Check name is the last part of the check_module_name
+                check_name = check_module_name.split(".")[-1]
+                check_info = (check_name, check_path)
+                checks.append(check_info)
+    except ModuleNotFoundError:
+        logger.critical(f"Service {service} was not found for the {provider} provider.")
+        sys.exit(1)
+    except Exception as e:
+        logger.critical(f"{e.__class__.__name__}[{e.__traceback__.tb_lineno}]: {e}")
+        sys.exit(1)
+    else:
+        return checks
+
+
+# List all available modules in the selected provider and service
+def list_modules(provider: str, service: str):
+    # This module path requires the full path including "prowler."
+    module_path = f"prowler.providers.{provider}.services"
+    if service:
+        module_path += f".{service}"
+    return walk_packages(
+        importlib.import_module(module_path).__path__,
+        importlib.import_module(module_path).__name__ + ".",
+    )
+
+
+def recover_checks_from_service(service_list: list, provider: str) -> set:
+    """
+    Recover all checks from the selected provider and service
+
+    Returns a set of checks from the given services
+    """
+    try:
+        checks = set()
+        service_list = [
+            "awslambda" if service == "lambda" else service for service in service_list
+        ]
+        for service in service_list:
+            service_checks = recover_checks_from_provider(provider, service)
+            if not service_checks:
+                logger.error(f"Service '{service}' does not have checks.")
+
+            else:
+                for check in service_checks:
+                    # Recover check name and module name from import path
+                    # Format: "providers.{provider}.services.{service}.{check_name}.{check_name}"
+                    check_name = check[0].split(".")[-1]
+                    # If the service is present in the group list passed as parameters
+                    # if service_name in group_list: checks_from_arn.add(check_name)
+                    checks.add(check_name)
+        return checks
+    except Exception as error:
+        logger.error(
+            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+        )
+
+
+def list_compliance_modules():
+    """
+    list_compliance_modules returns the available compliance frameworks and returns their path
+    """
+    # This module path requires the full path including "prowler."
+    module_path = "prowler.compliance"
+    return walk_packages(
+        importlib.import_module(module_path).__path__,
+        importlib.import_module(module_path).__name__ + ".",
+    )
@@ -10,9 +10,9 @@ from prowler.config.config import (
    default_config_file_path,
    default_fixer_config_file_path,
    default_output_directory,
-    finding_statuses,
-    valid_severities,
 )
+from prowler.lib.check.models import Severity
+from prowler.lib.outputs.common import Status
 from prowler.providers.common.arguments import (
    init_providers_parser,
    validate_provider_arguments,
@@ -138,8 +138,8 @@ Detailed documentation at https://docs.prowler.com
        common_outputs_parser.add_argument(
            "--status",
            nargs="+",
-            help=f"Filter by the status of the findings {finding_statuses}",
-            choices=finding_statuses,
+            help=f"Filter by the status of the findings {[status.value for status in Status]}",
+            choices=[status.value for status in Status],
        )
        common_outputs_parser.add_argument(
            "--output-formats",
@@ -177,6 +177,12 @@ Detailed documentation at https://docs.prowler.com
        common_outputs_parser.add_argument(
            "--no-banner", "-b", action="store_true", help="Hide Prowler banner"
        )
+        common_outputs_parser.add_argument(
+            "--no-color",
+            action="store_true",
+            help="Disable color codes in output",
+        )
+
        common_outputs_parser.add_argument(
            "--unix-timestamp",
            action="store_true",
@@ -257,8 +263,8 @@ Detailed documentation at https://docs.prowler.com
            "--severity",
            "--severities",
            nargs="+",
-            help=f"Severities to be executed {valid_severities}",
-            choices=valid_severities,
+            help=f"Severities to be executed {[severity.value for severity in Severity]}",
+            choices=[severity.value for severity in Severity],
        )
        group.add_argument(
            "--compliance",
@@ -5,9 +5,31 @@ import yaml

 from prowler.lib.logger import logger
 from prowler.lib.mutelist.models import mutelist_schema
+from prowler.lib.outputs.common import Status
+from prowler.lib.outputs.utils import unroll_dict, unroll_tags


 class Mutelist(ABC):
+    """
+    Abstract base class for managing a mutelist.
+
+    Attributes:
+        _mutelist (dict): Dictionary containing information about muted checks for different accounts.
+        _mutelist_file_path (str): Path to the mutelist file.
+        MUTELIST_KEY (str): Key used to access the mutelist in the mutelist file.
+
+    Methods:
+        __init__: Initializes a Mutelist object.
+        mutelist: Property that returns the mutelist dictionary.
+        mutelist_file_path: Property that returns the mutelist file path.
+        is_finding_muted: Abstract method to check if a finding is muted.
+        get_mutelist_file_from_local_file: Retrieves the mutelist file from a local file.
+        validate_mutelist: Validates the mutelist against a schema.
+        is_muted: Checks if a finding is muted for the audited account, check, region, resource, and tags.
+        is_muted_in_check: Checks if a check is muted.
+        is_excepted: Checks if the account, region, resource, and tags are excepted based on the exceptions.
+    """
+
    _mutelist: dict = {}
    _mutelist_file_path: str = None

@@ -68,6 +90,25 @@ class Mutelist(ABC):
        """
        Check if the provided finding is muted for the audited account, check, region, resource and tags.

+        The Mutelist works in a way that each field is ANDed, so if a check is muted for an account, region, resource and tags, it will be muted.
+        The exceptions are ORed, so if a check is excepted for an account, region, resource or tags, it will not be muted.
+        The only particularity is the tags, which are ORed.
+
+        So, for the following Mutelist:
+        ```
+        Mutelist:
+            Accounts:
+                '*':
+                Checks:
+                    ec2_instance_detailed_monitoring_enabled:
+                        Regions: ['*']
+                        Resources:
+                            - 'i-123456789'
+                        Tags:
+                            - 'Name=AdminInstance | Environment=Prod'
+        ```
+        The check `ec2_instance_detailed_monitoring_enabled` will be muted for all accounts and regions and for the resource_id 'i-123456789' with at least one of the tags 'Name=AdminInstance' or 'Environment=Prod'.
+
        Args:
            mutelist (dict): Dictionary containing information about muted checks for different accounts.
            audited_account (str): The account being audited.
@@ -172,7 +213,9 @@ class Mutelist(ABC):
                    muted_in_resource = self.is_item_matched(
                        muted_resources, finding_resource
                    )
-                    muted_in_tags = self.is_item_matched(muted_tags, finding_tags)
+                    muted_in_tags = self.is_item_matched(
+                        muted_tags, finding_tags, tag=True
+                    )

                    # For a finding to be muted requires the following set to True:
                    # - muted_in_check -> True
@@ -196,6 +239,35 @@ class Mutelist(ABC):
            )
            return False

+    def mute_finding(self, finding):
+        """
+        Check if the provided finding is muted
+
+        Args:
+            finding (Finding): The finding to be evaluated for muting.
+
+        Returns:
+            Finding: The finding with the status updated if it is muted, otherwise the finding is returned
+
+        """
+        try:
+            if self.is_muted(
+                finding.account_uid,
+                finding.metadata.CheckID,
+                finding.region,
+                finding.resource_uid,
+                unroll_dict(unroll_tags(finding.resource_tags)),
+            ):
+                finding.raw["status"] = finding.status
+                finding.status = Status.MUTED
+                finding.muted = True
+            return finding
+        except Exception as error:
+            logger.error(
+                f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
+            )
+            return finding
+
    def is_excepted(
        self,
        exceptions,
@@ -240,7 +312,9 @@ class Mutelist(ABC):
                )

                excepted_tags = exceptions.get("Tags", [])
-                is_tag_excepted = self.is_item_matched(excepted_tags, finding_tags)
+                is_tag_excepted = self.is_item_matched(
+                    excepted_tags, finding_tags, tag=True
+                )

                if (
                    not is_account_excepted
@@ -264,13 +338,16 @@ class Mutelist(ABC):
            return False

    @staticmethod
-    def is_item_matched(matched_items, finding_items):
+    def is_item_matched(matched_items, finding_items, tag=False) -> bool:
        """
        Check if any of the items in matched_items are present in finding_items.

        Args:
            matched_items (list): List of items to be matched.
            finding_items (str): String to search for matched items.
+            tag (bool): If True the search will have a different logic due to the tags being ANDed or ORed:
+                - Check of AND logic -> True if all the tags are present in the finding.
+                - Check of OR logic -> True if any of the tags is present in the finding.

        Returns:
            bool: True if any of the matched_items are present in finding_items, otherwise False.
@@ -278,12 +355,19 @@ class Mutelist(ABC):
        try:
            is_item_matched = False
            if matched_items and (finding_items or finding_items == ""):
+                if tag:
+                    is_item_matched = True
                for item in matched_items:
                    if item.startswith("*"):
                        item = ".*" + item[1:]
-                    if re.match(item, finding_items):
-                        is_item_matched = True
-                        break
+                    if tag:
+                        if not re.search(item, finding_items):
+                            is_item_matched = False
+                            break
+                    else:
+                        if re.search(item, finding_items):
+                            is_item_matched = True
+                            break
            return is_item_matched
        except Exception as error:
            logger.error(
@@ -25,7 +25,6 @@ class ASFF(Output):
        - transform(findings: list[Finding]) -> None: Transforms a list of findings into ASFF format.
        - batch_write_data_to_file() -> None: Writes the findings data to a file in JSON ASFF format.
        - generate_status(status: str, muted: bool = False) -> str: Generates the ASFF status based on the provided status and muted flag.
-        - format_resource_tags(tags: str) -> dict: Transforms a string of tags into a dictionary format.

    References:
        - AWS Security Hub API Reference: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_Compliance.html
@@ -62,7 +61,6 @@ class ASFF(Output):
                if finding.status == "MANUAL":
                    continue
                timestamp = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
-                resource_tags = ASFF.format_resource_tags(finding.resource_tags)

                associated_standards, compliance_summary = ASFF.format_compliance(
                    finding.compliance
@@ -70,36 +68,39 @@ class ASFF(Output):

                # Ensures finding_status matches allowed values in ASFF
                finding_status = ASFF.generate_status(finding.status, finding.muted)
-
                self._data.append(
                    AWSSecurityFindingFormat(
                        # The following line cannot be changed because it is the format we use to generate unique findings for AWS Security Hub
                        # If changed some findings could be lost because the unique identifier will be different
-                        Id=f"prowler-{finding.check_id}-{finding.account_uid}-{finding.region}-{hash_sha512(finding.resource_uid)}",
+                        Id=f"prowler-{finding.metadata.CheckID}-{finding.account_uid}-{finding.region}-{hash_sha512(finding.resource_uid)}",
                        ProductArn=f"arn:{finding.partition}:securityhub:{finding.region}::product/prowler/prowler",
                        ProductFields=ProductFields(
                            ProwlerResourceName=finding.resource_uid,
                        ),
-                        GeneratorId="prowler-" + finding.check_id,
+                        GeneratorId="prowler-" + finding.metadata.CheckID,
                        AwsAccountId=finding.account_uid,
                        Types=(
-                            finding.check_type.split(",")
-                            if finding.check_type
+                            finding.metadata.CheckType
+                            if finding.metadata.CheckType
                            else ["Software and Configuration Checks"]
                        ),
                        FirstObservedAt=timestamp,
                        UpdatedAt=timestamp,
                        CreatedAt=timestamp,
-                        Severity=Severity(Label=finding.severity.value),
-                        Title=finding.check_title,
-                        Description=finding.description,
+                        Severity=Severity(Label=finding.metadata.Severity.value),
+                        Title=finding.metadata.CheckTitle,
+                        Description=(
+                            (finding.status_extended[:1000] + "...")
+                            if len(finding.status_extended) > 1000
+                            else finding.status_extended
+                        ),
                        Resources=[
                            Resource(
                                Id=finding.resource_uid,
-                                Type=finding.resource_type,
+                                Type=finding.metadata.ResourceType,
                                Partition=finding.partition,
                                Region=finding.region,
-                                Tags=resource_tags,
+                                Tags=finding.resource_tags,
                            )
                        ],
                        Compliance=Compliance(
@@ -109,8 +110,8 @@ class ASFF(Output):
                        ),
                        Remediation=Remediation(
                            Recommendation=Recommendation(
-                                Text=finding.remediation_recommendation_text,
-                                Url=finding.remediation_recommendation_url,
+                                Text=finding.metadata.Remediation.Recommendation.Text,
+                                Url=finding.metadata.Remediation.Recommendation.Url,
                            )
                        ),
                    )
@@ -195,42 +196,6 @@ class ASFF(Output):

        return json_asff_status

-    @staticmethod
-    def format_resource_tags(tags: str) -> dict:
-        """
-        Transforms a string of tags into a dictionary format.
-
-        Parameters:
-            - tags (str): A string containing tags separated by ' | ' and key-value pairs separated by '='.
-
-        Returns:
-            - dict: A dictionary where keys are tag names and values are tag values.
-
-        Notes:
-            - If the input string is empty or None, it returns None.
-            - Each tag in the input string should be in the format 'key=value'.
-            - If the input string is not formatted correctly, it logs an error and returns None.
-        """
-        try:
-            tags_dict = None
-            if tags:
-                tags = tags.split(" | ")
-                tags_dict = {}
-                for tag in tags:
-                    value = tag.split("=")
-                    tags_dict[value[0]] = value[1]
-            return tags_dict
-        except IndexError as error:
-            logger.error(
-                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
-            )
-            return None
-        except AttributeError as error:
-            logger.error(
-                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
-            )
-            return None
-
    @staticmethod
    def format_compliance(compliance: dict) -> tuple[list[dict], list[str]]:
        """
@@ -316,6 +281,12 @@ class Resource(BaseModel):
    Region: str
    Tags: Optional[dict]

+    @validator("Tags", pre=True, always=True)
+    def tags_cannot_be_empty_dict(tags):
+        if not tags:
+            return None
+        return tags
+

 class Compliance(BaseModel):
    """
@@ -1,62 +1,26 @@
-from operator import attrgetter
+from enum import Enum

 from prowler.config.config import timestamp
-from prowler.lib.logger import logger
-from prowler.lib.outputs.utils import unroll_list, unroll_tags
+from prowler.lib.outputs.utils import unroll_tags
 from prowler.lib.utils.utils import outputs_unix_timestamp


-def get_provider_data_mapping(provider) -> dict:
-    data = {}
-    for generic_field, provider_field in provider.get_output_mapping.items():
-        try:
-            provider_value = attrgetter(provider_field)(provider)
-            data[generic_field] = provider_value
-        except AttributeError:
-            data[generic_field] = ""
-        except Exception as error:
-            logger.error(
-                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
-            )
-    return data
-
-
 # TODO: add test for outputs_unix_timestamp
 def fill_common_finding_data(finding: dict, unix_timestamp: bool) -> dict:
    finding_data = {
+        "metadata": finding.check_metadata,
        "timestamp": outputs_unix_timestamp(unix_timestamp, timestamp),
-        "check_id": finding.check_metadata.CheckID,
-        "check_title": finding.check_metadata.CheckTitle,
-        "check_type": ",".join(finding.check_metadata.CheckType),
        "status": finding.status,
        "status_extended": finding.status_extended,
        "muted": finding.muted,
-        "service_name": finding.check_metadata.ServiceName,
-        "subservice_name": finding.check_metadata.SubServiceName,
-        "severity": finding.check_metadata.Severity,
-        "resource_type": finding.check_metadata.ResourceType,
        "resource_details": finding.resource_details,
        "resource_tags": unroll_tags(finding.resource_tags),
-        "description": finding.check_metadata.Description,
-        "risk": finding.check_metadata.Risk,
-        "related_url": finding.check_metadata.RelatedUrl,
-        "remediation_recommendation_text": (
-            finding.check_metadata.Remediation.Recommendation.Text
-        ),
-        "remediation_recommendation_url": (
-            finding.check_metadata.Remediation.Recommendation.Url
-        ),
-        "remediation_code_nativeiac": (
-            finding.check_metadata.Remediation.Code.NativeIaC
-        ),
-        "remediation_code_terraform": (
-            finding.check_metadata.Remediation.Code.Terraform
-        ),
-        "remediation_code_cli": (finding.check_metadata.Remediation.Code.CLI),
-        "remediation_code_other": (finding.check_metadata.Remediation.Code.Other),
-        "categories": unroll_list(finding.check_metadata.Categories),
-        "depends_on": unroll_list(finding.check_metadata.DependsOn),
-        "related_to": unroll_list(finding.check_metadata.RelatedTo),
-        "notes": finding.check_metadata.Notes,
    }
    return finding_data
+
+
+class Status(str, Enum):
+    PASS = "PASS"
+    FAIL = "FAIL"
+    MANUAL = "MANUAL"
+    MUTED = "MUTED"
@@ -1,4 +1,4 @@
-from prowler.lib.check.compliance_models import ComplianceBaseModel
+from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.outputs.compliance.aws_well_architected.models import (
    AWSWellArchitectedModel,
 )
@@ -21,7 +21,7 @@ class AWSWellArchitected(ComplianceOutput):
    def transform(
        self,
        findings: list[Finding],
-        compliance: ComplianceBaseModel,
+        compliance: Compliance,
        compliance_name: str,
    ) -> None:
        """
@@ -29,7 +29,7 @@ class AWSWellArchitected(ComplianceOutput):

        Parameters:
            - findings (list): A list of findings.
-            - compliance (ComplianceBaseModel): A compliance model.
+            - compliance (Compliance): A compliance model.
            - compliance_name (str): The name of the compliance model.

        Returns:
@@ -94,11 +94,12 @@ def get_cis_table(
        print(
            f"\nCompliance Status of {Fore.YELLOW}{compliance_framework.upper()}{Style.RESET_ALL} Framework:"
        )
+        total_findings_count = len(fail_count) + len(pass_count) + len(muted_count)
        overview_table = [
            [
-                f"{Fore.RED}{round(len(fail_count) / len(findings) * 100, 2)}% ({len(fail_count)}) FAIL{Style.RESET_ALL}",
-                f"{Fore.GREEN}{round(len(pass_count) / len(findings) * 100, 2)}% ({len(pass_count)}) PASS{Style.RESET_ALL}",
-                f"{orange_color}{round(len(muted_count) / len(findings) * 100, 2)}% ({len(muted_count)}) MUTED{Style.RESET_ALL}",
+                f"{Fore.RED}{round(len(fail_count) / total_findings_count * 100, 2)}% ({len(fail_count)}) FAIL{Style.RESET_ALL}",
+                f"{Fore.GREEN}{round(len(pass_count) / total_findings_count * 100, 2)}% ({len(pass_count)}) PASS{Style.RESET_ALL}",
+                f"{orange_color}{round(len(muted_count) / total_findings_count * 100, 2)}% ({len(muted_count)}) MUTED{Style.RESET_ALL}",
            ]
        ]
        print(tabulate(overview_table, tablefmt="rounded_grid"))
@@ -1,4 +1,4 @@
-from prowler.lib.check.compliance_models import ComplianceBaseModel
+from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.outputs.compliance.cis.models import AWSCISModel
 from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
 from prowler.lib.outputs.finding import Finding
@@ -19,7 +19,7 @@ class AWSCIS(ComplianceOutput):
    def transform(
        self,
        findings: list[Finding],
-        compliance: ComplianceBaseModel,
+        compliance: Compliance,
        compliance_name: str,
    ) -> None:
        """
@@ -27,7 +27,7 @@ class AWSCIS(ComplianceOutput):

        Parameters:
            - findings (list): A list of findings.
-            - compliance (ComplianceBaseModel): A compliance model.
+            - compliance (Compliance): A compliance model.
            - compliance_name (str): The name of the compliance model.

        Returns:
@@ -48,6 +48,7 @@ class AWSCIS(ComplianceOutput):
                            Requirements_Id=requirement.Id,
                            Requirements_Description=requirement.Description,
                            Requirements_Attributes_Section=attribute.Section,
+                            Requirements_Attributes_SubSection=attribute.SubSection,
                            Requirements_Attributes_Profile=attribute.Profile,
                            Requirements_Attributes_AssessmentStatus=attribute.AssessmentStatus,
                            Requirements_Attributes_Description=attribute.Description,
@@ -78,6 +79,7 @@ class AWSCIS(ComplianceOutput):
                        Requirements_Id=requirement.Id,
                        Requirements_Description=requirement.Description,
                        Requirements_Attributes_Section=attribute.Section,
+                        Requirements_Attributes_SubSection=attribute.SubSection,
                        Requirements_Attributes_Profile=attribute.Profile,
                        Requirements_Attributes_AssessmentStatus=attribute.AssessmentStatus,
                        Requirements_Attributes_Description=attribute.Description,
@@ -1,4 +1,4 @@
-from prowler.lib.check.compliance_models import ComplianceBaseModel
+from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.outputs.compliance.cis.models import AzureCISModel
 from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
 from prowler.lib.outputs.finding import Finding
@@ -19,7 +19,7 @@ class AzureCIS(ComplianceOutput):
    def transform(
        self,
        findings: list[Finding],
-        compliance: ComplianceBaseModel,
+        compliance: Compliance,
        compliance_name: str,
    ) -> None:
        """
@@ -27,7 +27,7 @@ class AzureCIS(ComplianceOutput):

        Parameters:
            - findings (list): A list of findings.
-            - compliance (ComplianceBaseModel): A compliance model.
+            - compliance (Compliance): A compliance model.
            - compliance_name (str): The name of the compliance model.

        Returns:
@@ -42,12 +42,13 @@ class AzureCIS(ComplianceOutput):
                        compliance_row = AzureCISModel(
                            Provider=finding.provider,
                            Description=compliance.Description,
-                            Subscription=finding.account_name,
+                            SubscriptionId=finding.account_uid,
                            Location=finding.region,
                            AssessmentDate=str(finding.timestamp),
                            Requirements_Id=requirement.Id,
                            Requirements_Description=requirement.Description,
                            Requirements_Attributes_Section=attribute.Section,
+                            Requirements_Attributes_SubSection=attribute.SubSection,
                            Requirements_Attributes_Profile=attribute.Profile,
                            Requirements_Attributes_AssessmentStatus=attribute.AssessmentStatus,
                            Requirements_Attributes_Description=attribute.Description,
@@ -73,12 +74,13 @@ class AzureCIS(ComplianceOutput):
                    compliance_row = AzureCISModel(
                        Provider=compliance.Provider.lower(),
                        Description=compliance.Description,
-                        Subscription="",
+                        SubscriptionId="",
                        Location="",
                        AssessmentDate=str(finding.timestamp),
                        Requirements_Id=requirement.Id,
                        Requirements_Description=requirement.Description,
                        Requirements_Attributes_Section=attribute.Section,
+                        Requirements_Attributes_SubSection=attribute.SubSection,
                        Requirements_Attributes_Profile=attribute.Profile,
                        Requirements_Attributes_AssessmentStatus=attribute.AssessmentStatus,
                        Requirements_Attributes_Description=attribute.Description,
@@ -1,4 +1,4 @@
-from prowler.lib.check.compliance_models import ComplianceBaseModel
+from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.outputs.compliance.cis.models import GCPCISModel
 from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
 from prowler.lib.outputs.finding import Finding
@@ -19,7 +19,7 @@ class GCPCIS(ComplianceOutput):
    def transform(
        self,
        findings: list[Finding],
-        compliance: ComplianceBaseModel,
+        compliance: Compliance,
        compliance_name: str,
    ) -> None:
        """
@@ -27,7 +27,7 @@ class GCPCIS(ComplianceOutput):

        Parameters:
            - findings (list): A list of findings.
-            - compliance (ComplianceBaseModel): A compliance model.
+            - compliance (Compliance): A compliance model.
            - compliance_name (str): The name of the compliance model.

        Returns:
@@ -48,6 +48,7 @@ class GCPCIS(ComplianceOutput):
                            Requirements_Id=requirement.Id,
                            Requirements_Description=requirement.Description,
                            Requirements_Attributes_Section=attribute.Section,
+                            Requirements_Attributes_SubSection=attribute.SubSection,
                            Requirements_Attributes_Profile=attribute.Profile,
                            Requirements_Attributes_AssessmentStatus=attribute.AssessmentStatus,
                            Requirements_Attributes_Description=attribute.Description,
@@ -78,6 +79,7 @@ class GCPCIS(ComplianceOutput):
                        Requirements_Id=requirement.Id,
                        Requirements_Description=requirement.Description,
                        Requirements_Attributes_Section=attribute.Section,
+                        Requirements_Attributes_SubSection=attribute.SubSection,
                        Requirements_Attributes_Profile=attribute.Profile,
                        Requirements_Attributes_AssessmentStatus=attribute.AssessmentStatus,
                        Requirements_Attributes_Description=attribute.Description,
@@ -1,6 +1,6 @@
 from datetime import datetime

-from prowler.lib.check.compliance_models import ComplianceBaseModel
+from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.outputs.compliance.cis.models import KubernetesCISModel
 from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
 from prowler.lib.outputs.finding import Finding
@@ -21,7 +21,7 @@ class KubernetesCIS(ComplianceOutput):
    def transform(
        self,
        findings: list[Finding],
-        compliance: ComplianceBaseModel,
+        compliance: Compliance,
        compliance_name: str,
    ) -> None:
        """
@@ -29,7 +29,7 @@ class KubernetesCIS(ComplianceOutput):

        Parameters:
            - findings (list): A list of findings.
-            - compliance (ComplianceBaseModel): A compliance model.
+            - compliance (Compliance): A compliance model.
            - compliance_name (str): The name of the compliance model.

        Returns:
@@ -50,6 +50,7 @@ class KubernetesCIS(ComplianceOutput):
                            Requirements_Id=requirement.Id,
                            Requirements_Description=requirement.Description,
                            Requirements_Attributes_Section=attribute.Section,
+                            Requirements_Attributes_SubSection=attribute.SubSection,
                            Requirements_Attributes_Profile=attribute.Profile,
                            Requirements_Attributes_AssessmentStatus=attribute.AssessmentStatus,
                            Requirements_Attributes_Description=attribute.Description,
@@ -81,6 +82,7 @@ class KubernetesCIS(ComplianceOutput):
                        Requirements_Id=requirement.Id,
                        Requirements_Description=requirement.Description,
                        Requirements_Attributes_Section=attribute.Section,
+                        Requirements_Attributes_SubSection=attribute.SubSection,
                        Requirements_Attributes_Profile=attribute.Profile,
                        Requirements_Attributes_AssessmentStatus=attribute.AssessmentStatus,
                        Requirements_Attributes_Description=attribute.Description,
@@ -1,3 +1,5 @@
+from typing import Optional
+
 from pydantic import BaseModel


@@ -14,6 +16,7 @@ class AWSCISModel(BaseModel):
    Requirements_Id: str
    Requirements_Description: str
    Requirements_Attributes_Section: str
+    Requirements_Attributes_SubSection: Optional[str]
    Requirements_Attributes_Profile: str
    Requirements_Attributes_AssessmentStatus: str
    Requirements_Attributes_Description: str
@@ -38,12 +41,13 @@ class AzureCISModel(BaseModel):

    Provider: str
    Description: str
-    Subscription: str
+    SubscriptionId: str
    Location: str
    AssessmentDate: str
    Requirements_Id: str
    Requirements_Description: str
    Requirements_Attributes_Section: str
+    Requirements_Attributes_SubSection: Optional[str]
    Requirements_Attributes_Profile: str
    Requirements_Attributes_AssessmentStatus: str
    Requirements_Attributes_Description: str
@@ -75,6 +79,7 @@ class GCPCISModel(BaseModel):
    Requirements_Id: str
    Requirements_Description: str
    Requirements_Attributes_Section: str
+    Requirements_Attributes_SubSection: Optional[str]
    Requirements_Attributes_Profile: str
    Requirements_Attributes_AssessmentStatus: str
    Requirements_Attributes_Description: str
@@ -105,6 +110,7 @@ class KubernetesCISModel(BaseModel):
    Requirements_Id: str
    Requirements_Description: str
    Requirements_Attributes_Section: str
+    Requirements_Attributes_SubSection: Optional[str]
    Requirements_Attributes_Profile: str
    Requirements_Attributes_AssessmentStatus: str
    Requirements_Attributes_Description: str
@@ -7,6 +7,7 @@ from prowler.lib.outputs.compliance.ens.ens import get_ens_table
 from prowler.lib.outputs.compliance.generic.generic_table import (
    get_generic_compliance_table,
 )
+from prowler.lib.outputs.compliance.kisa_ismsp.kisa_ismsp import get_kisa_ismsp_table
 from prowler.lib.outputs.compliance.mitre_attack.mitre_attack import (
    get_mitre_attack_table,
 )
@@ -62,6 +63,15 @@ def display_compliance_table(
                output_directory,
                compliance_overview,
            )
+        elif "kisa_isms_" in compliance_framework:
+            get_kisa_ismsp_table(
+                findings,
+                bulk_checks_metadata,
+                compliance_framework,
+                output_filename,
+                output_directory,
+                compliance_overview,
+            )
        else:
            get_generic_compliance_table(
                findings,
--- a/Show More
+++ b/Show More