diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index b202455fa0..c22bb739e7 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -16,6 +16,7 @@ All notable changes to the **Prowler SDK** are documented in this file. - `compute_instance_group_load_balancer_attached` check for GCP provider [(#9695)](https://github.com/prowler-cloud/prowler/pull/9695) - `compute_instance_single_network_interface` check for GCP provider [(#9702)](https://github.com/prowler-cloud/prowler/pull/9702) - `compute_image_not_publicly_shared` check for GCP provider [(#9718)](https://github.com/prowler-cloud/prowler/pull/9718) +- Improve prowler-compliance skill with complete framework attribute structures and templates [(#9772)](https://github.com/prowler-cloud/prowler/pull/9772) ### Changed - Update AWS Step Functions service metadata to new format [(#9432)](https://github.com/prowler-cloud/prowler/pull/9432) diff --git a/skills/prowler-compliance/SKILL.md b/skills/prowler-compliance/SKILL.md index 8b82617d6e..31088c4f74 100644 --- a/skills/prowler-compliance/SKILL.md +++ b/skills/prowler-compliance/SKILL.md @@ -2,11 +2,11 @@ name: prowler-compliance description: > Creates and manages Prowler compliance frameworks. - Trigger: When working with compliance frameworks (CIS, NIST, PCI-DSS, SOC2, GDPR). + Trigger: When working with compliance frameworks (CIS, NIST, PCI-DSS, SOC2, GDPR, ISO27001, ENS, MITRE ATT&CK). license: Apache-2.0 metadata: author: prowler-cloud - version: "1.0" + version: "1.1" allowed-tools: Read, Edit, Write, Glob, Grep, Bash, WebFetch, WebSearch, Task --- 
@@ -16,98 +16,472 @@ Use this skill when: - Creating a new compliance framework for any provider - Adding requirements to existing frameworks - Mapping checks to compliance controls +- Understanding compliance framework structures and attributes -## Compliance Framework Structure +## Compliance Framework Location -Frameworks are JSON files in: `prowler/compliance/{provider}/{framework}.json` +Frameworks are JSON files located in: `prowler/compliance/{provider}/{framework_name}_{provider}.json` + +**Supported Providers:** +- `aws` - Amazon Web Services +- `azure` - Microsoft Azure +- `gcp` - Google Cloud Platform +- `kubernetes` - Kubernetes +- `github` - GitHub +- `m365` - Microsoft 365 +- `alibabacloud` - Alibaba Cloud +- `oraclecloud` - Oracle Cloud +- `oci` - Oracle Cloud Infrastructure +- `nhn` - NHN Cloud +- `mongodbatlas` - MongoDB Atlas +- `iac` - Infrastructure as Code +- `llm` - Large Language Models + +## Base Framework Structure + +All compliance frameworks share this base structure: ```json { - "Framework": "CIS", - "Name": "CIS Amazon Web Services Foundations Benchmark v2.0.0", - "Version": "2.0", - "Provider": "AWS", - "Description": "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance...", + "Framework": "FRAMEWORK_NAME", + "Name": "Full Framework Name with Version", + "Version": "X.X", + "Provider": "PROVIDER", + "Description": "Framework description...", "Requirements": [ { - "Id": "1.1", - "Name": "Requirement name", - "Description": "Detailed description of the requirement", - "Attributes": [ - { - "Section": "1. 
Identity and Access Management", - "Profile": "Level 1", - "AssessmentStatus": "Automated", - "Description": "Attribute description" - } - ], + "Id": "requirement_id", + "Description": "Requirement description", + "Name": "Optional requirement name", + "Attributes": [...], "Checks": ["check_name_1", "check_name_2"] } ] } ``` -## Supported Frameworks +## Framework-Specific Attribute Structures + +Each framework type has its own attribute model. Below are the exact structures used by Prowler: + +### CIS (Center for Internet Security) + +**Framework ID format:** `cis_{version}_{provider}` (e.g., `cis_5.0_aws`) + +```json +{ + "Id": "1.1", + "Description": "Maintain current contact details", + "Checks": ["account_maintain_current_contact_details"], + "Attributes": [ + { + "Section": "1 Identity and Access Management", + "SubSection": "Optional subsection", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Detailed attribute description", + "RationaleStatement": "Why this control matters", + "ImpactStatement": "Impact of implementing this control", + "RemediationProcedure": "Steps to fix the issue", + "AuditProcedure": "Steps to verify compliance", + "AdditionalInformation": "Extra notes", + "DefaultValue": "Default configuration value", + "References": "https://docs.example.com/reference" + } + ] +} +``` + +**Profile values:** `Level 1`, `Level 2`, `E3 Level 1`, `E3 Level 2`, `E5 Level 1`, `E5 Level 2` +**AssessmentStatus values:** `Automated`, `Manual` + +--- + +### ISO 27001 + +**Framework ID format:** `iso27001_{year}_{provider}` (e.g., `iso27001_2022_aws`) + +```json +{ + "Id": "A.5.1", + "Description": "Policies for information security should be defined...", + "Name": "Policies for information security", + "Checks": ["securityhub_enabled"], + "Attributes": [ + { + "Category": "A.5 Organizational controls", + "Objetive_ID": "A.5.1", + "Objetive_Name": "Policies for information security", + "Check_Summary": "Summary of what is being 
checked" + } + ] +} +``` + +**Note:** `Objetive_ID` and `Objetive_Name` use this exact spelling (not "Objective"). + +--- + +### ENS (Esquema Nacional de Seguridad - Spain) + +**Framework ID format:** `ens_rd2022_{provider}` (e.g., `ens_rd2022_aws`) + +```json +{ + "Id": "op.acc.1.aws.iam.2", + "Description": "Proveedor de identidad centralizado", + "Checks": ["iam_check_saml_providers_sts"], + "Attributes": [ + { + "IdGrupoControl": "op.acc.1", + "Marco": "operacional", + "Categoria": "control de acceso", + "DescripcionControl": "Detailed control description in Spanish", + "Nivel": "alto", + "Tipo": "requisito", + "Dimensiones": ["trazabilidad", "autenticidad"], + "ModoEjecucion": "automatico", + "Dependencias": [] + } + ] +} +``` + +**Nivel values:** `opcional`, `bajo`, `medio`, `alto` +**Tipo values:** `refuerzo`, `requisito`, `recomendacion`, `medida` +**Dimensiones values:** `confidencialidad`, `integridad`, `trazabilidad`, `autenticidad`, `disponibilidad` + +--- + +### MITRE ATT&CK + +**Framework ID format:** `mitre_attack_{provider}` (e.g., `mitre_attack_aws`) + +MITRE uses a different requirement structure: + +```json +{ + "Name": "Exploit Public-Facing Application", + "Id": "T1190", + "Tactics": ["Initial Access"], + "SubTechniques": [], + "Platforms": ["Containers", "IaaS", "Linux", "Network", "Windows", "macOS"], + "Description": "Adversaries may attempt to exploit a weakness...", + "TechniqueURL": "https://attack.mitre.org/techniques/T1190/", + "Checks": ["guardduty_is_enabled", "inspector2_is_enabled"], + "Attributes": [ + { + "AWSService": "Amazon GuardDuty", + "Category": "Detect", + "Value": "Minimal", + "Comment": "Explanation of how this service helps..." 
+ } + ] +} +``` + +**For Azure:** Use `AzureService` instead of `AWSService` +**For GCP:** Use `GCPService` instead of `AWSService` +**Category values:** `Detect`, `Protect`, `Respond` +**Value values:** `Minimal`, `Partial`, `Significant` + +--- + +### NIST 800-53 + +**Framework ID format:** `nist_800_53_revision_{version}_{provider}` (e.g., `nist_800_53_revision_5_aws`) + +```json +{ + "Id": "ac_2_1", + "Name": "AC-2(1) Automated System Account Management", + "Description": "Support the management of system accounts...", + "Checks": ["iam_password_policy_minimum_length_14"], + "Attributes": [ + { + "ItemId": "ac_2_1", + "Section": "Access Control (AC)", + "SubSection": "Account Management (AC-2)", + "SubGroup": "AC-2(3) Disable Accounts", + "Service": "iam" + } + ] +} +``` + +--- + +### Generic Compliance (Fallback) + +For frameworks without specific attribute models: + +```json +{ + "Id": "requirement_id", + "Description": "Requirement description", + "Name": "Optional name", + "Checks": ["check_name"], + "Attributes": [ + { + "ItemId": "item_id", + "Section": "Section name", + "SubSection": "Subsection name", + "SubGroup": "Subgroup name", + "Service": "service_name", + "Type": "type" + } + ] +} +``` + +--- + +### AWS Well-Architected Framework + +**Framework ID format:** `aws_well_architected_framework_{pillar}_pillar_aws` + +```json +{ + "Id": "SEC01-BP01", + "Description": "Establish common guardrails...", + "Name": "Establish common guardrails", + "Checks": ["account_part_of_organizations"], + "Attributes": [ + { + "Name": "Establish common guardrails", + "WellArchitectedQuestionId": "securely-operate", + "WellArchitectedPracticeId": "sec_securely_operate_multi_accounts", + "Section": "Security", + "SubSection": "Security foundations", + "LevelOfRisk": "High", + "AssessmentMethod": "Automated", + "Description": "Detailed description", + "ImplementationGuidanceUrl": "https://docs.aws.amazon.com/..." 
+ } + ] +} +``` + +--- + +### KISA ISMS-P (Korea) -**Industry standards:** -- CIS (Center for Internet Security) -- NIST 800-53, NIST CSF -- CISA +**Framework ID format:** `kisa_isms_p_{year}_{provider}` (e.g., `kisa_isms_p_2023_aws`) -**Regulatory compliance:** -- PCI-DSS -- HIPAA -- GDPR -- FedRAMP -- SOC2 +```json +{ + "Id": "1.1.1", + "Description": "Requirement description", + "Name": "Requirement name", + "Checks": ["check_name"], + "Attributes": [ + { + "Domain": "1. Management System", + "Subdomain": "1.1 Management System Establishment", + "Section": "1.1.1 Section Name", + "AuditChecklist": ["Checklist item 1", "Checklist item 2"], + "RelatedRegulations": ["Regulation 1"], + "AuditEvidence": ["Evidence type 1"], + "NonComplianceCases": ["Non-compliance example"] + } + ] +} +``` -**Cloud-specific:** -- AWS Well-Architected Framework (Security Pillar) -- AWS Foundational Technical Review (FTR) -- Azure Security Benchmark -- GCP Security Best Practices +--- -## Framework Requirement Mapping +### C5 (Germany Cloud Computing Compliance Criteria Catalogue) -Each requirement maps to one or more checks: +**Framework ID format:** `c5_{provider}` (e.g., `c5_aws`) ```json { - "Id": "2.1.1", - "Name": "Ensure MFA is enabled for all IAM users", - "Description": "Multi-Factor Authentication adds an extra layer of protection...", - "Checks": [ - "iam_user_mfa_enabled", - "iam_root_mfa_enabled", - "iam_user_hardware_mfa_enabled" + "Id": "BCM-01", + "Description": "Requirement description", + "Name": "Requirement name", + "Checks": ["check_name"], + "Attributes": [ + { + "Section": "BCM Business Continuity Management", + "SubSection": "BCM-01", + "Type": "Basic Criteria", + "AboutCriteria": "Description of criteria", + "ComplementaryCriteria": "Additional criteria" + } ] } ``` +--- + +### CCC (Cloud Computing Compliance) + +**Framework ID format:** `ccc_{provider}` (e.g., `ccc_aws`) + +```json +{ + "Id": "CCC.C01", + "Description": "Requirement description", + "Name": 
"Requirement name", + "Checks": ["check_name"], + "Attributes": [ + { + "FamilyName": "Cryptography & Key Management", + "FamilyDescription": "Family description", + "Section": "CCC.C01", + "SubSection": "Key Management", + "SubSectionObjective": "Objective description", + "Applicability": ["IaaS", "PaaS", "SaaS"], + "Recommendation": "Recommended action", + "SectionThreatMappings": [{"threat": "T1190"}], + "SectionGuidelineMappings": [{"guideline": "NIST"}] + } + ] +} +``` + +--- + +### Prowler ThreatScore + +**Framework ID format:** `prowler_threatscore_{provider}` (e.g., `prowler_threatscore_aws`) + +Prowler ThreatScore is a custom security scoring framework developed by Prowler that evaluates AWS account security based on **four main pillars**: + +| Pillar | Description | +|--------|-------------| +| **1. IAM** | Identity and Access Management controls (authentication, authorization, credentials) | +| **2. Attack Surface** | Network exposure, public resources, security group rules | +| **3. Logging and Monitoring** | Audit logging, threat detection, forensic readiness | +| **4. Encryption** | Data at rest and in transit encryption | + +**Scoring System:** +- **LevelOfRisk** (1-5): Severity of the security issue + - `5` = Critical (e.g., root MFA, public S3 buckets) + - `4` = High (e.g., user MFA, public EC2) + - `3` = Medium (e.g., password policies, encryption) + - `2` = Low + - `1` = Informational +- **Weight**: Impact multiplier for score calculation + - `1000` = Critical controls (root security, public exposure) + - `100` = High-impact controls (user authentication, monitoring) + - `10` = Standard controls (password policies, encryption) + - `1` = Low-impact controls (best practices) + +```json +{ + "Id": "1.1.1", + "Description": "Ensure MFA is enabled for the 'root' user account", + "Checks": ["iam_root_mfa_enabled"], + "Attributes": [ + { + "Title": "MFA enabled for 'root'", + "Section": "1. 
IAM", + "SubSection": "1.1 Authentication", + "AttributeDescription": "The root user account holds the highest level of privileges within an AWS account. Enabling MFA enhances security by adding an additional layer of protection.", + "AdditionalInformation": "Enabling MFA enhances console security by requiring the authenticating user to both possess a time-sensitive key-generating device and have knowledge of their credentials.", + "LevelOfRisk": 5, + "Weight": 1000 + } + ] +} +``` + +**Available for providers:** AWS, Kubernetes, M365 + +--- + +## Available Compliance Frameworks + +### AWS (41 frameworks) +| Framework | File Name | +|-----------|-----------| +| CIS 1.4, 1.5, 2.0, 3.0, 4.0, 5.0 | `cis_{version}_aws.json` | +| ISO 27001:2013, 2022 | `iso27001_{year}_aws.json` | +| NIST 800-53 Rev 4, 5 | `nist_800_53_revision_{version}_aws.json` | +| NIST 800-171 Rev 2 | `nist_800_171_revision_2_aws.json` | +| NIST CSF 1.1, 2.0 | `nist_csf_{version}_aws.json` | +| PCI DSS 3.2.1, 4.0 | `pci_{version}_aws.json` | +| HIPAA | `hipaa_aws.json` | +| GDPR | `gdpr_aws.json` | +| SOC 2 | `soc2_aws.json` | +| FedRAMP Low/Moderate | `fedramp_{level}_revision_4_aws.json` | +| ENS RD2022 | `ens_rd2022_aws.json` | +| MITRE ATT&CK | `mitre_attack_aws.json` | +| C5 Germany | `c5_aws.json` | +| CISA | `cisa_aws.json` | +| FFIEC | `ffiec_aws.json` | +| RBI Cyber Security | `rbi_cyber_security_framework_aws.json` | +| AWS Well-Architected | `aws_well_architected_framework_{pillar}_pillar_aws.json` | +| AWS FTR | `aws_foundational_technical_review_aws.json` | +| GxP 21 CFR Part 11, EU Annex 11 | `gxp_{standard}_aws.json` | +| KISA ISMS-P 2023 | `kisa_isms_p_2023_aws.json` | +| NIS2 | `nis2_aws.json` | + +### Azure (15+ frameworks) +| Framework | File Name | +|-----------|-----------| +| CIS 2.0, 2.1, 3.0, 4.0 | `cis_{version}_azure.json` | +| ISO 27001:2022 | `iso27001_2022_azure.json` | +| ENS RD2022 | `ens_rd2022_azure.json` | +| MITRE ATT&CK | `mitre_attack_azure.json` | +| PCI DSS 
4.0 | `pci_4.0_azure.json` | +| NIST CSF 2.0 | `nist_csf_2.0_azure.json` | + +### GCP (15+ frameworks) +| Framework | File Name | +|-----------|-----------| +| CIS 2.0, 3.0, 4.0 | `cis_{version}_gcp.json` | +| ISO 27001:2022 | `iso27001_2022_gcp.json` | +| HIPAA | `hipaa_gcp.json` | +| MITRE ATT&CK | `mitre_attack_gcp.json` | +| PCI DSS 4.0 | `pci_4.0_gcp.json` | +| NIST CSF 2.0 | `nist_csf_2.0_gcp.json` | + +### Kubernetes (6 frameworks) +| Framework | File Name | +|-----------|-----------| +| CIS 1.8, 1.10, 1.11 | `cis_{version}_kubernetes.json` | +| ISO 27001:2022 | `iso27001_2022_kubernetes.json` | +| PCI DSS 4.0 | `pci_4.0_kubernetes.json` | + +### Other Providers +- **GitHub:** `cis_1.0_github.json` +- **M365:** `cis_4.0_m365.json`, `iso27001_2022_m365.json` +- **NHN:** `iso27001_2022_nhn.json` + ## Best Practices -1. **Requirement IDs**: Follow the original framework numbering (e.g., "1.1", "2.3.4") -2. **Check Mapping**: Map to existing checks when possible, create new checks only if needed -3. **Completeness**: Include all framework requirements, even if no check exists (document as manual) -4. **Version Control**: Include framework version in the name and file +1. **Requirement IDs**: Follow the original framework numbering exactly (e.g., "1.1", "A.5.1", "T1190", "ac_2_1") +2. **Check Mapping**: Map to existing checks when possible. Use `Checks: []` for manual-only requirements +3. **Completeness**: Include all framework requirements, even those without automated checks +4. **Version Control**: Include framework version in `Name` and `Version` fields +5. **File Naming**: Use format `{framework}_{version}_{provider}.json` +6. 
**Validation**: Prowler validates JSON against Pydantic models at startup - invalid JSON will cause errors ## Commands ```bash # List available frameworks for a provider -poetry run python prowler-cli.py {provider} --list-compliance +prowler {provider} --list-compliance # Run scan with specific compliance framework -poetry run python prowler-cli.py {provider} --compliance {framework} +prowler aws --compliance cis_5.0_aws # Run scan with multiple frameworks -poetry run python prowler-cli.py {provider} --compliance cis_aws_benchmark_v2 pci_dss_3.2.1 +prowler aws --compliance cis_5.0_aws pci_4.0_aws -# Output compliance report -poetry run python prowler-cli.py {provider} --compliance {framework} -M csv json html +# Output compliance report in multiple formats +prowler aws --compliance cis_5.0_aws -M csv json html ``` +## Code References + +- **Compliance Models:** `prowler/lib/check/compliance_models.py` +- **Compliance Processing:** `prowler/lib/check/compliance.py` +- **Compliance Output:** `prowler/lib/outputs/compliance/` + ## Resources -- **Templates**: See [assets/](assets/) for complete CIS framework JSON template -- **Documentation**: See [references/compliance-docs.md](references/compliance-docs.md) for official Prowler Developer Guide links +- **Templates:** See [assets/](assets/) for framework JSON templates +- **Documentation:** See [references/compliance-docs.md](references/compliance-docs.md) for additional resources diff --git a/skills/prowler-compliance/assets/cis_framework.json b/skills/prowler-compliance/assets/cis_framework.json index 817c0ca6aa..c764f07506 100644 --- a/skills/prowler-compliance/assets/cis_framework.json +++ b/skills/prowler-compliance/assets/cis_framework.json 
@@ -3,7 +3,7 @@ "Name": "CIS Amazon Web Services Foundations Benchmark v5.0.0", "Version": "5.0", "Provider": "AWS", - "Description": "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services.", + "Description": "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.", "Requirements": [ { "Id": "1.1", 
@@ -17,13 +17,35 @@ "Profile": "Level 1", "AssessmentStatus": "Manual", "Description": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.", - "RationaleStatement": "If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed.", + "RationaleStatement": "If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior is not corrected then AWS may suspend the account.", "ImpactStatement": "", "RemediationProcedure": "This activity can only be performed via the AWS Console. Navigate to Account Settings and update contact information.", "AuditProcedure": "This activity can only be performed via the AWS Console. Navigate to Account Settings and verify contact information is current.", "AdditionalInformation": "", - "References": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html", - "DefaultValue": "" + "DefaultValue": "", + "References": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html" + } + ] + }, + { + "Id": "1.2", + "Description": "Ensure security contact information is registered", + "Checks": [ + "account_security_contact_information_is_registered" + ], + "Attributes": [ + { + "Section": "1 Identity and Access Management", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "AWS provides customers with the option to specify the contact information for the account's security team. 
It is recommended that this information be provided.", + "RationaleStatement": "Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.", + "ImpactStatement": "", + "RemediationProcedure": "Navigate to AWS Console > Account > Alternate Contacts and add security contact information.", + "AuditProcedure": "Run: aws account get-alternate-contact --alternate-contact-type SECURITY", + "AdditionalInformation": "", + "DefaultValue": "By default, no security contact is registered.", + "References": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact-alternate.html" } ] }, 
@@ -38,37 +60,81 @@ "Section": "1 Identity and Access Management", "Profile": "Level 1", "AssessmentStatus": "Automated", - "Description": "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account.", - "RationaleStatement": "Deleting access keys associated with the 'root' user account limits vectors by which the account can be compromised.", + "Description": "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be deleted.", + "RationaleStatement": "Deleting access keys associated with the 'root' user account limits vectors by which the account can be compromised. Additionally, deleting the root access keys encourages the creation and use of role based accounts that are least privileged.", "ImpactStatement": "", "RemediationProcedure": "Navigate to IAM console, select root user, Security credentials tab, and delete any access keys.", "AuditProcedure": "Run: aws iam get-account-summary | grep 'AccountAccessKeysPresent'", "AdditionalInformation": "IAM User account root for us-gov cloud regions is not enabled by default.", - "References": "https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html", - "DefaultValue": "" + "DefaultValue": "By default, no root access keys exist.", + "References": "https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html" } ] }, { - "Id": "1.11", - "Description": "Ensure credentials unused for 45 days or more are disabled", + "Id": "1.4", + "Description": "Ensure MFA is enabled for the 'root' user account", "Checks": [ - "iam_user_accesskey_unused", - "iam_user_console_access_unused" + "iam_root_mfa_enabled" ], "Attributes": [ { "Section": "1 Identity and Access Management", "Profile": "Level 1", "AssessmentStatus": "Automated", - "Description": 
"AWS IAM users can access AWS resources using different types of credentials. It is recommended that all credentials unused for 45 days or more be deactivated or removed.", - "RationaleStatement": "Disabling or removing unnecessary credentials reduces the window of opportunity for compromised accounts.", - "ImpactStatement": "Users with deactivated credentials will lose access until re-enabled.", - "RemediationProcedure": "Use IAM console or CLI to deactivate unused access keys and remove unused passwords.", - "AuditProcedure": "Generate credential report and review password_last_used and access_key_last_used fields.", + "Description": "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.", + "RationaleStatement": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.", + "ImpactStatement": "", + "RemediationProcedure": "Using IAM console, navigate to Dashboard and choose Activate MFA on your root account.", + "AuditProcedure": "Run: aws iam get-account-summary | grep 'AccountMFAEnabled'. 
Ensure the value is 1.", + "AdditionalInformation": "", + "DefaultValue": "MFA is not enabled by default.", + "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa" + } + ] + }, + { + "Id": "1.5", + "Description": "Ensure hardware MFA is enabled for the 'root' user account", + "Checks": [ + "iam_root_hardware_mfa_enabled" + ], + "Attributes": [ + { + "Section": "1 Identity and Access Management", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root user account be protected with a hardware MFA.", + "RationaleStatement": "A hardware MFA has a smaller attack surface than a virtual MFA. 
For example, a hardware MFA does not suffer from the attack surface introduced by the mobile smartphone on which a virtual MFA resides.", + "ImpactStatement": "Using a hardware MFA device instead of a virtual MFA may result in additional hardware costs.", + "RemediationProcedure": "Using IAM console, navigate to Dashboard, select root user, and configure hardware MFA device.", + "AuditProcedure": "Run: aws iam list-virtual-mfa-devices and verify the root account is not using a virtual MFA.", + "AdditionalInformation": "For recommendations on protecting hardware MFA devices, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html", + "DefaultValue": "MFA is not enabled by default.", + "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html" + } + ] + }, + { + "Id": "2.1.1", + "Description": "Ensure S3 Bucket Policy is set to deny HTTP requests", + "Checks": [ + "s3_bucket_secure_transport_policy" + ], + "Attributes": [ + { + "Section": "2 Storage", + "SubSection": "2.1 Simple Storage Service (S3)", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.", + "RationaleStatement": "By default, Amazon S3 allows both HTTP and HTTPS requests. To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. 
Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.", + "ImpactStatement": "Enabling this setting will result in rejection of requests that do not use HTTPS for S3 bucket operations.", + "RemediationProcedure": "Add a bucket policy with condition aws:SecureTransport: false that denies all s3 actions.", + "AuditProcedure": "Review bucket policies for Deny statements with aws:SecureTransport: false condition.", "AdditionalInformation": "", - "References": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html", - "DefaultValue": "" + "DefaultValue": "By default, S3 buckets allow both HTTP and HTTPS requests.", + "References": "https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/" } ] } diff --git a/skills/prowler-compliance/assets/ens_framework.json b/skills/prowler-compliance/assets/ens_framework.json new file mode 100644 index 0000000000..c357c8c78d --- /dev/null +++ b/skills/prowler-compliance/assets/ens_framework.json 
@@ -0,0 +1,128 @@ +{ + "Framework": "ENS", + "Name": "ENS RD 311/2022 - Categoria Alta", + "Version": "RD2022", + "Provider": "AWS", + "Description": "The accreditation scheme of the ENS (Esquema Nacional de Seguridad - National Security Scheme of Spain) has been developed by the Ministry of Finance and Public Administrations and the CCN (National Cryptological Center). This includes the basic principles and minimum requirements necessary for the adequate protection of information.", + "Requirements": [ + { + "Id": "op.acc.1.aws.iam.2", + "Description": "Proveedor de identidad centralizado", + "Attributes": [ + { + "IdGrupoControl": "op.acc.1", + "Marco": "operacional", + "Categoria": "control de acceso", + "DescripcionControl": "Es muy recomendable la utilizacion de un proveedor de identidades que permita administrar las identidades en un lugar centralizado, en vez de utilizar IAM para ello.", + "Nivel": "alto", + "Tipo": "requisito", + "Dimensiones": [ + "trazabilidad", + "autenticidad" + ], + "ModoEjecucion": "automatico", + "Dependencias": [] + } + ], + "Checks": [ + "iam_check_saml_providers_sts" + ] + }, + { + "Id": "op.acc.2.aws.iam.4", + "Description": "Requisitos de acceso", + "Attributes": [ + { + "IdGrupoControl": "op.acc.2", + "Marco": "operacional", + "Categoria": "control de acceso", + "DescripcionControl": "Se debera delegar en cuentas administradoras la administracion de la organizacion, dejando la cuenta maestra sin uso y con las medidas de seguridad pertinentes.", + "Nivel": "alto", + "Tipo": "requisito", + "Dimensiones": [ + "confidencialidad", + "integridad", + "trazabilidad", + "autenticidad" + ], + "ModoEjecucion": "automatico", + "Dependencias": [] + } + ], + "Checks": [ + "iam_avoid_root_usage" + ] + }, + { + "Id": "op.acc.3.r1.aws.iam.1", + "Description": "Segregacion rigurosa", + "Attributes": [ + { + "IdGrupoControl": "op.acc.3.r1", + "Marco": "operacional", + "Categoria": "control de acceso", + "DescripcionControl": "En caso de ser de 
aplicacion, la segregacion debera tener en cuenta la separacion de las funciones de configuracion y mantenimiento y de auditoria de cualquier otra.", + "Nivel": "alto", + "Tipo": "refuerzo", + "Dimensiones": [ + "confidencialidad", + "integridad", + "trazabilidad", + "autenticidad" + ], + "ModoEjecucion": "automatico", + "Dependencias": [] + } + ], + "Checks": [ + "iam_support_role_created" + ] + }, + { + "Id": "op.exp.8.aws.cloudwatch.1", + "Description": "Registro de la actividad", + "Attributes": [ + { + "IdGrupoControl": "op.exp.8", + "Marco": "operacional", + "Categoria": "explotacion", + "DescripcionControl": "Se registraran las actividades de los usuarios en el sistema, de forma que se pueda identificar que acciones ha realizado cada usuario.", + "Nivel": "medio", + "Tipo": "requisito", + "Dimensiones": [ + "trazabilidad" + ], + "ModoEjecucion": "automatico", + "Dependencias": [] + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudwatch_log_group_retention_policy_specific_days_enabled" + ] + }, + { + "Id": "mp.info.3.aws.s3.1", + "Description": "Cifrado de la informacion", + "Attributes": [ + { + "IdGrupoControl": "mp.info.3", + "Marco": "medidas de proteccion", + "Categoria": "proteccion de la informacion", + "DescripcionControl": "La informacion con un nivel de clasificacion CONFIDENCIAL o superior debera ser cifrada.", + "Nivel": "bajo", + "Tipo": "medida", + "Dimensiones": [ + "confidencialidad" + ], + "ModoEjecucion": "automatico", + "Dependencias": [] + } + ], + "Checks": [ + "s3_bucket_default_encryption", + "s3_bucket_kms_encryption" + ] + } + ] +} diff --git a/skills/prowler-compliance/assets/generic_framework.json b/skills/prowler-compliance/assets/generic_framework.json new file mode 100644 index 0000000000..61a75fa445 --- /dev/null +++ b/skills/prowler-compliance/assets/generic_framework.json 
@@ -0,0 +1,103 @@ +{ + "Framework": "CUSTOM-FRAMEWORK", + "Name": "Custom Security Framework Example v1.0", + "Version": "1.0", + "Provider": "AWS", + "Description": "This is a template for creating custom compliance frameworks using the generic attribute model. Use this when creating frameworks that don't match existing attribute types (CIS, ISO, ENS, MITRE, etc.).", + "Requirements": [ + { + "Id": "SEC-001", + "Description": "Ensure all storage resources are encrypted at rest", + "Name": "Storage Encryption", + "Attributes": [ + { + "ItemId": "SEC-001", + "Section": "Data Protection", + "SubSection": "Encryption", + "SubGroup": "Storage", + "Service": "s3", + "Type": "Automated" + } + ], + "Checks": [ + "s3_bucket_default_encryption", + "rds_instance_storage_encrypted", + "ec2_ebs_volume_encryption" + ] + }, + { + "Id": "SEC-002", + "Description": "Ensure all network traffic is encrypted in transit", + "Name": "Network Encryption", + "Attributes": [ + { + "ItemId": "SEC-002", + "Section": "Data Protection", + "SubSection": "Encryption", + "SubGroup": "Network", + "Service": "multiple", + "Type": "Automated" + } + ], + "Checks": [ + "s3_bucket_secure_transport_policy", + "elb_ssl_listeners", + "cloudfront_distributions_https_enabled" + ] + }, + { + "Id": "IAM-001", + "Description": "Ensure MFA is enabled for all privileged accounts", + "Name": "Multi-Factor Authentication", + "Attributes": [ + { + "ItemId": "IAM-001", + "Section": "Identity and Access Management", + "SubSection": "Authentication", + "SubGroup": "MFA", + "Service": "iam", + "Type": "Automated" + } + ], + "Checks": [ + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "LOG-001", + "Description": "Ensure logging is enabled for all critical services", + "Name": "Centralized Logging", + "Attributes": [ + { + "ItemId": "LOG-001", + "Section": "Logging and Monitoring", + "SubSection": "Audit Logs", + "SubGroup": "CloudTrail", + "Service": "cloudtrail", + "Type": 
"Automated" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled" + ] + }, + { + "Id": "MANUAL-001", + "Description": "Ensure security policies are reviewed annually", + "Name": "Policy Review", + "Attributes": [ + { + "ItemId": "MANUAL-001", + "Section": "Governance", + "SubSection": "Policy Management", + "Service": "manual", + "Type": "Manual" + } + ], + "Checks": [] + } + ] +} diff --git a/skills/prowler-compliance/assets/iso27001_framework.json b/skills/prowler-compliance/assets/iso27001_framework.json new file mode 100644 index 0000000000..1459b5836f --- /dev/null +++ b/skills/prowler-compliance/assets/iso27001_framework.json 
@@ -0,0 +1,91 @@ +{ + "Framework": "ISO27001", + "Name": "ISO/IEC 27001 Information Security Management Standard 2022", + "Version": "2022", + "Provider": "AWS", + "Description": "ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. This framework maps AWS security controls to ISO 27001:2022 requirements.", + "Requirements": [ + { + "Id": "A.5.1", + "Description": "Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.", + "Name": "Policies for information security", + "Attributes": [ + { + "Category": "A.5 Organizational controls", + "Objetive_ID": "A.5.1", + "Objetive_Name": "Policies for information security", + "Check_Summary": "Verify that information security policies are defined and implemented through security monitoring services." + } + ], + "Checks": [ + "securityhub_enabled", + "wellarchitected_workload_no_high_or_medium_risks" + ] + }, + { + "Id": "A.5.2", + "Description": "Information security roles and responsibilities should be defined and allocated according to the organisation needs.", + "Name": "Roles and Responsibilities", + "Attributes": [ + { + "Category": "A.5 Organizational controls", + "Objetive_ID": "A.5.2", + "Objetive_Name": "Roles and Responsibilities", + "Check_Summary": "Verify that IAM roles and responsibilities are properly defined." 
+ } + ], + "Checks": [] + }, + { + "Id": "A.5.3", + "Description": "Conflicting duties and conflicting areas of responsibility should be segregated.", + "Name": "Segregation of Duties", + "Attributes": [ + { + "Category": "A.5 Organizational controls", + "Objetive_ID": "A.5.3", + "Objetive_Name": "Segregation of Duties", + "Check_Summary": "Verify that duties are segregated through separate IAM roles." + } + ], + "Checks": [ + "iam_securityaudit_role_created" + ] + }, + { + "Id": "A.8.1", + "Description": "User end point devices should be protected.", + "Name": "User End Point Devices", + "Attributes": [ + { + "Category": "A.8 Technological controls", + "Objetive_ID": "A.8.1", + "Objetive_Name": "User End Point Devices", + "Check_Summary": "Verify that endpoint protection and monitoring are enabled." + } + ], + "Checks": [ + "guardduty_is_enabled", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "A.8.24", + "Description": "Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented.", + "Name": "Use of Cryptography", + "Attributes": [ + { + "Category": "A.8 Technological controls", + "Objetive_ID": "A.8.24", + "Objetive_Name": "Use of Cryptography", + "Check_Summary": "Verify that encryption is enabled for data at rest and in transit." + } + ], + "Checks": [ + "s3_bucket_default_encryption", + "rds_instance_storage_encrypted", + "ec2_ebs_volume_encryption" + ] + } + ] +} diff --git a/skills/prowler-compliance/assets/mitre_attack_framework.json b/skills/prowler-compliance/assets/mitre_attack_framework.json new file mode 100644 index 0000000000..8eefa7d2a9 --- /dev/null +++ b/skills/prowler-compliance/assets/mitre_attack_framework.json 
@@ -0,0 +1,142 @@ +{ + "Framework": "MITRE-ATTACK", + "Name": "MITRE ATT&CK compliance framework", + "Version": "", + "Provider": "AWS", + "Description": "MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.", + "Requirements": [ + { + "Name": "Exploit Public-Facing Application", + "Id": "T1190", + "Tactics": [ + "Initial Access" + ], + "SubTechniques": [], + "Platforms": [ + "Containers", + "IaaS", + "Linux", + "Network", + "Windows", + "macOS" + ], + "Description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1190/", + "Checks": [ + "guardduty_is_enabled", + "inspector2_is_enabled", + "securityhub_enabled", + "elbv2_waf_acl_attached", + "awslambda_function_not_publicly_accessible", + "ec2_instance_public_ip" + ], + "Attributes": [ + { + "AWSService": "Amazon GuardDuty", + "Category": "Detect", + "Value": "Minimal", + "Comment": "GuardDuty can detect when vulnerable publicly facing resources are leveraged to capture data not intended to be viewable." + }, + { + "AWSService": "AWS Web Application Firewall", + "Category": "Protect", + "Value": "Significant", + "Comment": "AWS WAF protects public-facing applications against vulnerabilities including OWASP Top 10 via managed rule sets." + }, + { + "AWSService": "Amazon Inspector", + "Category": "Protect", + "Value": "Partial", + "Comment": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints." 
+ } + ] + }, + { + "Name": "Valid Accounts", + "Id": "T1078", + "Tactics": [ + "Defense Evasion", + "Persistence", + "Privilege Escalation", + "Initial Access" + ], + "SubTechniques": [ + "T1078.001", + "T1078.002", + "T1078.003", + "T1078.004" + ], + "Platforms": [ + "Azure AD", + "Containers", + "Google Workspace", + "IaaS", + "Linux", + "Network", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "Description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1078/", + "Checks": [ + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_accesskey_unused", + "cloudtrail_multi_region_enabled" + ], + "Attributes": [ + { + "AWSService": "AWS IAM", + "Category": "Protect", + "Value": "Significant", + "Comment": "IAM MFA and access key rotation help prevent unauthorized access with valid credentials." + }, + { + "AWSService": "AWS CloudTrail", + "Category": "Detect", + "Value": "Significant", + "Comment": "CloudTrail logs all API calls, enabling detection of unauthorized account usage." + } + ] + }, + { + "Name": "Data from Cloud Storage", + "Id": "T1530", + "Tactics": [ + "Collection" + ], + "SubTechniques": [], + "Platforms": [ + "IaaS", + "SaaS" + ], + "Description": "Adversaries may access data from improperly secured cloud storage. 
Many cloud service providers offer solutions for online data object storage.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1530/", + "Checks": [ + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_bucket_acl_prohibited", + "s3_bucket_default_encryption", + "macie_is_enabled" + ], + "Attributes": [ + { + "AWSService": "Amazon S3", + "Category": "Protect", + "Value": "Significant", + "Comment": "S3 bucket policies and ACLs can prevent public access to sensitive data." + }, + { + "AWSService": "Amazon Macie", + "Category": "Detect", + "Value": "Significant", + "Comment": "Macie can detect and alert on sensitive data exposure in S3 buckets." + } + ] + } + ] +} diff --git a/skills/prowler-compliance/assets/prowler_threatscore_framework.json b/skills/prowler-compliance/assets/prowler_threatscore_framework.json new file mode 100644 index 0000000000..1a9aa4ac6f --- /dev/null +++ b/skills/prowler-compliance/assets/prowler_threatscore_framework.json 
@@ -0,0 +1,189 @@ +{ + "Framework": "ProwlerThreatScore", + "Name": "Prowler ThreatScore Compliance Framework for AWS", + "Version": "1.0", + "Provider": "AWS", + "Description": "Prowler ThreatScore Compliance Framework for AWS ensures that the AWS account is compliant taking into account four main pillars: Identity and Access Management, Attack Surface, Logging and Monitoring, and Encryption. Each check has a LevelOfRisk (1-5) and Weight that contribute to calculating the overall threat score.", + "Requirements": [ + { + "Id": "1.1.1", + "Description": "Ensure MFA is enabled for the 'root' user account", + "Checks": [ + "iam_root_mfa_enabled" + ], + "Attributes": [ + { + "Title": "MFA enabled for 'root'", + "Section": "1. IAM", + "SubSection": "1.1 Authentication", + "AttributeDescription": "The root user account holds the highest level of privileges within an AWS account. Enabling Multi-Factor Authentication (MFA) enhances security by adding an additional layer of protection beyond just a username and password.", + "AdditionalInformation": "Enabling MFA enhances console security by requiring the authenticating user to both possess a time-sensitive key-generating device and have knowledge of their credentials.", + "LevelOfRisk": 5, + "Weight": 1000 + } + ] + }, + { + "Id": "1.1.2", + "Description": "Ensure hardware MFA is enabled for the 'root' user account", + "Checks": [ + "iam_root_hardware_mfa_enabled" + ], + "Attributes": [ + { + "Title": "Hardware MFA enabled for 'root'", + "Section": "1. IAM", + "SubSection": "1.1 Authentication", + "AttributeDescription": "The root user account in AWS has the highest level of privileges. 
A hardware MFA has a smaller attack surface compared to a virtual MFA.", + "AdditionalInformation": "Unlike a virtual MFA, which relies on a mobile device that may be vulnerable to malware, a hardware MFA operates independently, reducing exposure to potential security threats.", + "LevelOfRisk": 5, + "Weight": 1000 + } + ] + }, + { + "Id": "1.1.13", + "Description": "Ensure no root account access key exists", + "Checks": [ + "iam_no_root_access_key" + ], + "Attributes": [ + { + "Title": "No root access key", + "Section": "1. IAM", + "SubSection": "1.1 Authentication", + "AttributeDescription": "The root account in AWS has unrestricted administrative privileges. It is recommended that no access keys be associated with the root account.", + "AdditionalInformation": "Eliminating root access keys reduces the risk of unauthorized access and enforces the use of role-based IAM accounts with least privilege.", + "LevelOfRisk": 5, + "Weight": 1000 + } + ] + }, + { + "Id": "2.1.1", + "Description": "Ensure EC2 instances do not have public IP addresses", + "Checks": [ + "ec2_instance_public_ip" + ], + "Attributes": [ + { + "Title": "EC2 without public IP", + "Section": "2. Attack Surface", + "SubSection": "2.1 Network Exposure", + "AttributeDescription": "EC2 instances with public IP addresses are directly accessible from the internet, increasing the attack surface.", + "AdditionalInformation": "Use private subnets and NAT gateways or VPC endpoints for internet access when needed.", + "LevelOfRisk": 4, + "Weight": 100 + } + ] + }, + { + "Id": "2.2.1", + "Description": "Ensure S3 buckets are not publicly accessible", + "Checks": [ + "s3_bucket_public_access" + ], + "Attributes": [ + { + "Title": "S3 bucket not public", + "Section": "2. 
Attack Surface", + "SubSection": "2.2 Storage Exposure", + "AttributeDescription": "Publicly accessible S3 buckets can lead to data breaches and unauthorized access to sensitive information.", + "AdditionalInformation": "Enable S3 Block Public Access settings at the account and bucket level.", + "LevelOfRisk": 5, + "Weight": 1000 + } + ] + }, + { + "Id": "3.1.1", + "Description": "Ensure CloudTrail is enabled in all regions", + "Checks": [ + "cloudtrail_multi_region_enabled" + ], + "Attributes": [ + { + "Title": "CloudTrail multi-region enabled", + "Section": "3. Logging and Monitoring", + "SubSection": "3.1 Audit Logging", + "AttributeDescription": "CloudTrail provides a record of API calls made in your AWS account. Multi-region trails ensure all activity is captured.", + "AdditionalInformation": "Without comprehensive logging, security incidents may go undetected and forensic analysis becomes impossible.", + "LevelOfRisk": 5, + "Weight": 1000 + } + ] + }, + { + "Id": "3.2.1", + "Description": "Ensure GuardDuty is enabled", + "Checks": [ + "guardduty_is_enabled" + ], + "Attributes": [ + { + "Title": "GuardDuty enabled", + "Section": "3. Logging and Monitoring", + "SubSection": "3.2 Threat Detection", + "AttributeDescription": "Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior.", + "AdditionalInformation": "GuardDuty analyzes CloudTrail, VPC Flow Logs, and DNS logs to identify threats.", + "LevelOfRisk": 4, + "Weight": 100 + } + ] + }, + { + "Id": "4.1.1", + "Description": "Ensure S3 buckets have default encryption enabled", + "Checks": [ + "s3_bucket_default_encryption" + ], + "Attributes": [ + { + "Title": "S3 default encryption", + "Section": "4. 
Encryption", + "SubSection": "4.1 Data at Rest", + "AttributeDescription": "Enabling default encryption on S3 buckets ensures all objects are encrypted when stored.", + "AdditionalInformation": "Use SSE-S3, SSE-KMS, or SSE-C depending on your key management requirements.", + "LevelOfRisk": 3, + "Weight": 10 + } + ] + }, + { + "Id": "4.1.2", + "Description": "Ensure EBS volumes are encrypted", + "Checks": [ + "ec2_ebs_volume_encryption" + ], + "Attributes": [ + { + "Title": "EBS volume encryption", + "Section": "4. Encryption", + "SubSection": "4.1 Data at Rest", + "AttributeDescription": "EBS volume encryption protects data at rest on EC2 instance storage.", + "AdditionalInformation": "Enable default EBS encryption at the account level to ensure all new volumes are encrypted.", + "LevelOfRisk": 3, + "Weight": 10 + } + ] + }, + { + "Id": "4.2.1", + "Description": "Ensure data in transit is encrypted using TLS", + "Checks": [ + "s3_bucket_secure_transport_policy" + ], + "Attributes": [ + { + "Title": "S3 secure transport", + "Section": "4. Encryption", + "SubSection": "4.2 Data in Transit", + "AttributeDescription": "Requiring HTTPS for S3 bucket access ensures data is encrypted during transmission.", + "AdditionalInformation": "Use bucket policies to deny requests that do not use TLS.", + "LevelOfRisk": 3, + "Weight": 10 + } + ] + } + ] +} diff --git a/skills/prowler-compliance/references/compliance-docs.md b/skills/prowler-compliance/references/compliance-docs.md index 6d53252cfe..62d619953f 100644 --- a/skills/prowler-compliance/references/compliance-docs.md +++ b/skills/prowler-compliance/references/compliance-docs.md 
@@ -1,15 +1,137 @@ # Compliance Framework Documentation -## Local Documentation +## Code References -For detailed compliance framework patterns, see: +Key files for understanding and modifying compliance frameworks: -- `docs/developer-guide/security-compliance-framework.mdx` - Complete guide for creating compliance frameworks (CIS, NIST, PCI-DSS, SOC2, GDPR) +| File | Purpose | +|------|---------| +| `prowler/lib/check/compliance_models.py` | Pydantic models defining attribute structures for each framework type | +| `prowler/lib/check/compliance.py` | Core compliance processing logic | +| `prowler/lib/check/utils.py` | Utility functions including `list_compliance_modules()` | +| `prowler/lib/outputs/compliance/` | Framework-specific output generators | +| `prowler/compliance/{provider}/` | JSON compliance framework definitions | -## Contents +## Attribute Model Classes -The documentation covers: -- Framework JSON structure -- Framework metadata (name, version, provider) -- Requirements array with IDs, descriptions, and attributes -- Check mappings for each requirement +Each framework type has a specific Pydantic model in `compliance_models.py`: + +| Framework | Model Class | +|-----------|-------------| +| CIS | `CIS_Requirement_Attribute` | +| ISO 27001 | `ISO27001_2013_Requirement_Attribute` | +| ENS | `ENS_Requirement_Attribute` | +| MITRE ATT&CK | `Mitre_Requirement` (uses different structure) | +| AWS Well-Architected | `AWS_Well_Architected_Requirement_Attribute` | +| KISA ISMS-P | `KISA_ISMSP_Requirement_Attribute` | +| Prowler ThreatScore | `Prowler_ThreatScore_Requirement_Attribute` | +| CCC | `CCC_Requirement_Attribute` | +| C5 Germany | `C5Germany_Requirement_Attribute` | +| Generic/Fallback | `Generic_Compliance_Requirement_Attribute` | + +## How Compliance Frameworks are Loaded + +1. `Compliance.get_bulk(provider)` is called at startup +2. Scans `prowler/compliance/{provider}/` for `.json` files +3. 
Each file is parsed using `load_compliance_framework()` +4. Pydantic validates against `Compliance` model +5. Framework is stored in dictionary with filename (without `.json`) as key + +## How Checks Map to Compliance + +1. After loading, `update_checks_metadata_with_compliance()` is called +2. For each check, it finds all compliance requirements that reference it +3. Compliance info is attached to `CheckMetadata.Compliance` list +4. During output, `get_check_compliance()` retrieves mappings per finding + +## File Naming Convention + +``` +{framework}_{version}_{provider}.json +``` + +Examples: +- `cis_5.0_aws.json` +- `iso27001_2022_azure.json` +- `mitre_attack_gcp.json` +- `ens_rd2022_aws.json` +- `nist_800_53_revision_5_aws.json` + +## Validation + +Prowler validates compliance JSON at startup. Invalid files cause: +- `ValidationError` logged with details +- Application exit with error code + +Common validation errors: +- Missing required fields (`Id`, `Description`, `Checks`, `Attributes`) +- Invalid enum values (e.g., `Profile` must be "Level 1" or "Level 2" for CIS) +- Type mismatches (e.g., `Checks` must be array of strings) + +## Adding a New Framework + +1. Create JSON file in `prowler/compliance/{provider}/` +2. Use appropriate attribute model (see table above) +3. Map existing checks to requirements via `Checks` array +4. Use empty `Checks: []` for manual-only requirements +5. Test with `prowler {provider} --list-compliance` to verify loading +6. 
Run `prowler {provider} --compliance {framework_name}` to test execution + +## Templates + +See `assets/` directory for example templates: +- `cis_framework.json` - CIS Benchmark template +- `iso27001_framework.json` - ISO 27001 template +- `ens_framework.json` - ENS (Spain) template +- `mitre_attack_framework.json` - MITRE ATT&CK template +- `prowler_threatscore_framework.json` - Prowler ThreatScore template +- `generic_framework.json` - Generic/custom framework template + +## Prowler ThreatScore Details + +Prowler ThreatScore is a custom security scoring framework that calculates an overall security posture score based on: + +### Four Pillars +1. **IAM (Identity and Access Management)** + - SubSections: Authentication, Authorization, Credentials Management + +2. **Attack Surface** + - SubSections: Network Exposure, Storage Exposure, Service Exposure + +3. **Logging and Monitoring** + - SubSections: Audit Logging, Threat Detection, Alerting + +4. **Encryption** + - SubSections: Data at Rest, Data in Transit + +### Scoring Algorithm +The ThreatScore uses `LevelOfRisk` and `Weight` to calculate severity: + +| LevelOfRisk | Weight | Example Controls | +|-------------|--------|------------------| +| 5 (Critical) | 1000 | Root MFA, No root access keys, Public S3 buckets | +| 4 (High) | 100 | User MFA, Public EC2, GuardDuty enabled | +| 3 (Medium) | 10 | Password policies, EBS encryption, CloudTrail | +| 2 (Low) | 1-10 | Best practice recommendations | +| 1 (Info) | 1 | Informational controls | + +### ID Numbering Convention +- `1.x.x` - IAM controls +- `2.x.x` - Attack Surface controls +- `3.x.x` - Logging and Monitoring controls +- `4.x.x` - Encryption controls + +## External Resources + +### Official Framework Documentation +- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks) +- [ISO 27001:2022](https://www.iso.org/standard/27001) +- [NIST 800-53](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final) +- [NIST 
CSF](https://www.nist.gov/cyberframework) +- [PCI DSS](https://www.pcisecuritystandards.org/) +- [MITRE ATT&CK](https://attack.mitre.org/) +- [ENS (Spain)](https://www.ccn-cert.cni.es/es/ens.html) + +### Prowler Documentation +- [Prowler Docs - Compliance](https://docs.prowler.com/projects/prowler-open-source/en/latest/) +- [Prowler GitHub](https://github.com/prowler-cloud/prowler)
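Review bot: every `Dependencias` array in `assets/ens_framework.json` is empty, so the template never shows what a populated dependency looks like or what the list is expected to hold; populate one requirement with a representative entry, or state next to the field in the docs that it may stay empty and what it references when it is not. Also worth a sentence: the file is titled `Categoria Alta` yet carries `Nivel` values `medio` (op.exp.8) and `bajo` (mp.info.3); if that is intentional, saying so will stop contributors from "correcting" those values.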
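Review bot: the `MANUAL-001` attribute in `assets/generic_framework.json` omits `SubGroup`, which every other requirement in the file sets; if `Generic_Compliance_Requirement_Attribute` requires the field this template fails validation at load time, and if it is optional the template should say so rather than silently dropping it. Suggest adding a `SubGroup` value (or an empty string, whichever the model accepts) for consistency. Separately, `"Service": "multiple"` on SEC-002 is a placeholder rather than a service name; the docs should note what `Service` is used for so authors know whether free text is acceptable there.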
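Review bot: the attribute keys `Objetive_ID` and `Objetive_Name` in `assets/iso27001_framework.json` are misspelled relative to "Objective"; if that spelling is what `ISO27001_2013_Requirement_Attribute` expects, keep it but note it in compliance-docs.md so nobody "fixes" it and breaks validation, and if it is not, the template will not load. The model table in compliance-docs.md also maps "ISO 27001" to a `_2013_` class while this template declares `"Version": "2022"`; state whether the 2013 model is reused for 2022 files.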
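Review bot: `"Version": ""` in `assets/mitre_attack_framework.json` is an empty string; confirm the `Compliance` model accepts that, and since the file-naming section in compliance-docs.md shows `mitre_attack_gcp.json` with no version segment while the stated convention is `{framework}_{version}_{provider}.json`, document the MITRE exception explicitly. Also, T1078 lists four `SubTechniques` ids but nothing in the docs says whether sub-techniques need their own requirement entries or check mappings; a sentence on that would help.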
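Review bot: requirement ids in `assets/prowler_threatscore_framework.json` run `1.1.1`, `1.1.2`, then `1.1.13` for "no root account access key"; the jump looks like a leftover from another numbering scheme and is at odds with the sequential `1.x.x` convention described in compliance-docs.md. Suggest `1.1.3` unless the gap is intentional, in which case say why.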
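Review bot: the Scoring Algorithm table in `compliance-docs.md` lists CloudTrail as a LevelOfRisk 3 (Medium, Weight 10) example, but the ThreatScore template in the same patch assigns `cloudtrail_multi_region_enabled` (3.1.1) `LevelOfRisk: 5` and `Weight: 1000`; align one with the other. The section is also headed "Scoring Algorithm" but only gives the LevelOfRisk to Weight mapping, not how per-check values are combined into the overall score, and the `2 (Low) | 1-10` row is a range where the other rows are single values; state the formula (or point to the output generator under `prowler/lib/outputs/compliance/` that implements it) and pin the Low weight.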