Files
prowler/tests/lib/check/fixtures/custom_checks_metadata_example.yaml
2025-03-11 16:15:58 +01:00

85 lines
5.6 KiB
YAML

CustomChecksMetadata:
aws:
Checks:
s3_bucket_level_public_access_block:
Severity: high
CheckTitle: S3 Bucket Level Public Access Block
Description: This check ensures that the S3 bucket level public access block is enabled.
Risk: This check is important because it ensures that the S3 bucket level public access block is enabled.
RelatedUrl: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
Remediation:
Code:
CLI: aws s3api put-public-access-block --bucket <bucket-name> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
NativeIaC: https://aws.amazon.com/es/s3/features/block-public-access/
Other: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
Terraform: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block
Recommendation:
Text: Enable the S3 bucket level public access block.
Url: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
s3_bucket_no_mfa_delete:
Severity: high
CheckTitle: S3 Bucket No MFA Delete
Description: This check ensures that the S3 bucket does not allow delete operations without MFA.
Risk: This check is important because it ensures that the S3 bucket does not allow delete operations without MFA.
RelatedUrl: https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
Remediation:
Code:
CLI: aws s3api put-bucket-versioning --bucket <bucket-name> --versioning-configuration Status=Enabled
NativeIaC: https://aws.amazon.com/es/s3/features/versioning/
Other: https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
Terraform: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning
Recommendation:
Text: Enable versioning on the S3 bucket.
Url: https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
azure:
Checks:
storage_infrastructure_encryption_is_enabled:
Severity: medium
CheckTitle: Storage Infrastructure Encryption Is Enabled
Description: This check ensures that storage infrastructure encryption is enabled.
Risk: This check is important because it ensures that storage infrastructure encryption is enabled.
RelatedUrl: https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
Remediation:
Code:
CLI: az storage account update --name <storage-account-name> --resource-group <resource-group-name> --set properties.encryption.services.blob.enabled=true properties.encryption.services.file.enabled=true properties.encryption.services.queue.enabled=true properties.encryption.services.table.enabled=true
NativeIaC: https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts
Other: https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
Terraform: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account
Recommendation:
Text: Enable storage infrastructure encryption.
Url: https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
gcp:
Checks:
compute_instance_public_ip:
Severity: critical
CheckTitle: Compute Instance Public IP
Description: This check ensures that the compute instance does not have a public IP.
Risk: This check is important because it ensures that the compute instance does not have a public IP.
RelatedUrl: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address
Remediation:
Code:
CLI: gcloud compute instances describe INSTANCE_NAME --zone=ZONE
NativeIaC: https://cloud.google.com/compute/docs/reference/rest/v1/instances
Other: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address
Terraform: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance
Recommendation:
Text: Remove the public IP from the compute instance.
Url: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address
kubernetes:
Checks:
apiserver_anonymous_requests:
Severity: low
CheckTitle: APIServer Anonymous Requests
Description: This check ensures that anonymous requests to the APIServer are disabled.
Risk: This check is important because it ensures that anonymous requests to the APIServer are disabled.
RelatedUrl: https://kubernetes.io/docs/reference/access-authn-authz/authentication/
Remediation:
Code:
CLI: --anonymous-auth=false
NativeIaC: https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-anonymous-auth-argument-is-set-to-false-1#kubernetes
Other: https://kubernetes.io/docs/reference/access-authn-authz/authentication/
Terraform: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding
Recommendation:
Text: Disable anonymous requests to the APIServer.
Url: https://kubernetes.io/docs/reference/access-authn-authz/authentication/