Merge branch 'review-metadata-aws-neptune' of https://github.com/prowler-cloud/prowler into review-metadata-aws-neptune

Co-authored-by: HugoPBrito <hugopbrit@gmail.com>

.github/labeler.yml

@@ -119,3 +119,7 @@ compliance:
 review-django-migrations:
   - changed-files:
       - any-glob-to-any-file: "api/src/backend/api/migrations/**"
+
+metadata-review:
+  - changed-files:
+      - any-glob-to-any-file: "**/*.metadata.json"

.github/workflows/pull-request-check-changelog.yml

@@ -13,7 +13,7 @@ jobs:
       contents: read
       pull-requests: write
     env:
-      MONITORED_FOLDERS: "api ui prowler"
+      MONITORED_FOLDERS: "api ui prowler dashboard"
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

dashboard/assets/markdown-styles.css

@@ -0,0 +1,34 @@
+/* Override Tailwind CSS reset for markdown content */
+.markdown-content ul {
+    list-style: disc !important;
+    margin-left: 20px !important;
+    padding-left: 10px !important;
+    margin-bottom: 8px !important;
+}
+
+.markdown-content ol {
+    list-style: decimal !important;
+    margin-left: 20px !important;
+    padding-left: 10px !important;
+    margin-bottom: 8px !important;
+}
+
+.markdown-content li {
+    margin-bottom: 4px !important;
+    display: list-item !important;
+}
+
+.markdown-content p {
+    margin-bottom: 8px !important;
+}
+
+/* Ensure nested lists work properly */
+.markdown-content ul ul {
+    margin-top: 4px !important;
+    margin-bottom: 4px !important;
+}
+
+.markdown-content ol ol {
+    margin-top: 4px !important;
+    margin-bottom: 4px !important;
+}

dashboard/pages/overview.py

@@ -1654,6 +1654,39 @@ def generate_table(data, index, color_mapping_severity, color_mapping_status):
                                     [
                                         html.Div(
                                             [
+                                                # Description as first details item
+                                                html.Div(
+                                                    [
+                                                        html.P(
+                                                            html.Strong(
+                                                                "Description: ",
+                                                                style={
+                                                                    "margin-bottom": "8px"
+                                                                },
+                                                            )
+                                                        ),
+                                                        html.Div(
+                                                            dcc.Markdown(
+                                                                str(
+                                                                    data.get(
+                                                                        "DESCRIPTION",
+                                                                        "",
+                                                                    )
+                                                                ),
+                                                                dangerously_allow_html=True,
+                                                                style={
+                                                                    "margin-left": "0px",
+                                                                    "padding-left": "10px",
+                                                                },
+                                                            ),
+                                                            className="markdown-content",
+                                                            style={
+                                                                "margin-left": "0px",
+                                                                "padding-left": "10px",
+                                                            },
+                                                        ),
+                                                    ],
+                                                ),
                                                 html.Div(
                                                     [
                                                         html.P(
@@ -1793,19 +1826,27 @@ def generate_table(data, index, color_mapping_severity, color_mapping_status):
                                                         html.P(
                                                             html.Strong(
                                                                 "Risk: ",
-                                                                style={
-                                                                    "margin-right": "5px"
-                                                                },
+                                                                style={},
                                                             )
                                                         ),
-                                                        html.P(
-                                                            str(data.get("RISK", "")),
+                                                        html.Div(
+                                                            dcc.Markdown(
+                                                                str(
+                                                                    data.get("RISK", "")
+                                                                ),
+                                                                dangerously_allow_html=True,
+                                                                style={
+                                                                    "margin-left": "0px",
+                                                                    "padding-left": "10px",
+                                                                },
+                                                            ),
+                                                            className="markdown-content",
                                                             style={
-                                                                "margin-left": "5px"
+                                                                "margin-left": "0px",
+                                                                "padding-left": "10px",
                                                             },
                                                         ),
                                                     ],
-                                                    style={"display": "flex"},
                                                 ),
                                                 html.Div(
                                                     [
@@ -1847,23 +1888,32 @@ def generate_table(data, index, color_mapping_severity, color_mapping_status):
                                                             html.Strong(
                                                                 "Recommendation: ",
                                                                 style={
-                                                                    "margin-right": "5px"
+                                                                    "margin-bottom": "8px"
                                                                 },
                                                             )
                                                         ),
-                                                        html.P(
-                                                            str(
-                                                                data.get(
-                                                                    "REMEDIATION_RECOMMENDATION_TEXT",
-                                                                    "",
-                                                                )
+                                                        html.Div(
+                                                            dcc.Markdown(
+                                                                str(
+                                                                    data.get(
+                                                                        "REMEDIATION_RECOMMENDATION_TEXT",
+                                                                        "",
+                                                                    )
+                                                                ),
+                                                                dangerously_allow_html=True,
+                                                                style={
+                                                                    "margin-left": "0px",
+                                                                    "padding-left": "10px",
+                                                                },
                                                             ),
+                                                            className="markdown-content",
                                                             style={
-                                                                "margin-left": "5px"
+                                                                "margin-left": "0px",
+                                                                "padding-left": "10px",
                                                             },
                                                         ),
                                                     ],
-                                                    style={"display": "flex"},
+                                                    style={"margin-bottom": "15px"},
                                                 ),
                                                 html.Div(
                                                     [

docs/basic-usage/prowler-cli.md

@@ -279,4 +279,4 @@ You can filter scans to specific organizations or projects:
 prowler mongodbatlas --atlas-project-id <project_id>
 ```
 
-See more details about MongoDB Atlas Authentication in [Requirements](../getting-started/requirements.md#mongodb-atlas)
+See more details about MongoDB Atlas Authentication in [MongoDB Atlas Authentication](../tutorials/mongodbatlas/authentication.md)

docs/developer-guide/check-metadata-guidelines.md

@@ -0,0 +1,213 @@
+# Check Metadata Guidelines
+
+## Introduction
+
+This guide provides comprehensive guidelines for creating check metadata in Prowler. For basic information on check metadata structure, refer to the [check metadata](./checks.md#metadata-structure-for-prowler-checks) section.
+
+## Check Title Guidelines
+
+### Writing Guidelines
+
+1. **Determine Resource Finding Scope (Singular vs. Plural)**:
+   When determining whether to use singular or plural in the check title, examine the code for certain patterns. If the code contains a loop that generates an individual report for each resource, use the singular form. If the code produces a single report that covers all resources collectively, use the plural form. For organization- or account-wide checks, select the scope that best matches the breadth of the evaluation. Additionally, review the `status_extended` field messages in the code, as they often provide clues about whether the check is scoped to individual resources or to groups of resources.
+   Analyze the detection code to determine if the check reports on individual resources or aggregated resources:
+    - **Singular**: Use when the check creates one report per resource (e.g., "EC2 instance has IMDSv2 enforced", "S3 bucket does not allow public write access").
+    - **Plural**: Use when the check creates one report for all resources together (e.g., "All EC2 instances have IMDSv2 enforced", "S3 buckets do not allow public write access").
+2. **Describe the Compliant (*PASS*) State**:
+   Always write the title to describe the **desired, compliant state** of the resources. The title should reflect what it looks like when the audited resource is following the check's requirements.
+3. **Be Specific and Factual**:
+   Include the exact secure configuration being verified. Avoid vague or generic terms like "properly configured".
+4. **Avoid Redundant or Action Words**:
+   Do not include verbs like "Check", "Verify", "Ensure", or "Monitor". The title is a declarative statement of the secure condition.
+5. **Length Limit**:
+   Keep the title under 150 characters.
+
+### Common Mistakes to Avoid
+
+- Starting with verbs like "Check", "Verify", "Ensure", "Make sure". Always start with the affected resource instead.
+- Being too vague or generic (e.g., "Ensure security groups are properly configured", what does it mean? "properly configured" is not a clear description of the compliant state).
+- Focusing on the non-compliant state instead of the compliant state.
+- Using unclear scope and resource identification.
+
+## Check Type Guidelines (AWS Only)
+
+### AWS Security Hub Type Format
+
+AWS Security Hub uses a three-part type taxonomy:
+
+- **Namespace**: The top-level security domain.
+- **Category**: The security control family or area.
+- **Classifier**: The specific security concern (optional).
+
+A partial path may be defined (e.g., `TTPs` or `TTPs/Defense Evasion` are valid).
+
+### Selection Guidelines
+
+1. **Be Specific**: Use the most specific classifier that accurately describes the check.
+2. **Standard Compliance**: Consider if the check relates to specific compliance standards.
+3. **Multiple Types**: You can specify multiple types if the check addresses multiple concerns.
+
+## Description Guidelines
+
+### Writing Guidelines
+
+1. **Focus on the Finding**: All fields should address how the finding affects the security posture, rather than the control itself.
+2. **Use Natural Language**: Write in simple, clear paragraphs with complete, grammatically correct sentences.
+3. **Use Markdown Formatting**: Enhance readability with:
+   - Use **bold** for emphasis on key security concepts.
+   - Use *italic* for a secondary emphasis. Use it for clarifications, conditions, or optional notes. But don't abuse it.
+   - Use `code` formatting for specific configuration values, or technical details. Don't use it for service names or common technical terms.
+   - Use one or two line breaks (`\n` or `\n\n`) to separate distinct ideas.
+   - Use bullet points (`-`) for listing multiple concepts or actions.
+   - Use numbers for listing steps or sequential actions.
+4. **Be Concise**: Maximum 400 characters (spaces count). Every word should add value.
+5. **Explain What the Finding Means**: Focus on what the security control evaluates and what it means when it passes or fails, but without explicitly stating the pass or fail state.
+6. **Be Technical but Clear**: Use appropriate technical terminology while remaining understandable.
+7. **Avoid Risk Descriptions**: Do not describe potential risks, threats, or consequences.
+8. **CheckTitle and Description can be the same**: If the check is very simple and the title is already clear, you can use the same text for the description.
+
+### Common Mistakes to Avoid
+
+- **Technical Implementation Details**: "The control loops through all instances and calls the describe_instances API...".
+- **Vague Descriptions**: "This control verifies proper configuration of resources". What does it mean? "proper configuration" is not a clear description of the compliant state.
+- **Risk Descriptions**: "This could lead to data breaches" or "This poses a security threat".
+- **Starting with Verbs**: "Check if...", "Verify...", "Ensure...". Always start with the affected resource instead.
+- **References to Pass/Fail States**: Avoid using words like "pass" or "fail".
+
+## Risk Guidelines
+
+### Writing Guidelines
+
+1. **Explain the Cybersecurity Impact**: Focus on how the finding affects confidentiality, integrity, or availability (CIA triad). If the CIA triad does not apply, explain the risk in terms of the organization's business objectives.
+2. **Be Specific About Threats**: Clearly state what could happen if this security control is not in place. What attacks or incidents become possible?
+3. **Focus on Risk Context**: Explain the specific security implications of the finding, not just generic security risks.
+4. **Use Markdown Formatting**: Enhance readability with markdown formatting:
+   - Use **bold** for emphasis on key security concepts.
+   - Use *italic* for a secondary emphasis. Use it for clarifications, conditions, or optional notes. But don't abuse it.
+   - Use `code` formatting for specific configuration values, or technical details. Don't use it for service names or common technical terms.
+   - Use one or two line breaks (`\n` or `\n\n`) to separate distinct ideas.
+   - Use bullet points (`-`) for listing multiple concepts or actions.
+   - Use numbers for listing steps or sequential actions.
+5. **Be Concise**: Maximum 400 characters. Make every word count.
+
+### Common Mistakes to Avoid
+
+- **Generic Risks**: "This could lead to security issues" or "Regulatory compliance violations".
+- **Technical Implementation Focus**: "The API call might fail and return incorrect results...".
+- **Overly Broad Statements**: "This is a serious security risk that could impact everything".
+- **Vague Threats**: "This could be exploited by threat actors" without explaining how.
+
+## Recommendation Guidelines
+
+### Writing Guidelines
+
+1. **Provide Actionable Best Practice Guidance**: Explain what should be done to maintain security posture. Focus on preventive measures and proactive security practices.
+2. **Be Principle-Based**: Reference established security principles (least privilege, defense in depth, zero trust, separation of duties) where applicable.
+3. **Focus on Prevention**: Explain best practices that prevent the security issue from occurring, not just detection or remediation.
+4. **Use Markdown Formatting**: Enhance readability with markdown formatting:
+   - Use **bold** for emphasis on key security concepts.
+   - Use *italic* for a secondary emphasis. Use it for clarifications, conditions, or optional notes. But don't abuse it.
+   - Use `code` formatting for specific configuration values, or technical details. Don't use it for service names or common technical terms.
+   - Use one or two line breaks (`\n` or `\n\n`) to separate distinct ideas.
+   - Use bullet points (`-`) for listing multiple concepts or actions.
+   - Use numbers for listing steps or sequential actions.
+5. **Be Concise**: Maximum 400 characters.
+
+### Common Mistakes to Avoid
+
+- **Specific Remediation Steps**: "1. Go to the console\n2. Click on settings..." - Focus on principles, not click-by-click instructions.
+- **Implementation Details**: "Configure the JSON policy with the following IAM actions..." - Explain what to achieve, not how.
+- **Vague Guidance**: "Follow security best practices..." without explaining what those practices are.
+- **Resource-Specific Recommendations**: "Enable MFA on user john.doe@example.com" - Keep it general.
+- **Missing Context**: Not explaining why the best practice is important for security.
+
+### Good Examples
+
+- *"Avoid exposing sensitive resources directly to the Internet; configure access controls to limit exposure."*
+- *"Apply the principle of least privilege when assigning permissions to users and services."*
+- *"Regularly review and update your security configurations to align with current best practices."*
+
+## Remediation Code Guidelines
+
+### Critical Requirement
+
+The **fundamental principle** is to focus on the **specific change** that converts the finding from non-compliant to compliant.
+
+Also is important to keep all code examples as short as possible, including the essential code to fix the issue. Remove any extra configuration, optional parameters, or nice-to-have settings and add comments to explain the code when possible.
+
+### Common Guidelines for All Code Fields
+
+1. **Be Minimal**: Keep code blocks as short as possible - only include what is absolutely necessary.
+2. **Focus on the Fix**: Remove any extra configuration, optional parameters, or nice-to-have settings.
+3. **Be Accurate**: Ensure all commands and code are syntactically correct.
+4. **Use Markdown Formatting**: Format code properly using code blocks and appropriate syntax highlighting.
+5. **Follow Best Practices**: Use the most secure and recommended approaches for each platform.
+
+### CLI Guidelines
+
+- Only provide a single command that directly changes the finding from fail to pass.
+- The command must be executable as-is and resolve the security issue completely.
+- Use proper command syntax for the provider (AWS CLI, Azure CLI, gcloud, kubectl, etc.).
+- Do not use markdown formatting or code blocks - just the raw command.
+- Do not include multiple commands, comments, or explanations.
+- If the issue cannot be resolved with a single command, leave this field empty.
+
+### Native IaC Guidelines
+
+- **Keep It Minimal**: Only include the specific resource/configuration that fixes the security issue.
+- Format as markdown code blocks with proper syntax highlighting.
+- Include only the required properties to fix the issue.
+- Add comments indicating the critical line(s) that remediate the check.
+- Use `example_resource` as the generic name for all resources and IDs.
+
+### Terraform Guidelines
+
+- **Keep It Minimal**: Only include the specific resource/configuration that fixes the security issue.
+- Provide valid HCL (HashiCorp Configuration Language) code with an example of a compliant configuration.
+- Use the latest Terraform syntax and provider versions.
+- Include only the required arguments to fix the issue - skip optional parameters.
+- Format as markdown code blocks with `hcl` syntax highlighting.
+- Add comments indicating the critical line(s) that remediate the check.
+- Use `example_resource` as the generic name for all resources and IDs.
+- Skip provider requirements unless critical for the fix.
+
+### Other (Manual Steps) Guidelines
+
+- **Keep It Minimal**: Only include the exact steps needed to fix the security issue.
+- Provide step-by-step instructions for manual remediation through web interfaces.
+- Use numbered lists for sequential steps.
+- Be specific about menu locations, button names, and settings.
+- Skip optional configurations or nice-to-have settings.
+- Format using markdown for better readability.
+
+## Categories Guidelines
+
+### Selection Guidelines
+
+1. **Be Specific**: Only select categories that directly relate to what the automated control evaluates.
+2. **Primary Focus**: Consider the primary security concern the automated control addresses.
+3. **Avoid Over-Categorization**: Do not select categories just because they are tangentially related.
+
+### Available Categories
+
+| Category                | Definition                                                                                                                                                                                                                                 |
+|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| encryption              | Ensures data is encrypted in transit and/or at rest, including key management practices                                                                                                   |
+| internet-exposed        | Checks that limit or flag public access to services, APIs, or assets from the Internet                                                                                                              |
+| logging                 | Ensures appropriate logging of events, activities, and system interactions for traceability                                                                                                       |
+| secrets                 | Manages and protects credentials, API keys, tokens, and other sensitive information                                                                                                               |
+| resilience              | Ensures systems can maintain availability and recover from disruptions, failures, or degradation. Includes redundancy, fault-tolerance, auto-scaling, backup, disaster recovery, and failover strategies |
+| threat-detection        | Identifies suspicious activity or behaviors using IDS, malware scanning, or anomaly detection                                                                                                      |
+| trust-boundaries        | Enforces isolation or segmentation between different trust levels (e.g., VPCs, tenants, network zones)                                                                                            |
+| vulnerabilities         | Detects or remediates known software, infrastructure, or config vulnerabilities (e.g., CVEs)                                                                                                      |
+| cluster-security        | Secures Kubernetes cluster components such as API server, etcd, and role-based access                                                                                                             |
+| container-security      | Ensures container images and runtimes follow security best practices                                                                                        |
+| node-security           | Secures nodes running containers or services                                                                                                        |
+| gen-ai                  | Checks related to safe and secure use of generative AI services or models                                                                                                                        |
+| ci-cd                   | Ensures secure configurations in CI/CD pipelines                                                                                                         |
+| identity-access         | Governs user and service identities, including least privilege, MFA, and permission boundaries                                                                                                    |
+| email-security          | Ensures detection and protection against phishing, spam, spoofing, etc.                                                                                                                            |
+| forensics-ready         | Ensures systems are instrumented to support post-incident investigations. Any digital trace or evidence (logs, volume snapshots, memory dumps, network captures, etc.) preserved immutably and accompanied by integrity guarantees, which can be used in a forensic analysis |
+| software-supply-chain   | Detects or prevents tampering, unauthorized packages, or third-party risks in software supply chain                                                                                               |
+| e3                      | M365-specific controls enabled by or dependent on an E3 license (e.g., baseline security policies, conditional access)                                                                            |
+| e5                      | M365-specific controls enabled by or dependent on an E5 license (e.g., advanced threat protection, audit, DLP, and eDiscovery)                                                                    |

docs/developer-guide/checks.md

@@ -40,7 +40,7 @@ Each check in Prowler follows a straightforward structure. Within the newly crea
 
 - `__init__.py` (empty file) – Ensures Python treats the check folder as a package.
 - `<check_name>.py` (code file) – Contains the check logic, following the prescribed format. Please refer to the [prowler's check code structure](./checks.md#prowlers-check-code-structure) for more information.
-- `<check_name>.metadata.json` (metadata file) – Defines the check's metadata for contextual information. Please refer to the [check metadata](./checks.md#) for more information.
+- `<check_name>.metadata.json` (metadata file) – Defines the check's metadata for contextual information. Please refer to the [check metadata](./checks.md#metadata-structure-for-prowler-checks) for more information.
 
 ## Prowler's Check Code Structure
 
@@ -226,68 +226,148 @@ Below is a generic example of a check metadata file. **Do not include comments i
 ```json
 {
   "Provider": "aws",
-  "CheckID": "example_check_id",
-  "CheckTitle": "Example Check Title",
-  "CheckType": ["Infrastructure Security"],
-  "ServiceName": "ec2",
-  "SubServiceName": "ami",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
-  "Severity": "critical",
+  "CheckID": "service_resource_security_setting",
+  "CheckTitle": "Service resource has security setting enabled",
+  "CheckType": [],
+  "ServiceName": "service",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
   "ResourceType": "Other",
-  "Description": "Example description of the check.",
-  "Risk": "Example risk if the check fails.",
-  "RelatedUrl": "https://example.com",
+  "Description": "This check verifies that the service resource has the required **security setting** enabled to protect against potential vulnerabilities.\n\nIt ensures that the resource follows security best practices and maintains proper access controls. The check evaluates whether the security configuration is properly implemented and active.",
+  "Risk": "Without proper security settings, the resource may be vulnerable to:\n\n- **Unauthorized access** - Malicious actors could gain entry\n- **Data breaches** - Sensitive information could be compromised\n- **Security threats** - Various attack vectors could be exploited\n\nThis could result in compliance violations and potential financial or reputational damage.",
+  "RelatedUrl": "",
+  "AdditionalURLs": ["https://example.com/security-documentation", "https://example.com/best-practices"],
   "Remediation": {
     "Code": {
-      "CLI": "example CLI command",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "provider-cli service enable-security-setting --resource-id resource-123",
+      "NativeIaC": "```yaml\nType: Provider::Service::Resource\nProperties:\n  SecuritySetting: enabled\n  ResourceId: resource-123\n```",
+      "Other": "1. Open the provider management console\n2. Navigate to the service section\n3. Select the resource\n4. Enable the security setting\n5. Save the configuration",
+      "Terraform": "```hcl\nresource \"provider_service_resource\" \"example\" {\n  resource_id      = \"resource-123\"\n  security_setting = true\n}\n```"
     },
     "Recommendation": {
-      "Text": "Example recommendation text.",
-      "Url": "https://example.com/remediation"
+      "Text": "Enable security settings on all service resources to ensure proper protection. Regularly review and update security configurations to align with current best practices.",
+      "Url": "https://hub.prowler.com/check/service_resource_security_setting"
     }
   },
-  "Categories": ["example-category"],
+  "Categories": ["internet-exposed", "secrets"],
   "DependsOn": [],
-  "RelatedTo": [],
-  "Notes": ""
+  "RelatedTo": ["service_resource_security_setting", "service_resource_security_setting_2"],
+  "Notes": "This is a generic example check that should be customized for specific provider and service requirements."
 }
 ```
 
 ### Metadata Fields and Their Purpose
 
-- **Provider** — The Prowler provider related to the check. The name **must** be lowercase and match the provider folder name. For supported providers refer to [Prowler Hub](https://hub.prowler.com/check) or directly to [Prowler Code](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers).
-- **CheckID** — The unique identifier for the check inside the provider, this field **must** match the check's folder and python file and json metadata file name. For more information about the naming refer to the [Naming Format for Checks](#naming-format-for-checks) section.
-- **CheckTitle** — A concise, descriptive title for the check.
-- **CheckType** — *For now this field is only standardized for the AWS provider*.
-    - For AWS this field must follow the [AWS Security Hub Types](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-required-attributes.html#Types) format. So the common pattern to follow is `namespace/category/classifier`, refer to the attached documentation for the valid values for this fields.
-- **ServiceName** — The name of the provider service being audited. This field **must** be in lowercase and match with the service folder name. For supported services refer to [Prowler Hub](https://hub.prowler.com/check) or directly to [Prowler Code](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers).
-- **SubServiceName** — The subservice or resource within the service, if applicable. For more information refer to the [Naming Format for Checks](#naming-format-for-checks) section.
-- **ResourceIdTemplate** — A template for the unique resource identifier. For more information refer to the [Resource Identification in Prowler](#resource-identification-in-prowler) section.
-- **Severity** — The severity of the finding if the check fails. Must be one of: `critical`, `high`, `medium`, `low`, or `informational`, this field **must** be in lowercase. To get more information about the severity levels refer to the [Prowler's Check Severity Levels](#prowlers-check-severity-levels) section.
-- **ResourceType** — The type of resource being audited. *For now this field is only standardized for the AWS provider*.
-    - For AWS use the [Security Hub resource types](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-resources.html) or, if not available, the PascalCase version of the [CloudFormation type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) (e.g., `AwsEc2Instance`). Use "Other" if no match exists.
-- **Description** — A short description of what the check does.
-- **Risk** — The risk or impact if the check fails, explaining why the finding matters.
-- **RelatedUrl** — A URL to official documentation or further reading about the check's purpose. If no official documentation is available, use the risk and recommendation text from trusted third-party sources.
-- **Remediation** — Guidance for fixing a failed check, including:
-    - **Code** — Remediation commands or code snippets for CLI, Terraform, native IaC, or other tools like the Web Console.
-    - **Recommendation** — A textual human readable recommendation. Here it is not necessary to include actual steps, but rather a general recommendation about what to do to fix the check.
-- **Categories** — One or more categories for grouping checks in execution (e.g., `internet-exposed`). For the current list of categories, refer to the [Prowler Hub](https://hub.prowler.com/check).
-- **DependsOn** — Currently not used.
-- **RelatedTo** — Currently not used.
-- **Notes** — Any additional information not covered by other fields.
+#### Provider
 
-### Remediation Code Guidelines
+The Prowler provider related to the check. The name **must** be lowercase and match the provider folder name. For supported providers refer to [Prowler Hub](https://hub.prowler.com/check) or directly to [Prowler Code](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers).
 
-When providing remediation steps, reference the following sources:
+#### CheckID
 
-- Official provider documentation.
-- [Prowler Checks Remediation Index](https://docs.prowler.com/checks/checks-index)
-- [TrendMicro Cloud One Conformity](https://www.trendmicro.com/cloudoneconformity)
-- [CloudMatos Remediation Repository](https://github.com/cloudmatos/matos/tree/master/remediations)
+The unique identifier for the check inside the provider. This field **must** match the check's folder, Python file, and JSON metadata file name. For more information about naming, refer to the [Naming Format for Checks](#naming-format-for-checks) section.
+
+#### CheckTitle
+
+The `CheckTitle` field must be plain text, clearly and succinctly define **the best practice being evaluated and which resource(s) each finding applies to**. The title should be specific, concise (no more than 150 characters), and reference the relevant resource(s) involved.
+
+**Always write the `CheckTitle` to describe the *PASS* case**, the desired secure or compliant state of the resource(s). This helps ensure that findings are easy to interpret and that the title always reflects the best practice being met.
+
+For detailed guidelines on writing effective check titles, including how to determine singular vs. plural scope and common mistakes to avoid, see [CheckTitle Guidelines](./check-metadata-guidelines.md#checktitle-guidelines).
+
+#### CheckType
+
+???+ warning
+    This field is only applicable to the AWS provider.
+
+It follows the [AWS Security Hub Types](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-required-attributes.html#Types) format using the pattern `namespace/category/classifier`.
+
+For the complete AWS Security Hub selection guidelines, see [CheckType Guidelines](./check-metadata-guidelines.md#checktype-guidelines-aws-only).
+
+#### ServiceName
+
+The name of the provider service being audited. Must be lowercase and match the service folder name. For supported services refer to [Prowler Hub](https://hub.prowler.com/check) or the [Prowler Code](https://github.com/prowler-cloud/prowler/tree/master/prowler/providers).
+
+#### SubServiceName
+
+This field is in the process of being deprecated and should be **left empty**.
+
+#### ResourceIdTemplate
+
+This field is in the process of being deprecated and should be **left empty**.
+
+#### Severity
+
+Severity level if the check fails. Must be one of: `critical`, `high`, `medium`, `low`, or `informational`, and written in lowercase. See [Prowler's Check Severity Levels](#prowlers-check-severity-levels) for details.
+
+#### ResourceType
+
+The type of resource being audited. This field helps categorize and organize findings by resource type for better analysis and reporting. For each provider:
+
+- **AWS**: Use [Security Hub resource types](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-resources.html) or PascalCase CloudFormation types removing the `::` separator used in CloudFormation templates (e.g., in CloudFormation template the type of an EC2 instance is `AWS::EC2::Instance` but in the check it should be `AwsEc2Instance`). Use `Other` if none apply.
+- **Azure**: Use types from [Azure Resource Graph](https://learn.microsoft.com/en-us/azure/governance/resource-graph/reference/supported-tables-resources), for example: `Microsoft.Storage/storageAccounts`.
+- **Google Cloud**: Use [Cloud Asset Inventory asset types](https://cloud.google.com/asset-inventory/docs/asset-types), for example: `compute.googleapis.com/Instance`.
+- **Kubernetes**: Use types shown under `KIND` from `kubectl api-resources`.
+- **M365 / GitHub**: Leave empty due to lack of standardized types.
+
+#### Description
+
+A concise, natural language explanation that **clearly describes what the finding means**, focusing on clarity and context rather than technical implementation details. Use simple paragraphs with line breaks if needed, but avoid sections, code blocks, or complex formatting. This field is limited to maximum 400 characters.
+
+For detailed writing guidelines and common mistakes to avoid, see [Description Guidelines](./check-metadata-guidelines.md#description-guidelines).
+
+#### Risk
+
+A clear, natural language explanation of **why this finding poses a cybersecurity risk**. Focus on how it may impact confidentiality, integrity, or availability. If those do not apply, describe any relevant operational or financial risks. Use simple paragraphs with line breaks if needed, but avoid sections, code blocks, or complex formatting. Limit your explanation to 400 characters.
+
+For detailed writing guidelines and common mistakes to avoid, see [Risk Guidelines](./check-metadata-guidelines.md#risk-guidelines).
+
+#### RelatedUrl
+
+*Deprecated*. Use `AdditionalURLs` for adding your URLs references.
+
+#### AdditionalURLs
+
+???+ warning
+    URLs must be valid and not repeated.
+
+A list of official documentation URLs for further reading. These should be authoritative sources that provide additional context, best practices, or detailed information about the security control being checked. Prefer official provider documentation, security standards, or well-established security resources. Avoid third-party blogs or unofficial sources unless they are highly reputable and directly relevant.
+
+#### Remediation
+
+Provides both code examples and best practice recommendations for addressing the security issue.
+
+- **Code**: Contains remediation examples in different formats:
+    - **CLI**: Command-line interface commands to make the finding compliant in runtime.
+    - **NativeIaC**: Native Infrastructure as Code templates with an example of a compliant configuration. For now it applies to:
+        - **AWS**: CloudFormation YAML formatted code (do not use JSON format).
+        - **Azure**: Bicep formatted code (do not use ARM templates).
+    - **Terraform**: HashiCorp Configuration Language (HCL) code with an example of a compliant configuration.
+    - **Other**: Manual steps through web interfaces or other tools to make the finding compliant.
+
+    For detailed guidelines on writing remediation code, see [Remediation Code Guidelines](./check-metadata-guidelines.md#remediation-code-guidelines).
+
+- **Recommendation**
+    - **Text**: Generic best practice guidance in natural language using Markdown format (maximum 400 characters). For writing guidelines, see [Recommendation Guidelines](./check-metadata-guidelines.md#recommendation-guidelines).
+    - **Url**: [Prowler Hub URL](https://hub.prowler.com/) of the check. This URL is always composed by `https://hub.prowler.com/check/<check_id>`.
+
+#### Categories
+
+One or more functional groupings used for execution filtering (e.g., `internet-exposed`). You can define new categories just by adding to this field.
+
+For the complete list of available categories, see [Categories Guidelines](./check-metadata-guidelines.md#categories-guidelines).
+
+#### DependsOn
+
+List of check IDs of checks that if are compliant, this check will be a compliant too or it is not going to give any finding.
+
+#### RelatedTo
+
+List of check IDs of checks that are conceptually related, even if they do not share a technical dependency.
+
+#### Notes
+
+Any additional information not covered in the above fields.
 
 ### Python Model Reference
 

docs/developer-guide/outputs.md

@@ -101,6 +101,7 @@ Prowler supports multiple output formats, allowing users to tailor findings pres
                     finding_dict["DESCRIPTION"] = finding.metadata.Description
                     finding_dict["RISK"] = finding.metadata.Risk
                     finding_dict["RELATED_URL"] = finding.metadata.RelatedUrl
+                    finding_dict["ADDITIONAL_URLS"] = unroll_list(finding.metadata.AdditionalURLs)
                     finding_dict["REMEDIATION_RECOMMENDATION_TEXT"] = (
                         finding.metadata.Remediation.Recommendation.Text
                     )

docs/tutorials/aws/authentication.md

@@ -2,7 +2,11 @@
 
 Prowler requires AWS credentials to function properly. Authentication is available through the following methods:
 
+- Static Credentials
+- Assumed Role
+
 ## Required Permissions
+
 To ensure full functionality, attach the following AWS managed policies to the designated user or role:
 
 - `arn:aws:iam::aws:policy/SecurityAudit`
@@ -13,37 +17,114 @@ To ensure full functionality, attach the following AWS managed policies to the d
 For certain checks, additional read-only permissions are required. Attach the following custom policy to your role: [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json)
 
 
-## Configure AWS Credentials
+## Assume Role (Recommended)
 
-Use one of the following methods to authenticate:
+This method grants permanent access and is the recommended setup for production environments.
 
-```console
-aws configure
-```
+=== "CloudFormation"
 
-or
+    1. Download the [Prowler Scan Role Template](https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/permissions/templates/cloudformation/prowler-scan-role.yml)
 
-```console
-export AWS_ACCESS_KEY_ID="ASXXXXXXX"
-export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
-export AWS_SESSION_TOKEN="XXXXXXXXX"
-```
+        ![Prowler Scan Role Template](./img/prowler-scan-role-template.png)
 
-These credentials must be associated with a user or role with the necessary permissions to perform security checks.
+        ![Download Role Template](./img/download-role-template.png)
 
+    2. Open the [AWS Console](https://console.aws.amazon.com), search for **CloudFormation**
 
+        ![CloudFormation Search](./img/cloudformation-nav.png)
 
-## AWS Profiles
+    3. Go to **Stacks** and click "Create stack" > "With new resources (standard)"
 
-Specify a custom AWS profile using the following command:
+        ![Create Stack](./img/create-stack.png)
 
-```console
-prowler aws -p/--profile <profile_name>
-```
+    4. In **Specify Template**, choose "Upload a template file" and select the downloaded file
 
-## Multi-Factor Authentication (MFA)
+        ![Upload a template file](./img/upload-template-file.png)
+        ![Upload file from downloads](./img/upload-template-from-downloads.png)
 
-For IAM entities requiring Multi-Factor Authentication (MFA), use the `--mfa` flag. Prowler prompts for the following values to initiate a new session:
+    5. Click "Next", provide a stack name and the **External ID** shown in the Prowler Cloud setup screen
 
-- **ARN of your MFA device**
-- **TOTP (Time-Based One-Time Password)**
+        ![External ID](./img/prowler-cloud-external-id.png)
+        ![Stack Data](./img/fill-stack-data.png)
+
+        !!! info
+            An **External ID** is required when assuming the *ProwlerScan* role to comply with AWS [confused deputy prevention](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html).
+
+    6. Acknowledge the IAM resource creation warning and proceed
+
+        ![Stack Creation Second Step](./img/stack-creation-second-step.png)
+
+    7. Click "Submit" to deploy the stack
+
+        ![Click on submit](./img/submit-third-page.png)
+
+=== "Terraform"
+
+    To provision the scan role using Terraform:
+
+    1. Run the following commands:
+
+        ```bash
+        terraform init
+        terraform plan
+        terraform apply
+        ```
+
+    2. During `plan` and `apply`, provide the **External ID** when prompted, which is available in the Prowler Cloud or Prowler App UI:
+
+        ![Get External ID](./img/get-external-id-prowler-cloud.png)
+
+    > 💡 Note: Terraform will use the AWS credentials of the default profile.
+
+---
+
+## Credentials
+=== "Long term credentials"
+
+    1. Go to the [AWS Console](https://console.aws.amazon.com), open **CloudShell**
+
+        ![AWS CloudShell](./img/aws-cloudshell.png)
+
+    2. Run:
+
+        ```bash
+        aws iam create-access-key
+        ```
+
+    3. Copy the output containing:
+
+        - `AccessKeyId`
+        - `SecretAccessKey`
+
+        ![CloudShell Output](./img/cloudshell-output.png)
+
+=== "Short term credentials (Recommended)"
+
+    Use the [AWS Access Portal](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtogetcredentials.html) or the CLI:
+
+    1. Retrieve short-term credentials for the IAM identity using this command:
+
+        ```bash
+        aws sts get-session-token --duration-seconds 900
+        ```
+
+        ???+ note
+            Check the aws documentation [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/sts_example_sts_GetSessionToken_section.html)
+
+    2. Copy the output containing:
+
+        - `AccessKeyId`
+        - `SecretAccessKey`
+        - `SessionToken`
+
+        > Sample output:
+            ```json
+            {
+                "Credentials": {
+                    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
+                    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
+                    "SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE",
+                    "Expiration": "2020-05-19T18:06:10+00:00"
+                }
+            }
+            ```

docs/tutorials/aws/getting-started-aws.md

@@ -1,39 +1,31 @@
-# Getting Started with AWS on Prowler Cloud/App
+# Getting Started With AWS on Prowler
+
+## Prowler App
 
 <iframe width="560" height="380" src="https://www.youtube-nocookie.com/embed/RPgIWOCERzY" title="Prowler Cloud Onboarding AWS" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="1"></iframe>
 
-Set up your AWS account to enable security scanning using Prowler Cloud/App.
+> Walkthrough video onboarding an AWS Account using Assumed Role.
 
-## Requirements
-
-To configure your AWS account, you’ll need:
-
-1. Access to Prowler Cloud/App
-2. Properly configured AWS credentials (either static or via an assumed IAM role)
-
----
-
-## Step 1: Get Your AWS Account ID
+### Step 1: Get Your AWS Account ID
 
 1. Log in to the [AWS Console](https://console.aws.amazon.com)
 2. Locate your AWS account ID in the top-right dropdown menu
 
 ![Account ID detail](./img/aws-account-id.png)
 
----
 
-## Step 2: Access Prowler Cloud/App
+### Step 2: Access Prowler Cloud or Prowler App
 
 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](../prowler-app.md)
-2. Go to `Configuration` > `Cloud Providers`
+2. Go to "Configuration" > "Cloud Providers"
 
     ![Cloud Providers Page](../img/cloud-providers-page.png)
 
-3. Click `Add Cloud Provider`
+3. Click "Add Cloud Provider"
 
     ![Add a Cloud Provider](../img/add-cloud-provider.png)
 
-4. Select `Amazon Web Services`
+4. Select "Amazon Web Services"
 
     ![Select AWS Provider](./img/select-aws.png)
 
@@ -41,96 +33,39 @@ To configure your AWS account, you’ll need:
 
     ![Add account ID](./img/add-account-id.png)
 
-6. Choose your preferred authentication method (next step)
+6. Choose the preferred authentication method (next step)
 
     ![Select auth method](./img/select-auth-method.png)
 
----
 
-## Step 3: Set Up AWS Authentication
+### Step 3: Set Up AWS Authentication
 
-Before proceeding, choose your preferred authentication mode:
+Before proceeding, choose the preferred authentication mode:
 
-Credentials
+**Credentials**
 
-* Quick scan as current user ✅
-* No extra setup ✅
-* Credentials time out ❌
+* Quick scan as current user
+* No extra setup
+* Credentials time out
 
-Assumed Role
+**Assumed Role**
+
+* Preferred Setup
+* Permanent Credentials
+* Requires access to create role
 
-* Preferred Setup ✅
-* Permanent Credentials ✅
-* Requires access to create role ❌
 
 ---
 
-### 🔐 Assume Role (Recommended)
-
-![Assume Role Overview](./img/assume-role-overview.png)
+#### Assume Role (Recommended)
 
 This method grants permanent access and is the recommended setup for production environments.
 
-=== "CloudFormation"
+![Assume Role Overview](img/assume-role-overview.png)
 
-    1. Download the [Prowler Scan Role Template](https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/permissions/templates/cloudformation/prowler-scan-role.yml)
+For detailed instructions on how to create the role, see [Authentication > Assume Role](./authentication.md#assume-role-recommended).
 
-        ![Prowler Scan Role Template](./img/prowler-scan-role-template.png)
-
-        ![Download Role Template](./img/download-role-template.png)
-
-    2. Open the [AWS Console](https://console.aws.amazon.com), search for **CloudFormation**
-
-        ![CloudFormation Search](./img/cloudformation-nav.png)
-
-    3. Go to **Stacks** and click `Create stack` > `With new resources (standard)`
-
-        ![Create Stack](./img/create-stack.png)
-
-    4. In **Specify Template**, choose `Upload a template file` and select the downloaded file
-
-        ![Upload a template file](./img/upload-template-file.png)
-        ![Upload file from downloads](./img/upload-template-from-downloads.png)
-
-    5. Click `Next`, provide a stack name and the **External ID** shown in the Prowler Cloud setup screen
-
-        ![External ID](./img/prowler-cloud-external-id.png)
-        ![Stack Data](./img/fill-stack-data.png)
-
-        !!! info
-            An **External ID** is required when assuming the *ProwlerScan* role to comply with AWS [confused deputy prevention](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html).
-
-    6. Acknowledge the IAM resource creation warning and proceed
-
-        ![Stack Creation Second Step](./img/stack-creation-second-step.png)
-
-    7. Click `Submit` to deploy the stack
-
-        ![Click on submit](./img/submit-third-page.png)
-
-=== "Terraform"
-
-    To provision the scan role using Terraform:
-
-    1. Run the following commands:
-
-        ```bash
-        terraform init
-        terraform plan
-        terraform apply
-        ```
-
-    2. During `plan` and `apply`, you will be prompted for the **External ID**, which is available in the Prowler Cloud/App UI:
-
-        ![Get External ID](./img/get-external-id-prowler-cloud.png)
-
-    > 💡 Note: Terraform will use the AWS credentials of your default profile.
-
----
-
-### Finish Setup with Assume Role
-
-8. Once the role is created, go to the **IAM Console**, click on the `ProwlerScan` role to open its details:
+8. Once the role is created, go to the **IAM Console**, click on the "ProwlerScan" role to open its details:
 
     ![ProwlerScan role info](./img/prowler-scan-pre-info.png)
 
@@ -138,80 +73,69 @@ This method grants permanent access and is the recommended setup for production
 
     ![New Role Info](./img/get-role-arn.png)
 
-10. Paste the ARN into the corresponding field in Prowler Cloud/App
+10. Paste the ARN into the corresponding field in Prowler Cloud or Prowler App
 
     ![Input the Role ARN](./img/paste-role-arn-prowler.png)
 
-11. Click `Next`, then `Launch Scan`
+11. Click "Next", then "Launch Scan"
 
     ![Next button in Prowler Cloud](./img/next-button-prowler-cloud.png)
     ![Launch Scan](./img/launch-scan-button-prowler-cloud.png)
 
 ---
 
-### 🔑 Credentials (Static Access Keys)
+#### Credentials (Static Access Keys)
 
-You can also configure your AWS account using static credentials (not recommended for long-term use):
+AWS accounts can also be configured using static credentials (not recommended for long-term use):
 
 ![Connect via credentials](./img/connect-via-credentials.png)
 
-=== "Long term credentials"
+For detailed instructions on how to create the credentials, see [Authentication > Credentials](./authentication.md#credentials).
 
-    1. Go to the [AWS Console](https://console.aws.amazon.com), open **CloudShell**
+1. Complete the form in Prowler Cloud or Prowler App and click "Next"
 
-        ![AWS CloudShell](./img/aws-cloudshell.png)
+    ![Filled credentials page](./img/prowler-cloud-credentials-next.png)
 
-    2. Run:
+2. Click "Launch Scan"
 
-        ```bash
-        aws iam create-access-key
-        ```
+    ![Launch Scan](./img/launch-scan-button-prowler-cloud.png)
 
-    3. Copy the output containing:
+---
 
-        - `AccessKeyId`
-        - `SecretAccessKey`
+## Prowler CLI
 
-        ![CloudShell Output](./img/cloudshell-output.png)
+### Configure AWS Credentials
 
-    > ⚠️ Save these credentials securely and paste them into the Prowler Cloud/App setup screen.
+To authenticate with AWS, use one of the following methods:
 
-=== "Short term credentials (Recommended)"
+```console
+aws configure
+```
 
-    You can use your [AWS Access Portal](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtogetcredentials.html) or the CLI:
+or
 
-    1. Retrieve short-term credentials for the IAM identity using this command:
+```console
+export AWS_ACCESS_KEY_ID="ASXXXXXXX"
+export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
+export AWS_SESSION_TOKEN="XXXXXXXXX"
+```
 
-        ```bash
-        aws sts get-session-token --duration-seconds 900
-        ```
+These credentials must be associated with a user or role with the necessary permissions to perform security checks.
 
-        ???+ note
-            Check the aws documentation [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/sts_example_sts_GetSessionToken_section.html)
+More details on Assume Role settings from the CLI in [Assume Role](./role-assumption.md) page.
 
-    2. Copy the output containing:
 
-        - `AccessKeyId`
-        - `SecretAccessKey`
+### AWS Profiles
 
-        > Sample output:
-            ```json
-            {
-                "Credentials": {
-                    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
-                    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
-                    "SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE",
-                    "Expiration": "2020-05-19T18:06:10+00:00"
-                }
-            }
-            ```
+To use a custom AWS profile, specify it with the following command:
 
-    > ⚠️ Save these credentials securely and paste them into the Prowler Cloud/App setup screen.
+```console
+prowler aws -p/--profile <profile_name>
+```
 
-Complete the form in Prowler Cloud/App and click `Next`
+### Multi-Factor Authentication (MFA)
 
-![Filled credentials page](./img/prowler-cloud-credentials-next.png)
+For IAM entities requiring Multi-Factor Authentication (MFA), use the `--mfa` flag. Prowler prompts for the following values to initiate a new session:
 
-Click `Launch Scan`
-
-![Launch Scan](./img/launch-scan-button-prowler-cloud.png)
+- **ARN of your MFA device**
+- **TOTP (time-based one-time password)**

docs/tutorials/aws/role-assumption.md

@@ -1,4 +1,4 @@
-# AWS Assume Role in Prowler
+# AWS Assume Role in Prowler (CLI)
 
 ## Authentication Overview
 

docs/tutorials/mongodbatlas/authentication.md

@@ -42,4 +42,4 @@ prowler mongodbatlas
       - Note the public key and private key
       - Store credentials securely
 
-For more details about MongoDB Atlas, see the [MongoDB Atlas Tutorial](../tutorials/mongodbatlas/getting-started-mongodbatlas.md).
+For more details about MongoDB Atlas, see the [MongoDB Atlas Tutorial](./getting-started-mongodbatlas.md).

docs/tutorials/prowler-app-jira-integration.md

@@ -0,0 +1,189 @@
+# Jira Integration
+
+Prowler App enables automatic export of security findings to Jira, providing seamless integration with Atlassian's work item tracking and project management platform. This comprehensive guide demonstrates how to configure and manage Jira integrations to streamline security incident management and enhance team collaboration across security workflows.
+
+Integrating Prowler App with Jira provides:
+
+* **Streamlined management:** Convert security findings directly into actionable Jira work items
+* **Enhanced team collaboration:** Leverage existing project management workflows for security remediation
+* **Automated ticket creation:** Reduce manual effort in tracking and assigning security work items
+
+## How It Works
+
+When enabled and configured:
+
+1. Security findings can be manually sent to Jira from the Findings table.
+2. Each finding creates a Jira work item with all the check's metadata, including guidance on how to remediate it.
+
+## Configuration
+
+To configure Jira integration in Prowler App:
+
+1. Navigate to **Integrations** in the Prowler App interface
+2. Locate the **Jira** card and click **Manage**, then select **Add integration**
+
+    ![Integrations tab](./img/jira/integrations-tab.png)
+
+3. Complete the integration settings:
+    * **Jira domain:** Enter the Jira domain (e.g., from `https://your-domain.atlassian.net` -> `your-domain`)
+    * **Email:** Your Jira account email
+    * **API Token:** API token with the following scopes: `read:jira-user`, `read:jira-work`, `write:jira-work`
+        ![Connection settings](./img/jira/connection-settings.png)
+
+!!! note "Generate Jira API Token"
+    To generate a Jira API token, visit: https://id.atlassian.com/manage-profile/security/api-tokens
+
+
+Once configured successfully, the integration is ready to send findings to Jira.
+
+## Sending Findings to Jira
+
+### Manual Export
+
+To manually send individual findings to Jira:
+
+1. Navigate to the **Findings** section in Prowler App
+2. Select one finding you want to export
+3. Click the action button on the table row and select **Send to Jira**
+4. Select the Jira integration and project
+5. Click **Send to Jira**
+
+    ![Send to Jira modal](./img/jira/send-to-jira-modal.png)
+
+## Integration Status
+
+Monitor and manage your Jira integrations through the management interface:
+
+1. Review configured integrations in the integrations dashboard
+2. Each integration displays:
+
+    - **Connection Status:** Connected or Disconnected indicator
+    - **Instance Information:** Jira domain and last checked timestamp
+
+### Actions
+
+Each Jira integration provides management actions through dedicated buttons:
+
+| Button | Purpose | Available Actions | Notes |
+|--------|---------|------------------|-------|
+| **Test** | Verify integration connectivity | • Test Jira API access<br/>• Validate credentials<br/>• Check project permissions<br/>• Verify work item creation capability | Results displayed in notification message |
+| **Credentials** | Update authentication settings | • Change API token<br/>• Update email<br/>• Update Jira domain | Click "Update Credentials" to save changes |
+| **Enable/Disable** | Toggle integration status | • Enable or disable integration<br/>| Status change takes effect immediately |
+| **Delete** | Remove integration permanently | • Permanently delete integration<br/>• Remove all configuration data | ⚠️ **Cannot be undone** - confirm before deleting |
+
+## Troubleshooting
+
+### Connection test fails
+
+- Verify Jira instance domain is correct and accessible
+- Confirm API token or credentials are valid
+- Ensure API access is enabled in Jira settings and the needed scopes are granted
+
+### Check task status (API)
+
+If the Jira issue does not appear in your Jira project, follow these steps to verify the export task status via the API.
+
+!!! note
+    Replace `http://localhost:8080` with the base URL where your Prowler API is accessible (for example, `https://api.yourdomain.com`).
+
+1) Get an access token (replace email and password):
+
+```
+curl --location 'http://localhost:8080/api/v1/tokens' \
+  --header 'Content-Type: application/vnd.api+json' \
+  --header 'Accept: application/vnd.api+json' \
+  --data-raw '{
+    "data": {
+      "type": "tokens",
+      "attributes": {
+        "email": "YOUR_USER_EMAIL",
+        "password": "YOUR_USER_PASSWORD"
+      }
+    }
+  }'
+```
+
+2) List tasks filtered by the Jira task (`integration-jira`) using the access token:
+
+```
+curl --location --globoff 'http://localhost:8080/api/v1/tasks?filter[name]=integration-jira' \
+  --header 'Accept: application/vnd.api+json' \
+  --header 'Authorization: Bearer ACCESS_TOKEN' | jq
+```
+
+!!! note
+    If you don’t have `jq` installed, run the command without `| jq`.
+
+3) Share the output so we can help. A typical result will look like:
+
+```
+{
+  "links": {
+    "first": "https://api.dev.prowler.com/api/v1/tasks?page%5Bnumber%5D=1",
+    "last": "https://api.dev.prowler.com/api/v1/tasks?page%5Bnumber%5D=122",
+    "next": "https://api.dev.prowler.com/api/v1/tasks?page%5Bnumber%5D=2",
+    "prev": null
+  },
+  "data": [
+    {
+      "type": "tasks",
+      "id": "9a79ab21-39ae-4161-9f6e-2844eb0da0fb",
+      "attributes": {
+        "inserted_at": "2025-09-09T08:11:38.643620Z",
+        "completed_at": "2025-09-09T08:11:41.264285Z",
+        "name": "integration-jira",
+        "state": "completed",
+        "result": {
+          "created_count": 0,
+          "failed_count": 1
+        },
+        "task_args": {
+          "integration_id": "a476c2c0-0a00-4720-bfb9-286e9eb5c7bd",
+          "project_key": "PRWLR",
+          "issue_type": "Task",
+          "finding_ids": [
+            "01992d53-3af7-7759-be48-68fc405391e6"
+          ]
+        },
+        "metadata": {}
+      }
+    },
+    {
+      "type": "tasks",
+      "id": "5f525135-9d37-4b01-9ac8-afeaf8793eac",
+      "attributes": {
+        "inserted_at": "2025-09-09T08:07:22.184164Z",
+        "completed_at": "2025-09-09T08:07:24.909185Z",
+        "name": "integration-jira",
+        "state": "completed",
+        "result": {
+          "created_count": 1,
+          "failed_count": 0
+        },
+        "task_args": {
+          "integration_id": "a476c2c0-0a00-4720-bfb9-286e9eb5c7bd",
+          "project_key": "JIRA",
+          "issue_type": "Task",
+          "finding_ids": [
+            "0198f018-8b7b-7154-a509-1a2b1ffba02d"
+          ]
+        },
+        "metadata": {}
+      }
+    }
+  ],
+  "meta": {
+    "pagination": {
+      "page": 1,
+      "pages": 122,
+      "count": 1214
+    },
+    "version": "v1"
+  }
+}
+```
+
+How to read it:
+
+- "created_count": number of Jira issues successfully created.
+- "failed_count": number of Jira issues that could not be created. If `failed_count > 0` or the issue does not appear in Jira, please contact us so we can assist while detailed logs are not available through the UI.

docs/tutorials/prowler-app.md

@@ -1,6 +1,6 @@
 # Prowler App
 
-**Prowler App** is a user-friendly interface for Prowler CLI, providing a visual dashboard to monitor your cloud security posture. This tutorial will guide you through setting up and using Prowler App.
+**Prowler App** is a web application that simplifies running Prowler. This tutorial will guide you through setting up and using it.
 
 ## Accessing Prowler App and API Documentation
 

mkdocs.yml

@@ -70,6 +70,7 @@ nav:
           - Integrations:
             - Amazon S3: tutorials/prowler-app-s3-integration.md
             - AWS Security Hub: tutorials/prowler-app-security-hub-integration.md
+            - Jira: tutorials/prowler-app-jira-integration.md
           - Lighthouse AI: tutorials/prowler-app-lighthouse.md
           - Tutorials:
             - SSO with Entra: tutorials/prowler-app-sso-entra.md
@@ -99,7 +100,7 @@ nav:
         - AWS:
             - Getting Started: tutorials/aws/getting-started-aws.md
             - Authentication: tutorials/aws/authentication.md
-            - Assume Role: tutorials/aws/role-assumption.md
+            - Assume Role (CLI): tutorials/aws/role-assumption.md
             - AWS Organizations: tutorials/aws/organizations.md
             - AWS Regions and Partitions: tutorials/aws/regions-and-partitions.md
             - Tag-based Scan: tutorials/aws/tag-based-scan.md
@@ -161,6 +162,7 @@ nav:
           - Integration Tests: developer-guide/integration-testing.md
         - Debugging: developer-guide/debugging.md
         - Configurable Checks: developer-guide/configurable-checks.md
+        - Check Metadata Writting Guidelines: developer-guide/check-metadata-guidelines.md
   - Security: security.md
   - Contact Us: contact.md
   - Troubleshooting: troubleshooting.md

prowler/CHANGELOG.md

@@ -5,8 +5,9 @@ All notable changes to the **Prowler SDK** are documented in this file.
 ## [v5.13.0] (Prowler UNRELEASED)
 
 ### Added
-
+- Support for markdown metadata fields in Dashboard [(#8667)](https://github.com/prowler-cloud/prowler/pull/8667)
 ### Changed
+- Update AWS Neptune service metadata to new format [(#8494)](https://github.com/prowler-cloud/prowler/pull/8494)
 
 ### Fixed
 

prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.metadata.json

@@ -1,29 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_backup_enabled",
-  "CheckTitle": "Check for Neptune Clusters Backup Retention Period.",
-  "CheckType": [],
+  "CheckTitle": "Neptune cluster has automated backups enabled with retention period equal to or greater than the configured minimum",
+  "CheckType": [
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
+  ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsRdsDbCluster",
-  "Description": "Check if Neptune Clusters have backup enabled.",
-  "Risk": "Ensure that your Amazon Neptune graph database clusters have set a minimum backup retention period of 7 days or greater in order to achieve your organization compliance requirements. The retention period represents the number of days to retain automated snapshots.",
-  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-5",
+  "Description": "Neptune DB cluster automated backup is enabled and retention days are more than the required minimum retention period (default to `7` days).",
+  "Risk": "**Insufficient backup retention** reduces the ability to recover from data corruption, accidental deletion, or ransomware, impacting **availability** and **integrity**.\n\n- Prevents point-in-time recovery to required dates\n- Increases downtime, irreversible data loss, and compliance violations",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-5",
+    "https://trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/sufficient-backup-retention-period.html",
+    "https://support.icompaas.com/support/solutions/articles/62000233327-check-for-neptune-clusters-backup-retention-period",
+    "https://asecure.cloud/a/p_configrule_neptune_cluster_backup_retention_check/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --backup-retention-period 7",
-      "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/sufficient-backup-retention-period.html#",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/sufficient-backup-retention-period.html#",
-      "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/sufficient-backup-retention-period.html#"
+      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --backup-retention-period 7 --apply-immediately",
+      "NativeIaC": "```yaml\nParameters:\n  DBClusterId:\n    Type: String\nResources:\n  NeptuneCluster:\n    Type: AWS::Neptune::DBCluster\n    Properties:\n      DBClusterIdentifier: !Ref DBClusterId\n      BackupRetentionPeriod: 7  # Enable automated backups with 7-day retention minimum\n```",
+      "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n  cluster_identifier      = var.cluster_id\n  backup_retention_period = 7  # Enable automated backups with 7-day retention minimum\n}\n```",
+      "Other": "1. Sign in to the AWS Management Console\n2. Services → Amazon Neptune → Databases\n3. Select the DB cluster and click Modify\n4. In Backup retention period set the value to 7 (or higher)\n5. Choose Apply immediately and click Modify cluster"
     },
     "Recommendation": {
-      "Text": "Enable automated backup for production data. Define a retention period and periodically test backup restoration. A Disaster Recovery process should be in place to govern Data Protection approach.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-5"
+      "Text": "Ensure automated backups are enabled and retention aligns with your **RPO/RTO** and regulatory requirements (at least `7` days).\n\n- Define backup lifecycle and storage retention policies\n- Regularly test restore procedures and monitor backup health\n- Incorporate backups into Disaster Recovery and retention governance",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_backup_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/neptune/neptune_cluster_copy_tags_to_snapshots/neptune_cluster_copy_tags_to_snapshots.metadata.json

@@ -1,33 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_copy_tags_to_snapshots",
-  "CheckTitle": "Check if Neptune DB clusters are configured to copy tags to snapshots.",
+  "CheckTitle": "Neptune DB cluster is configured to copy tags to snapshots.",
   "CheckType": [
     "Software and Configuration Checks/AWS Security Best Practices"
   ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:cluster:db-cluster-identifier",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsRdsDbCluster",
-  "Description": "This check ensures that Neptune DB clusters are configured to copy all tags to snapshots when the snapshots are created.",
-  "Risk": "If tags are not copied to snapshots, the snapshots may lack necessary metadata for identification, governance, and access control, leading to potential mismanagement and security risks.",
-  "RelatedUrl": "https://docs.aws.amazon.com/neptune/latest/userguide/tagging.html#tagging-overview",
+  "Description": "Neptune DB cluster is configured to copy all tags to snapshots when snapshots are created.",
+  "Risk": "**Missing snapshot tags** weakens governance across confidentiality, integrity, and availability.\n\n- **Access control**: Tag-based IAM conditions may not apply to snapshots, enabling unauthorized restore or copy\n- **Operational**: Recovery, retention, and cost tracking can fail due to unidentifiable or orphaned snapshots",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/neptune/latest/userguide/tagging.html#tagging-overview",
+    "https://www.cloudanix.com/docs/aws/audit/rdsmonitoring/rules/neptune_cluster_copy_tags_to_snapshot_enabled",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-8",
+    "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <db-cluster-identifier> --copy-tags-to-snapshot --apply-immediately",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-8",
-      "Terraform": ""
+      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --copy-tags-to-snapshot --apply-immediately",
+      "NativeIaC": "```yaml\nResources:\n  NeptuneCluster:\n    Type: AWS::RDS::DBCluster\n    Properties:\n      DBClusterIdentifier: <DB_CLUSTER_ID>\n      EngineVersion: neptune\n      CopyTagsToSnapshot: true  # Inherit tags for snapshot governance and access control\n```",
+      "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n  cluster_identifier     = \"<DB_CLUSTER_ID>\"\n  copy_tags_to_snapshot  = true  # Inherit tags for snapshot governance and access control\n}\n```",
+      "Other": "1. Sign in to the AWS Management Console and open Amazon Neptune\n2. Click Clusters and select the cluster\n3. Click Modify\n4. In Backup, enable \"Copy tags to snapshots\"\n5. Check \"Apply immediately\"\n6. Click Modify Cluster"
     },
     "Recommendation": {
-      "Text": "Configure your Neptune DB clusters to copy tags to snapshots when the snapshots are created.",
-      "Url": "https://docs.aws.amazon.com/neptune/latest/userguide/tagging.html#tagging-overview"
+      "Text": "Preserve metadata by enabling tag inheritance for snapshots and enforcing a consistent tagging strategy.\n\n- Adopt a standardized tag taxonomy\n- Use tag-based access controls and apply least privilege\n- Automate tagging and policy checks in provisioning to prevent untagged snapshots",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_copy_tags_to_snapshots"
     }
   },
-  "Categories": [
-    "trustboundaries"
-  ],
+  "Categories": [],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/neptune/neptune_cluster_deletion_protection/neptune_cluster_deletion_protection.metadata.json

@@ -1,29 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_deletion_protection",
-  "CheckTitle": "Check if Neptune Clusters storage has deletion protection enabled.",
-  "CheckType": [],
+  "CheckTitle": "Neptune cluster has deletion protection enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Destruction"
+  ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AwsRdsDbCluster",
-  "Description": "Check if Neptune Clusters storage has deletion protection enabled.",
-  "Risk": "Enabling cluster deletion protection offers an additional layer of protection against accidental database deletion or deletion by an unauthorized user. A Neptune DB cluster can't be deleted while deletion protection is enabled. You must first disable deletion protection before a delete request can succeed.",
-  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-4",
+  "ResourceType": "Other",
+  "Description": "Neptune DB cluster has **deletion protection** enabled.",
+  "Risk": "Absence of **deletion protection** weakens **availability** and **integrity**: clusters can be removed by accidental admin actions, rogue automation, or compromised credentials.\n\nCluster deletion causes immediate service outage, potential permanent data loss, and extended recovery time if backups or restores are insufficient.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-4"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_IDENTIFIER> --deletion-protection --apply-immediately",
+      "NativeIaC": "```yaml\nResources:\n  NeptuneCluster:\n    Type: AWS::Neptune::DBCluster\n    Properties:\n      DBClusterIdentifier: <CLUSTER_ID>\n      DeletionProtection: true  # Prevent accidental or malicious cluster deletion\n```",
+      "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n  cluster_identifier  = \"<CLUSTER_ID>\"\n  deletion_protection = true  # Prevent accidental or malicious cluster deletion\n}\n```",
+      "Other": "1. Sign in to the AWS Management Console and open Amazon Neptune\n2. In the navigation pane, choose Databases\n3. Select the DB cluster and choose Modify\n4. Enable Deletion protection\n5. Choose Apply immediately (if shown) and then Modify DB cluster"
     },
     "Recommendation": {
-      "Text": "Enable deletion protection for production Neptune Clusters.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-4"
+      "Text": "Enable **deletion protection** for production Neptune clusters and apply the principles of **least privilege** and **separation of duties** for delete operations.\n\nEnforce change-control approvals, restrict delete permissions to audited roles, and limit automated workflows that can perform destructive actions to prevent accidental or malicious deletions.",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_deletion_protection"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/neptune/neptune_cluster_iam_authentication_enabled/neptune_cluster_iam_authentication_enabled.metadata.json

@@ -1,29 +1,41 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_iam_authentication_enabled",
-  "CheckTitle": "Check if Neptune Clusters have IAM authentication enabled.",
-  "CheckType": [],
+  "CheckTitle": "Neptune cluster has IAM authentication enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "TTPs/Credential Access"
+  ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsRdsDbCluster",
-  "Description": "Check if Neptune Clusters have IAM authentication enabled.",
-  "Risk": "Ensure that IAM Database Authentication feature is enabled for your Amazon Neptune database clusters in order to make use of AWS Identity and Access Management (IAM) service to manage database access.",
-  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-7",
+  "Description": "Neptune DB clusters are evaluated for **IAM database authentication**. \n\nIf this setting is enabled, the cluster supports IAM-based authentication.\nIf disabled, the cluster requires traditional database credentials instead.",
+  "Risk": "**Disabled IAM database authentication** weakens confidentiality and integrity of the database.\n\n- Static or embedded DB credentials can be stolen or reused, enabling unauthorized queries and data exfiltration\n- Attackers may bypass centralized access controls, escalate privileges, and move laterally without IAM-based audit trails",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-7",
+    "https://docs.aws.amazon.com/config/latest/developerguide/neptune-cluster-iam-database-authentication.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/iam-db-authentication.html#",
+    "https://hub.steampipe.io/plugins/turbot/terraform/queries/neptune/neptune_cluster_iam_authentication_enabled"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --enable-iam-database-authentication",
-      "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/iam-db-authentication.html#",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/iam-db-authentication.html#",
-      "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/iam-db-authentication.html#"
+      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --enable-iam-database-authentication --apply-immediately",
+      "NativeIaC": "```yaml\nResources:\n  NeptuneCluster:\n    Type: AWS::Neptune::DBCluster\n    Properties:\n      DBClusterIdentifier: <DB_CLUSTER_ID>\n      IamAuthEnabled: true  # Enable IAM authentication instead of static DB credentials\n```",
+      "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n  cluster_identifier                  = \"<DB_CLUSTER_ID>\"\n  iam_database_authentication_enabled = true  # Enable IAM authentication instead of static DB credentials\n}\n```",
+      "Other": "1. Sign in to the AWS Management Console and open Amazon Neptune > Databases\n2. Select the DB cluster and choose **Actions** > **Modify**\n3. In **Authentication**, enable **IAM DB authentication** and check **Apply immediately**\n4. Click **Continue** then **Modify DB cluster**"
     },
     "Recommendation": {
-      "Text": "Enable IAM authentication for Neptune Clusters.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-7"
+      "Text": "Adopt **IAM database authentication** and centralized identity management to remove static DB credentials and improve auditability.\n\n- Enforce **least privilege** for database roles\n- Use short-lived credentials, centralized rotation and logging\n- Apply defense-in-depth and integrate DB access with IAM for accountability",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_iam_authentication_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "identity-access"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/neptune/neptune_cluster_integration_cloudwatch_logs/neptune_cluster_integration_cloudwatch_logs.metadata.json

@@ -1,32 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_integration_cloudwatch_logs",
-  "CheckTitle": "Check if Neptune Clusters have audit cloudwatch logs enabled.",
+  "CheckTitle": "Neptune cluster has CloudWatch audit logs enabled",
   "CheckType": [
-    "Software and Configuration Checks, AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AwsRdsDbCluster",
-  "Description": "Check if Neptune Clusters have audit cloudwatch logs enabled.",
-  "Risk": "If audit logs are not enabled, it is difficult to determine the root cause of security incidents.",
-  "RelatedUrl": "https://docs.aws.amazon.com/neptune/latest/userguide/auditing.html",
+  "ResourceType": "Other",
+  "Description": "Neptune DB cluster is inspected for CloudWatch export of **audit** events. The finding indicates whether the cluster publishes `audit` logs to CloudWatch; a failed status in the report means the `audit` export is not enabled and audit records are not being forwarded to CloudWatch for centralized logging and review.",
+  "Risk": "Missing **audit logs** reduces **detectability** and **accountability**: \n\n- Investigators cannot reconstruct queries, client origins, or timeline\n- Unauthorized queries, data exfiltration, or privilege misuse may go undetected\n\nThis degrades confidentiality and integrity and slows incident response.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/neptune/latest/userguide/auditing.html",
+    "https://docs.aws.amazon.com/neptune/latest/userguide/cloudwatch-logs.html",
+    "https://cloudanix.com/docs/aws/audit/rdsmonitoring/rules/neptune_cluster_cloudwatch_log_export_enabled_remediation",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-2"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <value> --cloudwatch-logs-export-configuration '{\"EnableLogTypes\":[\"audit\"]}'",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-2",
-      "Terraform": ""
+      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_IDENTIFIER> --cloudwatch-logs-export-configuration '{\"EnableLogTypes\":[\"audit\"]}'",
+      "NativeIaC": "```yaml\nResources:\n  NeptuneCluster:\n    Type: AWS::Neptune::DBCluster\n    Properties:\n      DBClusterIdentifier: \"<DB_CLUSTER_IDENTIFIER>\"\n      EnableCloudwatchLogsExports:\n        - audit  # Export audit logs to CloudWatch for monitoring and forensics\n```",
+      "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n  cluster_identifier               = \"<db_cluster_identifier>\"\n  enabled_cloudwatch_logs_exports = [\"audit\"]  # Export audit logs to CloudWatch for monitoring and forensics\n}\n```",
+      "Other": "1. Sign in to the AWS Management Console and open Amazon Neptune\n2. Go to Databases and select the Neptune DB cluster\n3. Actions > Modify\n4. In Log exports, check \"Audit\"\n5. Continue > Modify DB Cluster"
     },
     "Recommendation": {
-      "Text": "Enable audit logs for Neptune Clusters.",
-      "Url": "https://docs.aws.amazon.com/neptune/latest/userguide/cloudwatch-logs.html"
+      "Text": "Enable and centralize **audit logging** for Neptune by exporting `audit` events to CloudWatch Logs and integrating with monitoring or SIEM.\n\n- Enforce **least privilege** on log access\n- Configure retention, encryption, and alerting for anomalous queries\n\nThis supports proactive detection and forensic readiness.",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_integration_cloudwatch_logs"
     }
   },
   "Categories": [
-    "logging"
+    "logging",
+    "forensics-ready"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/neptune/neptune_cluster_multi_az/neptune_cluster_multi_az.metadata.json

@@ -1,30 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_multi_az",
-  "CheckTitle": "Check if Neptune Clusters have multi-AZ enabled.",
-  "CheckType": [],
+  "CheckTitle": "Neptune cluster has Multi-AZ enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Denial of Service"
+  ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsRdsDbCluster",
-  "Description": "Check if Neptune Clusters have multi-AZ enabled.",
-  "Risk": "Ensure that your Amazon Neptune graph database clusters are using Multi-AZ deployment configurations to enhance High Availability (HA) through automatic failover to read replicas in the event of a failure such as an Availability Zone (AZ) outage, an internal hardware or network outage, a software failure or in case of planned system maintenance.",
-  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-9",
+  "Description": "Amazon Neptune DB clusters are evaluated for `Multi-AZ` deployment by checking whether the cluster has read-replica instances distributed across multiple Availability Zones.\n\nA failing result indicates the cluster is deployed in a single AZ and lacks read-replicas that enable automatic promotion and cross-AZ failover.",
+  "Risk": "**Single-AZ deployment** creates a clear availability single point of failure.\n\n- **Availability**: AZ outage or maintenance can cause prolonged downtime until the primary is rebuilt.\n- **Integrity/Recovery**: Manual recovery increases risk of configuration errors and longer RTOs, impacting operations and compliance.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-9",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/multi-az.html#"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/multi-az.html#",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/multi-az.html#",
-      "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/multi-az.html#"
+      "NativeIaC": "```yaml\nResources:\n NeptuneCluster:\n Type: AWS::Neptune::DBCluster\n Properties:\n DBClusterIdentifier: \"<DB_CLUSTER_IDENTIFIER>\"\n # Deploy across multiple AZs for high availability and failover\n AvailabilityZones:\n - \"<AZ_1>\"\n - \"<AZ_2>\"\n - \"<AZ_3>\"\n```",
+      "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example\" {\n cluster_identifier = \"<db_cluster_identifier>\"\n availability_zones = [\"<AZ_1>\", \"<AZ_2>\", \"<AZ_3>\"]  # Deploy across multiple AZs for high availability\n}\n```",
+      "Other": ""
     },
     "Recommendation": {
-      "Text": "Enable multi-AZ deployment for production Neptune Clusters.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-9"
+      "Text": "Adopt a **high availability** deployment model for production Neptune clusters by placing read-replicas in separate Availability Zones to avoid single points of failure.\n\nRegularly test automated failover and combine HA with robust backup and recovery practices as part of a defense-in-depth strategy.",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_multi_az"
     }
   },
   "Categories": [
-    "redundancy"
+    "resilience"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/neptune/neptune_cluster_public_snapshot/neptune_cluster_public_snapshot.metadata.json

@@ -1,26 +1,34 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_public_snapshot",
-  "CheckTitle": "Check if NeptuneDB manual cluster snapshot is public.",
-  "CheckType": [],
+  "CheckTitle": "NeptuneDB cluster snapshot is not publicly shared",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "Effects/Data Exposure",
+    "TTPs/Initial Access/Unauthorized Access"
+  ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "critical",
   "ResourceType": "AwsRdsDbClusterSnapshot",
-  "Description": "Check if NeptuneDB manual cluster snapshot is public.",
-  "Risk": "If you share an unencrypted manual snapshot as public, the snapshot is available to all AWS accounts. Public snapshots may result in unintended data exposure.",
-  "RelatedUrl": "https://docs.aws.amazon.com/neptune/latest/userguide/security-considerations.html",
+  "Description": "Neptune DB manual cluster snapshot is evaluated to determine if its restore attributes allow access to all AWS accounts *(public)*.\n\nA failed status in the report means the snapshot is publicly shared and can be copied or restored by any AWS account; **PASS** means it is not shared publicly.",
+  "Risk": "**Public snapshots** compromise confidentiality of stored data and metadata.\n\nAttackers or third parties can:\n- Copy or restore snapshots to external accounts.\n- Access sensitive data contained in the snapshot.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-3",
+    "https://docs.aws.amazon.com/config/latest/developerguide/neptune-cluster-snapshot-public-prohibited.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "aws neptune modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier <snapshot_id> --attribute-name restore --values-to-remove all",
       "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-3",
-      "Terraform": ""
+      "Terraform": "",
+      "Other": "1. Sign in to the AWS Management Console and open the Amazon RDS console\n2. In the left navigation, choose Snapshots > DB cluster snapshots\n3. Select the snapshot, choose Actions > Manage snapshot permissions\n4. In the permissions dialog remove the Public/all-accounts permission and click Save"
     },
     "Recommendation": {
-      "Text": "To remove public access from a manual snapshot, follow the AWS documentation on NeptuneDB snapshots.",
-      "Url": "https://docs.aws.amazon.com/neptune/latest/userguide/security-considerations.html"
+      "Text": "Avoid public sharing and apply **least privilege** when granting snapshot access: share only with specific AWS accounts or roles.\n\nUse **encryption**, enforce automated policies and regular audits, and apply **separation of duties** and tagging to control and track snapshot access.",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_public_snapshot"
     }
   },
   "Categories": [

prowler/providers/aws/services/neptune/neptune_cluster_snapshot_encrypted/neptune_cluster_snapshot_encrypted.metadata.json

@@ -1,28 +1,34 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_snapshot_encrypted",
-  "CheckTitle": "Check if Neptune DB cluster snapshots are encrypted at rest.",
+  "CheckTitle": "Neptune DB cluster snapshot is encrypted at rest",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices/Encryption at Rest",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:cluster-snapshot:db-cluster-snapshot-identifier",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsRdsDbClusterSnapshot",
-  "Description": "This check ensures that Neptune DB cluster snapshots are encrypted at rest to protect sensitive data from unauthorized access.",
-  "Risk": "If Neptune DB cluster snapshots are not encrypted, sensitive data might be exposed in case of unauthorized access, leading to potential data breaches and non-compliance with data protection regulations.",
-  "RelatedUrl": "https://docs.aws.amazon.com/neptune/latest/userguide/backup-restore-create-snapshot.html",
+  "Description": "Neptune DB cluster snapshot is encrypted at rest. The evaluation looks at whether each snapshot's encrypted attribute is enabled, confirming that the data is protected while stored.",
+  "Risk": "**Unencrypted Neptune snapshots** undermine data confidentiality. If accessed or shared due to compromised credentials or misconfiguration, attackers can restore or download snapshot contents, enabling **data exfiltration**, and exposure of sensitive records. This weakens overall data protection posture.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-6",
+    "https://docs.aws.amazon.com/neptune/latest/userguide/backup-restore-share-snapshot.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "aws rds copy-db-cluster-snapshot --source-db-cluster-snapshot-identifier <source-snapshot> --target-db-cluster-snapshot-identifier <encrypted-snapshot> --kms-key-id <kms-key-id>",
       "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-6",
-      "Terraform": ""
+      "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"restored\" {\n  cluster_identifier  = \"restored-cluster\"\n  snapshot_identifier = \"<source-snapshot>\"\n  storage_encrypted   = true  # Ensure restored cluster from snapshot is encrypted\n}\n```",
+      "Other": "1. Sign in to the AWS Management Console and open Amazon Neptune\n2. In the left pane choose **Snapshots**\n3. Select the unencrypted snapshot and click **Actions** > **Restore snapshot**\n4. In the Restore page enable **Encryption** and select a KMS key\n5. Click **Restore DB cluster**\n6. After the cluster is restored, create a new snapshot of the restored (encrypted) cluster"
     },
     "Recommendation": {
-      "Text": "Ensure that all Neptune DB cluster snapshots are encrypted at rest by enabling encryption on the cluster before creating snapshots or by copying unencrypted snapshots to encrypted ones.",
-      "Url": "https://docs.aws.amazon.com/neptune/latest/userguide/backup-restore-create-snapshot.html"
+      "Text": "Protect snapshot data by enforcing **encryption at rest** and strong key governance.\n\n- Use **customer-managed keys** with controlled lifecycle and rotation\n- Apply **least privilege** to snapshot access and sharing\n- Prevent creation of unencrypted snapshots via organizational configuration and policy controls",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_snapshot_encrypted"
     }
   },
   "Categories": [

prowler/providers/aws/services/neptune/neptune_cluster_storage_encrypted/neptune_cluster_storage_encrypted.metadata.json

@@ -1,29 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_storage_encrypted",
-  "CheckTitle": "Check if Neptune Clusters storage is encrypted at rest.",
-  "CheckType": [],
+  "CheckTitle": "Neptune cluster storage is encrypted at rest",
+  "CheckType": [
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Sensitive Data Identifications/Security"
+  ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster",
+  "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "AwsRdsDbCluster",
-  "Description": "Check if Neptune Clusters storage is encrypted at rest.",
-  "Risk": "Ensure that the data available on your Amazon Neptune database instances is encrypted in order to meet regulatory requirements and prevent unauthorized users from accessing sensitive information. Encryption provides an additional layer of protection by securing your Neptune databases from unauthorized access to the underlying storage. Neptune is a fast, scalable, highly secure and fully-managed graph database service that makes it easy to build and run applications that work with deeply connected datasets.",
-  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-1",
+  "ResourceType": "Other",
+  "Description": "Neptune DB cluster is evaluated for **encryption at rest**. Indicating the cluster's underlying storage is not encrypted.",
+  "Risk": "**Unencrypted Neptune storage** reduces confidentiality of stored data and metadata and increases attack surface.\n\nPossible impacts:\n- Unauthorized access or data exfiltration from underlying volumes or snapshots\n- Greater blast radius from leaked or shared snapshots",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-1",
+    "https://docs.aws.amazon.com/neptune/latest/userguide/encrypt.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/general_18#cloudformation",
-      "Other": "https://docs.prowler.com/checks/aws/general-policies/general_18/",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/general_18#terraform"
+      "NativeIaC": "```yaml\nResources:\n  EncryptedNeptuneCluster:\n    Type: AWS::Neptune::DBCluster\n    Properties:\n      DBClusterIdentifier: !Sub ${DBClusterIdentifier}\n      StorageEncrypted: true  # Enable encryption at rest for data protection\n```",
+      "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n  cluster_identifier = \"<cluster-id>\"\n  storage_encrypted  = true  # Enable encryption at rest for data protection\n}\n```",
+      "Other": ""
     },
     "Recommendation": {
-      "Text": "Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-1"
+      "Text": "Provision all new Neptune DB clusters with **encryption at rest** and prefer **Customer-Managed Keys (CMK)** for key ownership and auditability.\n\nEnforce **least privilege** on KMS keys, implement key lifecycle practices (rotation, revocation) and ensure backups/snapshots remain encrypted to prevent exposure.",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_storage_encrypted"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/neptune/neptune_cluster_uses_public_subnet/neptune_cluster_uses_public_subnet.metadata.json

@@ -1,30 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_uses_public_subnet",
-  "CheckTitle": "Ensure Neptune Cluster is not using a public subnet",
-  "CheckType": [],
+  "CheckTitle": "Neptune cluster is not using public subnets",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "TTPs/Initial Access/Unauthorized Access"
+  ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:<region>:<account>:cluster:<resource_name>",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsRdsDbCluster",
-  "Description": "Ensure Neptune Cluster is not using a public subnet",
-  "Risk": "There is a risk of exposing sensitive data if Neptune Cluster uses a public subnet.",
-  "RelatedUrl": "https://docs.aws.amazon.com/neptune/latest/userguide/get-started-vpc.html",
+  "Description": "Neptune cluster is associated with one or more **public subnets**.",
+  "Risk": "A Neptune cluster in a **public subnet** increases exposure across the CIA triad:\n\n- **Confidentiality**: Direct access enables credential attacks and data exfiltration\n- **Integrity**: Attackers may modify or inject graph data\n- **Availability**: Public reachability allows DDoS or remote exploitation, causing downtime",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/neptune/latest/userguide/get-started-vpc.html",
+    "https://docs.aws.amazon.com/neptune/latest/userguide/feature-overview-endpoints.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "NativeIaC": "```yaml\nResources:\n  NeptuneSubnetGroup:\n    Type: AWS::Neptune::DBSubnetGroup\n    Properties:\n      DBSubnetGroupDescription: \"Private subnets for Neptune\"\n      SubnetIds:  # Use only private subnet IDs to prevent public access\n        - <PRIVATE_SUBNET_ID_1>\n        - <PRIVATE_SUBNET_ID_2>\n\n  NeptuneDBCluster:\n    Type: AWS::Neptune::DBCluster\n    Properties:\n      DBSubnetGroupName: !Ref NeptuneSubnetGroup  # Associate cluster with private subnet group\n```",
+      "Terraform": "```hcl\nresource \"aws_neptune_subnet_group\" \"neptune\" {\n  name       = \"neptune-private-subnets\"\n  subnet_ids = [\"<PRIVATE_SUBNET_ID_1>\", \"<PRIVATE_SUBNET_ID_2>\"]  # Use only private subnet IDs to prevent public access\n}\n\nresource \"aws_neptune_cluster\" \"example_cluster\" {\n  neptune_subnet_group_name = aws_neptune_subnet_group.neptune.name  # Associate cluster with private subnet group\n}\n```",
+      "Other": "1. Open the AWS Console and go to Amazon Neptune > Subnet groups\n2. Click Create DB Subnet Group\n3. Enter a name and description, select the VPC, and add only private subnet IDs (at least two)\n4. Click Create\n5. Go to Amazon Neptune > DB clusters > Select the cluster > Actions > Modify\n6. Set DB subnet group to the newly created subnet group and save (Apply immediately if required)\n7. Verify the cluster subnet group now lists only private subnets"
     },
     "Recommendation": {
-      "Text": "To ensure your Neptune cluster is not using a public subnet, follow the recommended remediation steps based on your preferred method.",
-      "Url": "https://docs.aws.amazon.com/neptune/latest/userguide/get-started-vpc.html"
+      "Text": "Place Neptune clusters in **private subnets** and remove public routability to reduce attack surface.\n\n- Apply **least privilege** and network segmentation\n- Restrict inbound access with scoped network controls and minimal trusted paths\n- Enforce logging, monitoring, and private connectivity for administrative and application access",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_uses_public_subnet"
     }
   },
   "Categories": [
-    "internet-exposed"
+    "internet-exposed",
+    "trust-boundaries"
   ],
   "DependsOn": [],
   "RelatedTo": [],

ui/Dockerfile

@@ -57,7 +57,6 @@ WORKDIR /app
 # Set up environment for production
 ENV NODE_ENV=production
 ENV NEXT_TELEMETRY_DISABLED=1
-ENV NEXT_CACHE_DIR=/app/.next/cache
 
 RUN addgroup --system --gid 1001 nodejs &&\
 adduser --system --uid 1001 nextjs
@@ -66,10 +65,6 @@ COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
 COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
 COPY --from=builder --chown=nextjs:nodejs /app/public ./public
 
-# Ensure Next.js cache directory exists and is writable
-RUN mkdir -p /app/.next/cache && \
-    chown -R nextjs:nodejs /app/.next
-
 USER nextjs
 
 EXPOSE 3000