[
  {
    "message": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "metadata": {
      "event_code": "accessanalyzer_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
        "https://aws.amazon.com/iam/access-analyzer/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.e",
          "11.1.1",
          "11.2.1",
          "11.2.2.e"
        ],
        "CIS-6.0": [
          "2.19"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN11.AR01"
        ],
        "CIS-2.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.6"
        ],
        "CIS-4.0.1": [
          "1.20"
        ],
        "CIS-3.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.04B",
          "IAM-06.01AC",
          "IAM-10.01B",
          "IAM-10.02B",
          "INQ-04.01AC",
          "PSS-08.03B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.20"
        ],
        "CIS-5.0": [
          "1.19"
        ],
        "CIS-1.5": [
          "1.20"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Create analyzers in each active regions",
          "Verify that events are present in SecurityHub aggregated view"
        ],
        "NIST-CSF-2.0": [
          "po_3",
          "po_4",
          "ov_2",
          "ov_3",
          "ac_1",
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
      "title": "IAM Access Analyzer is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-accessanalyzer_enabled-211203495394-ap-northeast-1-analyzer/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:accessanalyzer:ap-northeast-1:211203495394:analyzer/unknown",
            "name": "analyzer/unknown",
            "status": "NOT_AVAILABLE",
            "findings": [],
            "tags": [],
            "type": "",
            "region": "ap-northeast-1"
          }
        },
        "group": {
          "name": "accessanalyzer"
        },
        "labels": [],
        "name": "analyzer/unknown",
        "type": "Other",
        "uid": "arn:aws:accessanalyzer:ap-northeast-1:211203495394:analyzer/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-1"
    },
    "remediation": {
      "desc": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
      "references": [
        "https://hub.prowler.com/check/accessanalyzer_enabled"
      ]
    },
    "risk_details": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "metadata": {
      "event_code": "accessanalyzer_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
        "https://aws.amazon.com/iam/access-analyzer/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.e",
          "11.1.1",
          "11.2.1",
          "11.2.2.e"
        ],
        "CIS-6.0": [
          "2.19"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN11.AR01"
        ],
        "CIS-2.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.6"
        ],
        "CIS-4.0.1": [
          "1.20"
        ],
        "CIS-3.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.04B",
          "IAM-06.01AC",
          "IAM-10.01B",
          "IAM-10.02B",
          "INQ-04.01AC",
          "PSS-08.03B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.20"
        ],
        "CIS-5.0": [
          "1.19"
        ],
        "CIS-1.5": [
          "1.20"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Create analyzers in each active regions",
          "Verify that events are present in SecurityHub aggregated view"
        ],
        "NIST-CSF-2.0": [
          "po_3",
          "po_4",
          "ov_2",
          "ov_3",
          "ac_1",
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
      "title": "IAM Access Analyzer is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-accessanalyzer_enabled-211203495394-ap-northeast-2-analyzer/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-2",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:accessanalyzer:ap-northeast-2:211203495394:analyzer/unknown",
            "name": "analyzer/unknown",
            "status": "NOT_AVAILABLE",
            "findings": [],
            "tags": [],
            "type": "",
            "region": "ap-northeast-2"
          }
        },
        "group": {
          "name": "accessanalyzer"
        },
        "labels": [],
        "name": "analyzer/unknown",
        "type": "Other",
        "uid": "arn:aws:accessanalyzer:ap-northeast-2:211203495394:analyzer/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-2"
    },
    "remediation": {
      "desc": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
      "references": [
        "https://hub.prowler.com/check/accessanalyzer_enabled"
      ]
    },
    "risk_details": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "metadata": {
      "event_code": "accessanalyzer_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
        "https://aws.amazon.com/iam/access-analyzer/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.e",
          "11.1.1",
          "11.2.1",
          "11.2.2.e"
        ],
        "CIS-6.0": [
          "2.19"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN11.AR01"
        ],
        "CIS-2.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.6"
        ],
        "CIS-4.0.1": [
          "1.20"
        ],
        "CIS-3.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.04B",
          "IAM-06.01AC",
          "IAM-10.01B",
          "IAM-10.02B",
          "INQ-04.01AC",
          "PSS-08.03B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.20"
        ],
        "CIS-5.0": [
          "1.19"
        ],
        "CIS-1.5": [
          "1.20"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Create analyzers in each active regions",
          "Verify that events are present in SecurityHub aggregated view"
        ],
        "NIST-CSF-2.0": [
          "po_3",
          "po_4",
          "ov_2",
          "ov_3",
          "ac_1",
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
      "title": "IAM Access Analyzer is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-accessanalyzer_enabled-211203495394-ap-northeast-3-analyzer/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-3",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:accessanalyzer:ap-northeast-3:211203495394:analyzer/unknown",
            "name": "analyzer/unknown",
            "status": "NOT_AVAILABLE",
            "findings": [],
            "tags": [],
            "type": "",
            "region": "ap-northeast-3"
          }
        },
        "group": {
          "name": "accessanalyzer"
        },
        "labels": [],
        "name": "analyzer/unknown",
        "type": "Other",
        "uid": "arn:aws:accessanalyzer:ap-northeast-3:211203495394:analyzer/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-3"
    },
    "remediation": {
      "desc": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
      "references": [
        "https://hub.prowler.com/check/accessanalyzer_enabled"
      ]
    },
    "risk_details": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "metadata": {
      "event_code": "accessanalyzer_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
        "https://aws.amazon.com/iam/access-analyzer/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.e",
          "11.1.1",
          "11.2.1",
          "11.2.2.e"
        ],
        "CIS-6.0": [
          "2.19"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN11.AR01"
        ],
        "CIS-2.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.6"
        ],
        "CIS-4.0.1": [
          "1.20"
        ],
        "CIS-3.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.04B",
          "IAM-06.01AC",
          "IAM-10.01B",
          "IAM-10.02B",
          "INQ-04.01AC",
          "PSS-08.03B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.20"
        ],
        "CIS-5.0": [
          "1.19"
        ],
        "CIS-1.5": [
          "1.20"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Create analyzers in each active regions",
          "Verify that events are present in SecurityHub aggregated view"
        ],
        "NIST-CSF-2.0": [
          "po_3",
          "po_4",
          "ov_2",
          "ov_3",
          "ac_1",
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
      "title": "IAM Access Analyzer is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-accessanalyzer_enabled-211203495394-ap-south-1-analyzer/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-south-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:accessanalyzer:ap-south-1:211203495394:analyzer/unknown",
            "name": "analyzer/unknown",
            "status": "NOT_AVAILABLE",
            "findings": [],
            "tags": [],
            "type": "",
            "region": "ap-south-1"
          }
        },
        "group": {
          "name": "accessanalyzer"
        },
        "labels": [],
        "name": "analyzer/unknown",
        "type": "Other",
        "uid": "arn:aws:accessanalyzer:ap-south-1:211203495394:analyzer/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-south-1"
    },
    "remediation": {
      "desc": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
      "references": [
        "https://hub.prowler.com/check/accessanalyzer_enabled"
      ]
    },
    "risk_details": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "metadata": {
      "event_code": "accessanalyzer_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
        "https://aws.amazon.com/iam/access-analyzer/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.e",
          "11.1.1",
          "11.2.1",
          "11.2.2.e"
        ],
        "CIS-6.0": [
          "2.19"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN11.AR01"
        ],
        "CIS-2.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.6"
        ],
        "CIS-4.0.1": [
          "1.20"
        ],
        "CIS-3.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.04B",
          "IAM-06.01AC",
          "IAM-10.01B",
          "IAM-10.02B",
          "INQ-04.01AC",
          "PSS-08.03B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.20"
        ],
        "CIS-5.0": [
          "1.19"
        ],
        "CIS-1.5": [
          "1.20"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Create analyzers in each active regions",
          "Verify that events are present in SecurityHub aggregated view"
        ],
        "NIST-CSF-2.0": [
          "po_3",
          "po_4",
          "ov_2",
          "ov_3",
          "ac_1",
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
      "title": "IAM Access Analyzer is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-accessanalyzer_enabled-211203495394-ap-southeast-1-analyzer/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:accessanalyzer:ap-southeast-1:211203495394:analyzer/unknown",
            "name": "analyzer/unknown",
            "status": "NOT_AVAILABLE",
            "findings": [],
            "tags": [],
            "type": "",
            "region": "ap-southeast-1"
          }
        },
        "group": {
          "name": "accessanalyzer"
        },
        "labels": [],
        "name": "analyzer/unknown",
        "type": "Other",
        "uid": "arn:aws:accessanalyzer:ap-southeast-1:211203495394:analyzer/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-1"
    },
    "remediation": {
      "desc": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
      "references": [
        "https://hub.prowler.com/check/accessanalyzer_enabled"
      ]
    },
    "risk_details": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "metadata": {
      "event_code": "accessanalyzer_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
        "https://aws.amazon.com/iam/access-analyzer/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.e",
          "11.1.1",
          "11.2.1",
          "11.2.2.e"
        ],
        "CIS-6.0": [
          "2.19"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN11.AR01"
        ],
        "CIS-2.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.6"
        ],
        "CIS-4.0.1": [
          "1.20"
        ],
        "CIS-3.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.04B",
          "IAM-06.01AC",
          "IAM-10.01B",
          "IAM-10.02B",
          "INQ-04.01AC",
          "PSS-08.03B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.20"
        ],
        "CIS-5.0": [
          "1.19"
        ],
        "CIS-1.5": [
          "1.20"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Create analyzers in each active regions",
          "Verify that events are present in SecurityHub aggregated view"
        ],
        "NIST-CSF-2.0": [
          "po_3",
          "po_4",
          "ov_2",
          "ov_3",
          "ac_1",
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
      "title": "IAM Access Analyzer is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-accessanalyzer_enabled-211203495394-ap-southeast-2-analyzer/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-2",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:accessanalyzer:ap-southeast-2:211203495394:analyzer/unknown",
            "name": "analyzer/unknown",
            "status": "NOT_AVAILABLE",
            "findings": [],
            "tags": [],
            "type": "",
            "region": "ap-southeast-2"
          }
        },
        "group": {
          "name": "accessanalyzer"
        },
        "labels": [],
        "name": "analyzer/unknown",
        "type": "Other",
        "uid": "arn:aws:accessanalyzer:ap-southeast-2:211203495394:analyzer/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-2"
    },
    "remediation": {
      "desc": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
      "references": [
        "https://hub.prowler.com/check/accessanalyzer_enabled"
      ]
    },
    "risk_details": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "metadata": {
      "event_code": "accessanalyzer_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
        "https://aws.amazon.com/iam/access-analyzer/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.e",
          "11.1.1",
          "11.2.1",
          "11.2.2.e"
        ],
        "CIS-6.0": [
          "2.19"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN11.AR01"
        ],
        "CIS-2.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.6"
        ],
        "CIS-4.0.1": [
          "1.20"
        ],
        "CIS-3.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.04B",
          "IAM-06.01AC",
          "IAM-10.01B",
          "IAM-10.02B",
          "INQ-04.01AC",
          "PSS-08.03B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.20"
        ],
        "CIS-5.0": [
          "1.19"
        ],
        "CIS-1.5": [
          "1.20"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Create analyzers in each active regions",
          "Verify that events are present in SecurityHub aggregated view"
        ],
        "NIST-CSF-2.0": [
          "po_3",
          "po_4",
          "ov_2",
          "ov_3",
          "ac_1",
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
      "title": "IAM Access Analyzer is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-accessanalyzer_enabled-211203495394-ca-central-1-analyzer/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ca-central-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:accessanalyzer:ca-central-1:211203495394:analyzer/unknown",
            "name": "analyzer/unknown",
            "status": "NOT_AVAILABLE",
            "findings": [],
            "tags": [],
            "type": "",
            "region": "ca-central-1"
          }
        },
        "group": {
          "name": "accessanalyzer"
        },
        "labels": [],
        "name": "analyzer/unknown",
        "type": "Other",
        "uid": "arn:aws:accessanalyzer:ca-central-1:211203495394:analyzer/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ca-central-1"
    },
    "remediation": {
      "desc": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
      "references": [
        "https://hub.prowler.com/check/accessanalyzer_enabled"
      ]
    },
    "risk_details": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "metadata": {
      "event_code": "accessanalyzer_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
        "https://aws.amazon.com/iam/access-analyzer/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.e",
          "11.1.1",
          "11.2.1",
          "11.2.2.e"
        ],
        "CIS-6.0": [
          "2.19"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN11.AR01"
        ],
        "CIS-2.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.6"
        ],
        "CIS-4.0.1": [
          "1.20"
        ],
        "CIS-3.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.04B",
          "IAM-06.01AC",
          "IAM-10.01B",
          "IAM-10.02B",
          "INQ-04.01AC",
          "PSS-08.03B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.20"
        ],
        "CIS-5.0": [
          "1.19"
        ],
        "CIS-1.5": [
          "1.20"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Create analyzers in each active regions",
          "Verify that events are present in SecurityHub aggregated view"
        ],
        "NIST-CSF-2.0": [
          "po_3",
          "po_4",
          "ov_2",
          "ov_3",
          "ac_1",
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
      "title": "IAM Access Analyzer is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-accessanalyzer_enabled-211203495394-eu-central-1-analyzer/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-central-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:accessanalyzer:eu-central-1:211203495394:analyzer/unknown",
            "name": "analyzer/unknown",
            "status": "NOT_AVAILABLE",
            "findings": [],
            "tags": [],
            "type": "",
            "region": "eu-central-1"
          }
        },
        "group": {
          "name": "accessanalyzer"
        },
        "labels": [],
        "name": "analyzer/unknown",
        "type": "Other",
        "uid": "arn:aws:accessanalyzer:eu-central-1:211203495394:analyzer/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-central-1"
    },
    "remediation": {
      "desc": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
      "references": [
        "https://hub.prowler.com/check/accessanalyzer_enabled"
      ]
    },
    "risk_details": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "metadata": {
      "event_code": "accessanalyzer_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
        "https://aws.amazon.com/iam/access-analyzer/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.e",
          "11.1.1",
          "11.2.1",
          "11.2.2.e"
        ],
        "CIS-6.0": [
          "2.19"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN11.AR01"
        ],
        "CIS-2.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.6"
        ],
        "CIS-4.0.1": [
          "1.20"
        ],
        "CIS-3.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.04B",
          "IAM-06.01AC",
          "IAM-10.01B",
          "IAM-10.02B",
          "INQ-04.01AC",
          "PSS-08.03B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.20"
        ],
        "CIS-5.0": [
          "1.19"
        ],
        "CIS-1.5": [
          "1.20"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Create analyzers in each active regions",
          "Verify that events are present in SecurityHub aggregated view"
        ],
        "NIST-CSF-2.0": [
          "po_3",
          "po_4",
          "ov_2",
          "ov_3",
          "ac_1",
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
      "title": "IAM Access Analyzer is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-accessanalyzer_enabled-211203495394-eu-north-1-analyzer/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-north-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:accessanalyzer:eu-north-1:211203495394:analyzer/unknown",
            "name": "analyzer/unknown",
            "status": "NOT_AVAILABLE",
            "findings": [],
            "tags": [],
            "type": "",
            "region": "eu-north-1"
          }
        },
        "group": {
          "name": "accessanalyzer"
        },
        "labels": [],
        "name": "analyzer/unknown",
        "type": "Other",
        "uid": "arn:aws:accessanalyzer:eu-north-1:211203495394:analyzer/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-north-1"
    },
    "remediation": {
      "desc": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
      "references": [
        "https://hub.prowler.com/check/accessanalyzer_enabled"
      ]
    },
    "risk_details": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "metadata": {
      "event_code": "accessanalyzer_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
        "https://aws.amazon.com/iam/access-analyzer/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.e",
          "11.1.1",
          "11.2.1",
          "11.2.2.e"
        ],
        "CIS-6.0": [
          "2.19"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN11.AR01"
        ],
        "CIS-2.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.6"
        ],
        "CIS-4.0.1": [
          "1.20"
        ],
        "CIS-3.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.04B",
          "IAM-06.01AC",
          "IAM-10.01B",
          "IAM-10.02B",
          "INQ-04.01AC",
          "PSS-08.03B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.20"
        ],
        "CIS-5.0": [
          "1.19"
        ],
        "CIS-1.5": [
          "1.20"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Create analyzers in each active regions",
          "Verify that events are present in SecurityHub aggregated view"
        ],
        "NIST-CSF-2.0": [
          "po_3",
          "po_4",
          "ov_2",
          "ov_3",
          "ac_1",
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
      "title": "IAM Access Analyzer is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-accessanalyzer_enabled-211203495394-eu-west-1-analyzer/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:accessanalyzer:eu-west-1:211203495394:analyzer/unknown",
            "name": "analyzer/unknown",
            "status": "NOT_AVAILABLE",
            "findings": [],
            "tags": [],
            "type": "",
            "region": "eu-west-1"
          }
        },
        "group": {
          "name": "accessanalyzer"
        },
        "labels": [],
        "name": "analyzer/unknown",
        "type": "Other",
        "uid": "arn:aws:accessanalyzer:eu-west-1:211203495394:analyzer/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-1"
    },
    "remediation": {
      "desc": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
      "references": [
        "https://hub.prowler.com/check/accessanalyzer_enabled"
      ]
    },
    "risk_details": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "metadata": {
      "event_code": "accessanalyzer_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
        "https://aws.amazon.com/iam/access-analyzer/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.e",
          "11.1.1",
          "11.2.1",
          "11.2.2.e"
        ],
        "CIS-6.0": [
          "2.19"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN11.AR01"
        ],
        "CIS-2.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.6"
        ],
        "CIS-4.0.1": [
          "1.20"
        ],
        "CIS-3.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.04B",
          "IAM-06.01AC",
          "IAM-10.01B",
          "IAM-10.02B",
          "INQ-04.01AC",
          "PSS-08.03B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.20"
        ],
        "CIS-5.0": [
          "1.19"
        ],
        "CIS-1.5": [
          "1.20"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Create analyzers in each active regions",
          "Verify that events are present in SecurityHub aggregated view"
        ],
        "NIST-CSF-2.0": [
          "po_3",
          "po_4",
          "ov_2",
          "ov_3",
          "ac_1",
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
      "title": "IAM Access Analyzer is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-accessanalyzer_enabled-211203495394-eu-west-2-analyzer/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-2",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:accessanalyzer:eu-west-2:211203495394:analyzer/unknown",
            "name": "analyzer/unknown",
            "status": "NOT_AVAILABLE",
            "findings": [],
            "tags": [],
            "type": "",
            "region": "eu-west-2"
          }
        },
        "group": {
          "name": "accessanalyzer"
        },
        "labels": [],
        "name": "analyzer/unknown",
        "type": "Other",
        "uid": "arn:aws:accessanalyzer:eu-west-2:211203495394:analyzer/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-2"
    },
    "remediation": {
      "desc": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
      "references": [
        "https://hub.prowler.com/check/accessanalyzer_enabled"
      ]
    },
    "risk_details": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "metadata": {
      "event_code": "accessanalyzer_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
        "https://aws.amazon.com/iam/access-analyzer/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.e",
          "11.1.1",
          "11.2.1",
          "11.2.2.e"
        ],
        "CIS-6.0": [
          "2.19"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN11.AR01"
        ],
        "CIS-2.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.6"
        ],
        "CIS-4.0.1": [
          "1.20"
        ],
        "CIS-3.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.04B",
          "IAM-06.01AC",
          "IAM-10.01B",
          "IAM-10.02B",
          "INQ-04.01AC",
          "PSS-08.03B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.20"
        ],
        "CIS-5.0": [
          "1.19"
        ],
        "CIS-1.5": [
          "1.20"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Create analyzers in each active regions",
          "Verify that events are present in SecurityHub aggregated view"
        ],
        "NIST-CSF-2.0": [
          "po_3",
          "po_4",
          "ov_2",
          "ov_3",
          "ac_1",
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
      "title": "IAM Access Analyzer is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-accessanalyzer_enabled-211203495394-eu-west-3-analyzer/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-3",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:accessanalyzer:eu-west-3:211203495394:analyzer/unknown",
            "name": "analyzer/unknown",
            "status": "NOT_AVAILABLE",
            "findings": [],
            "tags": [],
            "type": "",
            "region": "eu-west-3"
          }
        },
        "group": {
          "name": "accessanalyzer"
        },
        "labels": [],
        "name": "analyzer/unknown",
        "type": "Other",
        "uid": "arn:aws:accessanalyzer:eu-west-3:211203495394:analyzer/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-3"
    },
    "remediation": {
      "desc": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
      "references": [
        "https://hub.prowler.com/check/accessanalyzer_enabled"
      ]
    },
    "risk_details": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "metadata": {
      "event_code": "accessanalyzer_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
        "https://aws.amazon.com/iam/access-analyzer/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.e",
          "11.1.1",
          "11.2.1",
          "11.2.2.e"
        ],
        "CIS-6.0": [
          "2.19"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN11.AR01"
        ],
        "CIS-2.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.6"
        ],
        "CIS-4.0.1": [
          "1.20"
        ],
        "CIS-3.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.04B",
          "IAM-06.01AC",
          "IAM-10.01B",
          "IAM-10.02B",
          "INQ-04.01AC",
          "PSS-08.03B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.20"
        ],
        "CIS-5.0": [
          "1.19"
        ],
        "CIS-1.5": [
          "1.20"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Create analyzers in each active regions",
          "Verify that events are present in SecurityHub aggregated view"
        ],
        "NIST-CSF-2.0": [
          "po_3",
          "po_4",
          "ov_2",
          "ov_3",
          "ac_1",
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
      "title": "IAM Access Analyzer is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-accessanalyzer_enabled-211203495394-sa-east-1-analyzer/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "sa-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:accessanalyzer:sa-east-1:211203495394:analyzer/unknown",
            "name": "analyzer/unknown",
            "status": "NOT_AVAILABLE",
            "findings": [],
            "tags": [],
            "type": "",
            "region": "sa-east-1"
          }
        },
        "group": {
          "name": "accessanalyzer"
        },
        "labels": [],
        "name": "analyzer/unknown",
        "type": "Other",
        "uid": "arn:aws:accessanalyzer:sa-east-1:211203495394:analyzer/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "sa-east-1"
    },
    "remediation": {
      "desc": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
      "references": [
        "https://hub.prowler.com/check/accessanalyzer_enabled"
      ]
    },
    "risk_details": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "metadata": {
      "event_code": "accessanalyzer_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
        "https://aws.amazon.com/iam/access-analyzer/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.e",
          "11.1.1",
          "11.2.1",
          "11.2.2.e"
        ],
        "CIS-6.0": [
          "2.19"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN11.AR01"
        ],
        "CIS-2.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.6"
        ],
        "CIS-4.0.1": [
          "1.20"
        ],
        "CIS-3.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.04B",
          "IAM-06.01AC",
          "IAM-10.01B",
          "IAM-10.02B",
          "INQ-04.01AC",
          "PSS-08.03B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.20"
        ],
        "CIS-5.0": [
          "1.19"
        ],
        "CIS-1.5": [
          "1.20"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Create analyzers in each active regions",
          "Verify that events are present in SecurityHub aggregated view"
        ],
        "NIST-CSF-2.0": [
          "po_3",
          "po_4",
          "ov_2",
          "ov_3",
          "ac_1",
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
      "title": "IAM Access Analyzer is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-accessanalyzer_enabled-211203495394-us-east-1-analyzer/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:accessanalyzer:us-east-1:211203495394:analyzer/unknown",
            "name": "analyzer/unknown",
            "status": "NOT_AVAILABLE",
            "findings": [],
            "tags": [],
            "type": "",
            "region": "us-east-1"
          }
        },
        "group": {
          "name": "accessanalyzer"
        },
        "labels": [],
        "name": "analyzer/unknown",
        "type": "Other",
        "uid": "arn:aws:accessanalyzer:us-east-1:211203495394:analyzer/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
      "references": [
        "https://hub.prowler.com/check/accessanalyzer_enabled"
      ]
    },
    "risk_details": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "metadata": {
      "event_code": "accessanalyzer_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
        "https://aws.amazon.com/iam/access-analyzer/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.e",
          "11.1.1",
          "11.2.1",
          "11.2.2.e"
        ],
        "CIS-6.0": [
          "2.19"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN11.AR01"
        ],
        "CIS-2.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.6"
        ],
        "CIS-4.0.1": [
          "1.20"
        ],
        "CIS-3.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.04B",
          "IAM-06.01AC",
          "IAM-10.01B",
          "IAM-10.02B",
          "INQ-04.01AC",
          "PSS-08.03B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.20"
        ],
        "CIS-5.0": [
          "1.19"
        ],
        "CIS-1.5": [
          "1.20"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Create analyzers in each active regions",
          "Verify that events are present in SecurityHub aggregated view"
        ],
        "NIST-CSF-2.0": [
          "po_3",
          "po_4",
          "ov_2",
          "ov_3",
          "ac_1",
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
      "title": "IAM Access Analyzer is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-accessanalyzer_enabled-211203495394-us-east-2-analyzer/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-2",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:accessanalyzer:us-east-2:211203495394:analyzer/unknown",
            "name": "analyzer/unknown",
            "status": "NOT_AVAILABLE",
            "findings": [],
            "tags": [],
            "type": "",
            "region": "us-east-2"
          }
        },
        "group": {
          "name": "accessanalyzer"
        },
        "labels": [],
        "name": "analyzer/unknown",
        "type": "Other",
        "uid": "arn:aws:accessanalyzer:us-east-2:211203495394:analyzer/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-2"
    },
    "remediation": {
      "desc": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
      "references": [
        "https://hub.prowler.com/check/accessanalyzer_enabled"
      ]
    },
    "risk_details": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "metadata": {
      "event_code": "accessanalyzer_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
        "https://aws.amazon.com/iam/access-analyzer/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.e",
          "11.1.1",
          "11.2.1",
          "11.2.2.e"
        ],
        "CIS-6.0": [
          "2.19"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN11.AR01"
        ],
        "CIS-2.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.6"
        ],
        "CIS-4.0.1": [
          "1.20"
        ],
        "CIS-3.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.04B",
          "IAM-06.01AC",
          "IAM-10.01B",
          "IAM-10.02B",
          "INQ-04.01AC",
          "PSS-08.03B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.20"
        ],
        "CIS-5.0": [
          "1.19"
        ],
        "CIS-1.5": [
          "1.20"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Create analyzers in each active regions",
          "Verify that events are present in SecurityHub aggregated view"
        ],
        "NIST-CSF-2.0": [
          "po_3",
          "po_4",
          "ov_2",
          "ov_3",
          "ac_1",
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
      "title": "IAM Access Analyzer is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-accessanalyzer_enabled-211203495394-us-west-1-analyzer/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:accessanalyzer:us-west-1:211203495394:analyzer/unknown",
            "name": "analyzer/unknown",
            "status": "NOT_AVAILABLE",
            "findings": [],
            "tags": [],
            "type": "",
            "region": "us-west-1"
          }
        },
        "group": {
          "name": "accessanalyzer"
        },
        "labels": [],
        "name": "analyzer/unknown",
        "type": "Other",
        "uid": "arn:aws:accessanalyzer:us-west-1:211203495394:analyzer/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-1"
    },
    "remediation": {
      "desc": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
      "references": [
        "https://hub.prowler.com/check/accessanalyzer_enabled"
      ]
    },
    "risk_details": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "metadata": {
      "event_code": "accessanalyzer_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Access Analyzer in account 211203495394 is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
        "https://aws.amazon.com/iam/access-analyzer/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
        "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.e",
          "11.1.1",
          "11.2.1",
          "11.2.2.e"
        ],
        "CIS-6.0": [
          "2.19"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN11.AR01"
        ],
        "CIS-2.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.6"
        ],
        "CIS-4.0.1": [
          "1.20"
        ],
        "CIS-3.0": [
          "1.20"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.04B",
          "IAM-06.01AC",
          "IAM-10.01B",
          "IAM-10.02B",
          "INQ-04.01AC",
          "PSS-08.03B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.20"
        ],
        "CIS-5.0": [
          "1.19"
        ],
        "CIS-1.5": [
          "1.20"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Create analyzers in each active regions",
          "Verify that events are present in SecurityHub aggregated view"
        ],
        "NIST-CSF-2.0": [
          "po_3",
          "po_4",
          "ov_2",
          "ov_3",
          "ac_1",
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
      "title": "IAM Access Analyzer is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-accessanalyzer_enabled-211203495394-us-west-2-analyzer/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-2",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:accessanalyzer:us-west-2:211203495394:analyzer/unknown",
            "name": "analyzer/unknown",
            "status": "NOT_AVAILABLE",
            "findings": [],
            "tags": [],
            "type": "",
            "region": "us-west-2"
          }
        },
        "group": {
          "name": "accessanalyzer"
        },
        "labels": [],
        "name": "analyzer/unknown",
        "type": "Other",
        "uid": "arn:aws:accessanalyzer:us-west-2:211203495394:analyzer/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-2"
    },
    "remediation": {
      "desc": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
      "references": [
        "https://hub.prowler.com/check/accessanalyzer_enabled"
      ]
    },
    "risk_details": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Contact Information.",
    "metadata": {
      "event_code": "account_maintain_current_contact_details",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "MANUAL",
    "status_detail": "Login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Contact Information.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/knowledge-center/update-phone-number",
        "https://support.stax.io/docs/accounts/update-aws-account-contact-details",
        "https://maartenbruntink.nl/blog/2022/09/26/aws-account-hygiene-101-mass-updating-alternate-account-contacts/",
        "https://docs.aws.amazon.com/security-ir/latest/userguide/update-account-contact-info.html",
        "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact-primary.html",
        "https://repost.aws/knowledge-center/add-update-billing-contact",
        "https://aws.amazon.com/blogs/security/update-the-alternate-security-contact-across-your-aws-accounts-for-timely-security-notifications/",
        "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_update_contacts.html",
        "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact-alternate.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "2.2.3",
          "3.5.3.a",
          "5.1.7.b"
        ],
        "CIS-6.0": [
          "2.1"
        ],
        "CIS-2.0": [
          "1.1"
        ],
        "CSA-CCM-4.0": [
          "SEF-08"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "CIS-4.0.1": [
          "1.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP03",
          "SEC10-BP01"
        ],
        "CIS-3.0": [
          "1.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-03.01AS",
          "IAM-06.06B",
          "SSO-05.06B",
          "SIM-01.03B",
          "INQ-02.01B"
        ],
        "ISO27001-2022": [
          "A.5.5"
        ],
        "CIS-1.4": [
          "1.1"
        ],
        "CIS-5.0": [
          "1.1"
        ],
        "CIS-1.5": [
          "1.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Billing, emergency, security contacts"
        ],
        "ENS-RD2022": [
          "op.ext.7.aws.am.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS account contact information** is current for the **primary contact** and the **alternate contacts** for `security`, `billing`, and `operations`, with accurate email addresses and phone numbers.",
      "title": "AWS account contact information is current",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-account_maintain_current_contact_details-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "account"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:iam::211203495394:root"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Adopt:\n- **Primary** and **alternate contacts** for `security`, `billing`, `operations`\n- Shared, monitored aliases and SMS-capable phone numbers (non-personal)\n- Centralized management across accounts with periodic reviews\n- **Least privilege** for who can modify contact data\n- Regular reachability tests and documented ownership",
      "references": [
        "https://hub.prowler.com/check/account_maintain_current_contact_details"
      ]
    },
    "risk_details": "Outdated or single-person contacts delay **security notifications**, slow **incident response**, and complicate **account recovery**.\n\nAWS may throttle services during abuse mitigation, reducing **availability**. Missed alerts enable ongoing misuse, risking **data exfiltration** and unauthorized changes (**integrity**).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "SECURITY, BILLING and OPERATIONS contacts were not found, or they are not distinct from each other and from the ROOT contact.",
    "metadata": {
      "event_code": "account_maintain_different_contact_details_to_security_billing_and_operations",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "SECURITY, BILLING and OPERATIONS contacts were not found, or they are not distinct from each other and from the ROOT contact.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/account_alternate_contact",
        "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact-alternate.html",
        "https://builder.aws.com/content/2qRw97fe8JFwfk2AbpJ3sYNpNvM/aws-bulk-update-alternate-contacts-across-organization",
        "https://github.com/aws-samples/aws-account-alternate-contact-with-terraform",
        "https://trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/account-security-alternate-contacts.html",
        "https://repost.aws/articles/ARDFbpt-bvQ8iuErnqVVcCXQ/managing-aws-organization-alternate-contacts-via-csv"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "SEF-08"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "IAM-06.06B",
          "SSO-05.06B",
          "SIM-01.03B",
          "INQ-02.01B"
        ],
        "ISO27001-2022": [
          "A.5.6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS account alternate contacts** are defined for **Security**, **Billing**, and **Operations** with `name`, `email`, and `phone`. The finding evaluates that all three exist, are distinct from one another, and differ from the **primary (root) contact**.",
      "title": "AWS account has distinct Security, Billing, and Operations contact details, different from each other and from the root contact",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-account_maintain_different_contact_details_to_security_billing_and_operations-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "account"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:iam::211203495394:root"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Maintain distinct, monitored **Security**, **Billing**, and **Operations** alternate contacts that differ from the root contact.\n- Use team aliases and 24x7 phones\n- Review and test contact paths regularly\n- Centralize at org level for consistency\n\nApplies **operational resilience** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/account_maintain_different_contact_details_to_security_billing_and_operations"
      ]
    },
    "risk_details": "Missing or shared contacts can delay response to abuse alerts, credential compromise, or billing anomalies, reducing **availability** (possible AWS traffic throttling) and raising **confidentiality** and **integrity** risk through extended exposure. If AWS cannot reach you, urgent mitigation may disrupt service.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Alternate Contacts -> Security Section.",
    "metadata": {
      "event_code": "account_security_contact_information_is_registered",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "MANUAL",
    "status_detail": "Login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Alternate Contacts -> Security Section.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/account_alternate_contact",
        "https://support.icompaas.com/support/solutions/articles/62000234161-1-2-ensure-security-contact-information-is-registered-manual-",
        "https://www.plerion.com/cloud-knowledge-base/ensure-security-contact-information-is-registered",
        "https://repost.aws/articles/ARDFbpt-bvQ8iuErnqVVcCXQ/managing-aws-organization-alternate-contacts-via-csv"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "1.1.1.a",
          "1.2.3",
          "2.2.1",
          "3.1.2.d",
          "3.5.3.a",
          "5.1.7.b"
        ],
        "CIS-6.0": [
          "2.2"
        ],
        "CIS-2.0": [
          "1.2"
        ],
        "CSA-CCM-4.0": [
          "SEF-08"
        ],
        "PCI-4.0": [
          "A1.2.3.1"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "CIS-4.0.1": [
          "1.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP03",
          "SEC10-BP01"
        ],
        "CIS-3.0": [
          "1.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "C5-2025": [
          "OIS-06.01B",
          "SSO-05.06B",
          "SIM-01.03B"
        ],
        "ISO27001-2022": [
          "A.5.5"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Account.1"
        ],
        "CIS-1.4": [
          "1.2"
        ],
        "CIS-5.0": [
          "1.2"
        ],
        "CIS-1.5": [
          "1.2"
        ],
        "AWS-Account-Security-Onboarding": [
          "Billing, emergency, security contacts"
        ],
        "ENS-RD2022": [
          "op.ext.7.aws.am.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Account settings contain a **Security alternate contact** in Alternate Contacts (name, `EmailAddress`, `PhoneNumber`) for targeted AWS security notifications.",
      "title": "AWS account has security alternate contact registered",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-account_security_contact_information_is_registered-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "account"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:iam::211203495394:root"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Define and maintain a **Security alternate contact**:\n- Use a monitored alias (e.g., `security@domain`) and team phone\n- Apply to every account (prefer Org-wide automation)\n- Review after org/personnel changes and test delivery\n- Document ownership and escalation paths\nAlign with **incident response** and **least privilege** principles.",
      "references": [
        "https://hub.prowler.com/check/account_security_contact_information_is_registered"
      ]
    },
    "risk_details": "Missing or outdated **security contact** can delay or prevent AWS advisories from reaching responders, increasing risk to:\n- Confidentiality: data exfiltration from undetected compromise\n- Integrity: unauthorized changes persist longer\n- Availability: resource abuse (e.g., cryptomining) and outages",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Login to the AWS Console as root. Choose your account name on the top right of the window -> My Account -> Configure Security Challenge Questions.",
    "metadata": {
      "event_code": "account_security_questions_are_registered_in_the_aws_account",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "MANUAL",
    "status_detail": "Login to the AWS Console as root. Choose your account name on the top right of the window -> My Account -> Configure Security Challenge Questions.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/security-challenge-questions.html"
      ],
      "notes": "",
      "compliance": {
        "CIS-2.0": [
          "1.3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.3",
          "2.10.2"
        ],
        "CIS-4.0.1": [
          "1.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP03",
          "SEC10-BP01"
        ],
        "CIS-3.0": [
          "1.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.3",
          "2.10.2"
        ],
        "CIS-1.4": [
          "1.3"
        ],
        "CIS-1.5": [
          "1.3"
        ],
        "ENS-RD2022": [
          "op.ext.7.aws.am.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "[DEPRECATED] **AWS account root** configuration may include legacy **security challenge questions** for support identity verification. This evaluates whether those questions are set on the account. *New configuration is discontinued by AWS and remaining support for this feature is time-limited.*",
      "title": "[DEPRECATED] AWS root user has security challenge questions configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-account_security_questions_are_registered_in_the_aws_account-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "account"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:iam::211203495394:root"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Favor stronger recovery mechanisms instead of knowledge-based authentication (KBA):\n- Enforce **MFA for root** and minimize root use\n- Keep **alternate contacts** and root email current and protected\n- Establish a tightly controlled **break-glass role**, applying least privilege and separation of duties\n- Document and test recovery procedures; monitor root activity",
      "references": [
        "https://hub.prowler.com/check/account_security_questions_are_registered_in_the_aws_account"
      ]
    },
    "risk_details": "Absence of these questions can limit support-assisted recovery if root credentials or MFA are lost, reducing **availability** and slowing **incident response**. Reliance on knowledge-based authentication (KBA) also weakens **confidentiality**, because answers are susceptible to **social engineering**. Treat this as a recovery gap and adopt stronger, phishing-resistant factors.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No Backup Vault exists.",
    "metadata": {
      "event_code": "backup_vaults_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No Backup Vault exists.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/aws-backup/latest/devguide/vaults.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.6.2",
          "4.1.2.f",
          "4.1.2.g",
          "4.2.2.b",
          "4.2.2.e",
          "12.1.2.c",
          "12.2.2.b"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-rpl"
        ],
        "AWS-Foundational-Technical-Review": [
          "BAR-001"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN08.AR01",
          "CCC.Core.CN14.AR01",
          "CCC.Core.CN14.AR02",
          "CCC.Core.CN14.AR03"
        ],
        "CSA-CCM-4.0": [
          "BCR-08"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.3",
          "2.12.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.3",
          "2.12.1"
        ],
        "C5-2025": [
          "OPS-06.01B",
          "OPS-07.01B",
          "OPS-08.01B",
          "OPS-09.02B",
          "CRY-16.02B",
          "DEV-11.02B",
          "BCM-01.01B",
          "BCM-01.02B",
          "BCM-02.01B"
        ],
        "ISO27001-2022": [
          "A.8.13"
        ],
        "SecNumCloud-3.2": [
          "12.5",
          "17.6"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ds_3",
          "ip_4",
          "rc_rp_1"
        ],
        "ENS-RD2022": [
          "mp.info.6.aws.bcku.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Backup** in the account/region includes at least one **backup vault** that stores and organizes recovery points for use by backup plans and copies.",
      "title": "At least one AWS Backup vault exists",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-backup_vaults_exist-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "backup"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsBackupBackupVault",
        "uid": "arn:aws:backup:us-east-1:211203495394:backup-vault"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Create and maintain a **backup vault** in each required region. Enforce **least privilege** access, encrypt with **KMS CMKs**, and enable **Vault Lock** to prevent tampering. Use lifecycle rules and cross-region/cross-account copies, and regularly test restores for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/backup_vaults_exist"
      ]
    },
    "risk_details": "Without a vault, recovery points cannot be created or retained in AWS Backup, degrading **availability** and **integrity**. Data may be irrecoverable after deletion, ransomware, or misconfiguration, and RPO/RTO targets may be missed during incidents.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Bedrock Model Invocation Logging is disabled.",
    "metadata": {
      "event_code": "bedrock_model_invocation_logging_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Bedrock Model Invocation Logging is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready",
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.GenAI.CN05.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_a_1_1"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "SSO-05.01AC",
          "PSS-04.05B"
        ],
        "ISO27001-2022": [
          "A.8.15"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Bedrock** model invocation logging captures request, response, and metadata for `Converse`, `ConverseStream`, `InvokeModel`, and `InvokeModelWithResponseStream` calls per Region, delivering records to **CloudWatch Logs** and/or **S3** when configured.",
      "title": "Amazon Bedrock model invocation logging is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-bedrock_model_invocation_logging_enabled-211203495394-ap-northeast-1-model-invocation-logging"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-1",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false,
            "cloudwatch_log_group": null,
            "s3_bucket": null
          }
        },
        "group": {
          "name": "bedrock"
        },
        "labels": [],
        "name": "model-invocation-logging",
        "type": "Other",
        "uid": "arn:aws:bedrock:ap-northeast-1:211203495394:model-invocation-logging"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-1"
    },
    "remediation": {
      "desc": "Enable **model invocation logging** and route events to **CloudWatch Logs** and/or **S3**.\n\nBecause these logs capture request and response content, which may include sensitive data, enforce **least privilege** on log access, use encryption, and set retention/lifecycle policies. Monitor the logs for anomalies and alert on them to support **defense in depth** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/bedrock_model_invocation_logging_enabled"
      ]
    },
    "risk_details": "Without **invocation logs**, you lose **auditability** and **forensic visibility** into model activity.\n\nCredential misuse or **prompt injection/jailbreak** attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens **integrity** controls and slows incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Bedrock Model Invocation Logging is disabled.",
    "metadata": {
      "event_code": "bedrock_model_invocation_logging_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Bedrock Model Invocation Logging is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready",
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.GenAI.CN05.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_a_1_1"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "SSO-05.01AC",
          "PSS-04.05B"
        ],
        "ISO27001-2022": [
          "A.8.15"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Bedrock** model invocation logging captures request, response, and metadata for `Converse`, `ConverseStream`, `InvokeModel`, and `InvokeModelWithResponseStream` calls per Region, delivering records to **CloudWatch Logs** and/or **S3** when configured.",
      "title": "Amazon Bedrock model invocation logging is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-bedrock_model_invocation_logging_enabled-211203495394-ap-northeast-2-model-invocation-logging"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-2",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false,
            "cloudwatch_log_group": null,
            "s3_bucket": null
          }
        },
        "group": {
          "name": "bedrock"
        },
        "labels": [],
        "name": "model-invocation-logging",
        "type": "Other",
        "uid": "arn:aws:bedrock:ap-northeast-2:211203495394:model-invocation-logging"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-2"
    },
    "remediation": {
      "desc": "Enable **model invocation logging** and route events to **CloudWatch Logs** and/or **S3**.\n\nBecause these logs capture request and response content, which may include sensitive data, enforce **least privilege** on log access, use encryption, and set retention/lifecycle policies. Monitor the logs for anomalies and alert on them to support **defense in depth** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/bedrock_model_invocation_logging_enabled"
      ]
    },
    "risk_details": "Without **invocation logs**, you lose **auditability** and **forensic visibility** into model activity.\n\nCredential misuse or **prompt injection/jailbreak** attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens **integrity** controls and slows incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Bedrock Model Invocation Logging is disabled.",
    "metadata": {
      "event_code": "bedrock_model_invocation_logging_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Bedrock Model Invocation Logging is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready",
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.GenAI.CN05.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_a_1_1"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "SSO-05.01AC",
          "PSS-04.05B"
        ],
        "ISO27001-2022": [
          "A.8.15"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Bedrock** model invocation logging captures request, response, and metadata for `Converse`, `ConverseStream`, `InvokeModel`, and `InvokeModelWithResponseStream` calls per Region, delivering records to **CloudWatch Logs** and/or **S3** when configured.",
      "title": "Amazon Bedrock model invocation logging is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-bedrock_model_invocation_logging_enabled-211203495394-ap-northeast-3-model-invocation-logging"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-3",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false,
            "cloudwatch_log_group": null,
            "s3_bucket": null
          }
        },
        "group": {
          "name": "bedrock"
        },
        "labels": [],
        "name": "model-invocation-logging",
        "type": "Other",
        "uid": "arn:aws:bedrock:ap-northeast-3:211203495394:model-invocation-logging"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-3"
    },
    "remediation": {
      "desc": "Enable **model invocation logging** and route events to **CloudWatch Logs** and/or **S3**.\n\nBecause these logs capture request and response content, which may include sensitive data, enforce **least privilege** on log access, use encryption, and set retention/lifecycle policies. Monitor the logs for anomalies and alert on them to support **defense in depth** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/bedrock_model_invocation_logging_enabled"
      ]
    },
    "risk_details": "Without **invocation logs**, you lose **auditability** and **forensic visibility** into model activity.\n\nCredential misuse or **prompt injection/jailbreak** attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens **integrity** controls and slows incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Bedrock Model Invocation Logging is disabled.",
    "metadata": {
      "event_code": "bedrock_model_invocation_logging_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Bedrock Model Invocation Logging is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready",
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.GenAI.CN05.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_a_1_1"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "SSO-05.01AC",
          "PSS-04.05B"
        ],
        "ISO27001-2022": [
          "A.8.15"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Bedrock** model invocation logging captures request, response, and metadata for `Converse`, `ConverseStream`, `InvokeModel`, and `InvokeModelWithResponseStream` calls per Region, delivering records to **CloudWatch Logs** and/or **S3** when configured.",
      "title": "Amazon Bedrock model invocation logging is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-bedrock_model_invocation_logging_enabled-211203495394-ap-south-1-model-invocation-logging"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-south-1",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false,
            "cloudwatch_log_group": null,
            "s3_bucket": null
          }
        },
        "group": {
          "name": "bedrock"
        },
        "labels": [],
        "name": "model-invocation-logging",
        "type": "Other",
        "uid": "arn:aws:bedrock:ap-south-1:211203495394:model-invocation-logging"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-south-1"
    },
    "remediation": {
      "desc": "Enable **model invocation logging** and route events to **CloudWatch Logs** and/or **S3**.\n\nBecause these logs capture request and response content, which may include sensitive data, enforce **least privilege** on log access, use encryption, and set retention/lifecycle policies. Monitor the logs for anomalies and alert on them to support **defense in depth** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/bedrock_model_invocation_logging_enabled"
      ]
    },
    "risk_details": "Without **invocation logs**, you lose **auditability** and **forensic visibility** into model activity.\n\nCredential misuse or **prompt injection/jailbreak** attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens **integrity** controls and slows incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Bedrock Model Invocation Logging is disabled.",
    "metadata": {
      "event_code": "bedrock_model_invocation_logging_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Bedrock Model Invocation Logging is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready",
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.GenAI.CN05.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_a_1_1"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "SSO-05.01AC",
          "PSS-04.05B"
        ],
        "ISO27001-2022": [
          "A.8.15"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Bedrock** model invocation logging captures request, response, and metadata for `Converse`, `ConverseStream`, `InvokeModel`, and `InvokeModelWithResponseStream` calls per Region, delivering records to **CloudWatch Logs** and/or **S3** when configured.",
      "title": "Amazon Bedrock model invocation logging is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-bedrock_model_invocation_logging_enabled-211203495394-ap-southeast-1-model-invocation-logging"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-1",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false,
            "cloudwatch_log_group": null,
            "s3_bucket": null
          }
        },
        "group": {
          "name": "bedrock"
        },
        "labels": [],
        "name": "model-invocation-logging",
        "type": "Other",
        "uid": "arn:aws:bedrock:ap-southeast-1:211203495394:model-invocation-logging"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-1"
    },
    "remediation": {
      "desc": "Enable **model invocation logging** and route events to **CloudWatch Logs** and/or **S3**.\n\nBecause these logs capture request and response content, which may include sensitive data, enforce **least privilege** on log access, use encryption, and set retention/lifecycle policies. Monitor the logs for anomalies and alert on them to support **defense in depth** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/bedrock_model_invocation_logging_enabled"
      ]
    },
    "risk_details": "Without **invocation logs**, you lose **auditability** and **forensic visibility** into model activity.\n\nCredential misuse or **prompt injection/jailbreak** attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens **integrity** controls and slows incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Bedrock Model Invocation Logging is disabled.",
    "metadata": {
      "event_code": "bedrock_model_invocation_logging_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Bedrock Model Invocation Logging is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready",
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.GenAI.CN05.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_a_1_1"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "SSO-05.01AC",
          "PSS-04.05B"
        ],
        "ISO27001-2022": [
          "A.8.15"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Bedrock** model invocation logging captures request, response, and metadata for `Converse`, `ConverseStream`, `InvokeModel`, and `InvokeModelWithResponseStream` calls per Region, delivering records to **CloudWatch Logs** and/or **S3** when configured.",
      "title": "Amazon Bedrock model invocation logging is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-bedrock_model_invocation_logging_enabled-211203495394-ap-southeast-2-model-invocation-logging"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-2",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false,
            "cloudwatch_log_group": null,
            "s3_bucket": null
          }
        },
        "group": {
          "name": "bedrock"
        },
        "labels": [],
        "name": "model-invocation-logging",
        "type": "Other",
        "uid": "arn:aws:bedrock:ap-southeast-2:211203495394:model-invocation-logging"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-2"
    },
    "remediation": {
      "desc": "Enable **model invocation logging** and route events to **CloudWatch Logs** and/or **S3**.\n\nBecause these logs capture request and response content, which may include sensitive data, enforce **least privilege** on log access, use encryption, and set retention/lifecycle policies. Monitor the logs for anomalies and alert on them to support **defense in depth** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/bedrock_model_invocation_logging_enabled"
      ]
    },
    "risk_details": "Without **invocation logs**, you lose **auditability** and **forensic visibility** into model activity.\n\nCredential misuse or **prompt injection/jailbreak** attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens **integrity** controls and slows incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Bedrock Model Invocation Logging is disabled.",
    "metadata": {
      "event_code": "bedrock_model_invocation_logging_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Bedrock Model Invocation Logging is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready",
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.GenAI.CN05.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_a_1_1"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "SSO-05.01AC",
          "PSS-04.05B"
        ],
        "ISO27001-2022": [
          "A.8.15"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Bedrock** model invocation logging captures request, response, and metadata for `Converse`, `ConverseStream`, `InvokeModel`, and `InvokeModelWithResponseStream` calls per Region, delivering records to **CloudWatch Logs** and/or **S3** when configured.",
      "title": "Amazon Bedrock model invocation logging is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-bedrock_model_invocation_logging_enabled-211203495394-ca-central-1-model-invocation-logging"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ca-central-1",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false,
            "cloudwatch_log_group": null,
            "s3_bucket": null
          }
        },
        "group": {
          "name": "bedrock"
        },
        "labels": [],
        "name": "model-invocation-logging",
        "type": "Other",
        "uid": "arn:aws:bedrock:ca-central-1:211203495394:model-invocation-logging"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ca-central-1"
    },
    "remediation": {
      "desc": "Enable **model invocation logging** and route events to **CloudWatch Logs** and/or **S3**.\n\nEnforce **least privilege** on log access, use encryption, and set retention/lifecycle policies. Monitor for anomalies and set up alerts to support **defense in depth** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/bedrock_model_invocation_logging_enabled"
      ]
    },
    "risk_details": "Without **invocation logs**, you lose **auditability** and **forensic visibility** into model activity.\n\nCredential misuse or **prompt injection/jailbreak** attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens **integrity** controls and slows incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Bedrock Model Invocation Logging is disabled.",
    "metadata": {
      "event_code": "bedrock_model_invocation_logging_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Bedrock Model Invocation Logging is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready",
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.GenAI.CN05.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_a_1_1"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "SSO-05.01AC",
          "PSS-04.05B"
        ],
        "ISO27001-2022": [
          "A.8.15"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Bedrock** model invocation logging captures request, response, and metadata for `Converse`, `ConverseStream`, `InvokeModel`, and `InvokeModelWithResponseStream` calls per Region, delivering records to **CloudWatch Logs** and/or **S3** when configured.",
      "title": "Amazon Bedrock model invocation logging is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-bedrock_model_invocation_logging_enabled-211203495394-eu-central-1-model-invocation-logging"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-central-1",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false,
            "cloudwatch_log_group": null,
            "s3_bucket": null
          }
        },
        "group": {
          "name": "bedrock"
        },
        "labels": [],
        "name": "model-invocation-logging",
        "type": "Other",
        "uid": "arn:aws:bedrock:eu-central-1:211203495394:model-invocation-logging"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-central-1"
    },
    "remediation": {
      "desc": "Enable **model invocation logging** and route events to **CloudWatch Logs** and/or **S3**.\n\nEnforce **least privilege** on log access, use encryption, and set retention/lifecycle policies. Monitor for anomalies and set up alerts to support **defense in depth** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/bedrock_model_invocation_logging_enabled"
      ]
    },
    "risk_details": "Without **invocation logs**, you lose **auditability** and **forensic visibility** into model activity.\n\nCredential misuse or **prompt injection/jailbreak** attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens **integrity** controls and slows incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Bedrock Model Invocation Logging is disabled.",
    "metadata": {
      "event_code": "bedrock_model_invocation_logging_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Bedrock Model Invocation Logging is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready",
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.GenAI.CN05.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_a_1_1"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "SSO-05.01AC",
          "PSS-04.05B"
        ],
        "ISO27001-2022": [
          "A.8.15"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Bedrock** model invocation logging captures request, response, and metadata for `Converse`, `ConverseStream`, `InvokeModel`, and `InvokeModelWithResponseStream` calls per Region, delivering records to **CloudWatch Logs** and/or **S3** when configured.",
      "title": "Amazon Bedrock model invocation logging is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-bedrock_model_invocation_logging_enabled-211203495394-eu-north-1-model-invocation-logging"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-north-1",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false,
            "cloudwatch_log_group": null,
            "s3_bucket": null
          }
        },
        "group": {
          "name": "bedrock"
        },
        "labels": [],
        "name": "model-invocation-logging",
        "type": "Other",
        "uid": "arn:aws:bedrock:eu-north-1:211203495394:model-invocation-logging"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-north-1"
    },
    "remediation": {
      "desc": "Enable **model invocation logging** and route events to **CloudWatch Logs** and/or **S3**.\n\nEnforce **least privilege** on log access, use encryption, and set retention/lifecycle policies. Monitor for anomalies and set up alerts to support **defense in depth** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/bedrock_model_invocation_logging_enabled"
      ]
    },
    "risk_details": "Without **invocation logs**, you lose **auditability** and **forensic visibility** into model activity.\n\nCredential misuse or **prompt injection/jailbreak** attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens **integrity** controls and slows incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Bedrock Model Invocation Logging is disabled.",
    "metadata": {
      "event_code": "bedrock_model_invocation_logging_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Bedrock Model Invocation Logging is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready",
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.GenAI.CN05.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_a_1_1"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "SSO-05.01AC",
          "PSS-04.05B"
        ],
        "ISO27001-2022": [
          "A.8.15"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Bedrock** model invocation logging captures request, response, and metadata for `Converse`, `ConverseStream`, `InvokeModel`, and `InvokeModelWithResponseStream` calls per Region, delivering records to **CloudWatch Logs** and/or **S3** when configured.",
      "title": "Amazon Bedrock model invocation logging is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-bedrock_model_invocation_logging_enabled-211203495394-eu-west-1-model-invocation-logging"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-1",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false,
            "cloudwatch_log_group": null,
            "s3_bucket": null
          }
        },
        "group": {
          "name": "bedrock"
        },
        "labels": [],
        "name": "model-invocation-logging",
        "type": "Other",
        "uid": "arn:aws:bedrock:eu-west-1:211203495394:model-invocation-logging"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-1"
    },
    "remediation": {
      "desc": "Enable **model invocation logging** and route events to **CloudWatch Logs** and/or **S3**.\n\nEnforce **least privilege** on log access, use encryption, and set retention/lifecycle policies. Monitor for anomalies and set up alerts to support **defense in depth** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/bedrock_model_invocation_logging_enabled"
      ]
    },
    "risk_details": "Without **invocation logs**, you lose **auditability** and **forensic visibility** into model activity.\n\nCredential misuse or **prompt injection/jailbreak** attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens **integrity** controls and slows incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Bedrock Model Invocation Logging is disabled.",
    "metadata": {
      "event_code": "bedrock_model_invocation_logging_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Bedrock Model Invocation Logging is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready",
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.GenAI.CN05.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_a_1_1"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "SSO-05.01AC",
          "PSS-04.05B"
        ],
        "ISO27001-2022": [
          "A.8.15"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Bedrock** model invocation logging captures request, response, and metadata for `Converse`, `ConverseStream`, `InvokeModel`, and `InvokeModelWithResponseStream` calls per Region, delivering records to **CloudWatch Logs** and/or **S3** when configured.",
      "title": "Amazon Bedrock model invocation logging is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-bedrock_model_invocation_logging_enabled-211203495394-eu-west-2-model-invocation-logging"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-2",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false,
            "cloudwatch_log_group": null,
            "s3_bucket": null
          }
        },
        "group": {
          "name": "bedrock"
        },
        "labels": [],
        "name": "model-invocation-logging",
        "type": "Other",
        "uid": "arn:aws:bedrock:eu-west-2:211203495394:model-invocation-logging"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-2"
    },
    "remediation": {
      "desc": "Enable **model invocation logging** and route events to **CloudWatch Logs** and/or **S3**.\n\nEnforce **least privilege** on log access, use encryption, and set retention/lifecycle policies. Monitor for anomalies and set up alerts to support **defense in depth** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/bedrock_model_invocation_logging_enabled"
      ]
    },
    "risk_details": "Without **invocation logs**, you lose **auditability** and **forensic visibility** into model activity.\n\nCredential misuse or **prompt injection/jailbreak** attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens **integrity** controls and slows incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Bedrock Model Invocation Logging is disabled.",
    "metadata": {
      "event_code": "bedrock_model_invocation_logging_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Bedrock Model Invocation Logging is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready",
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.GenAI.CN05.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_a_1_1"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "SSO-05.01AC",
          "PSS-04.05B"
        ],
        "ISO27001-2022": [
          "A.8.15"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Bedrock** model invocation logging captures request, response, and metadata for `Converse`, `ConverseStream`, `InvokeModel`, and `InvokeModelWithResponseStream` calls per Region, delivering records to **CloudWatch Logs** and/or **S3** when configured.",
      "title": "Amazon Bedrock model invocation logging is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-bedrock_model_invocation_logging_enabled-211203495394-eu-west-3-model-invocation-logging"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-3",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false,
            "cloudwatch_log_group": null,
            "s3_bucket": null
          }
        },
        "group": {
          "name": "bedrock"
        },
        "labels": [],
        "name": "model-invocation-logging",
        "type": "Other",
        "uid": "arn:aws:bedrock:eu-west-3:211203495394:model-invocation-logging"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-3"
    },
    "remediation": {
      "desc": "Enable **model invocation logging** and route events to **CloudWatch Logs** and/or **S3**.\n\nEnforce **least privilege** on log access, use encryption, and set retention/lifecycle policies. Monitor for anomalies and set up alerts to support **defense in depth** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/bedrock_model_invocation_logging_enabled"
      ]
    },
    "risk_details": "Without **invocation logs**, you lose **auditability** and **forensic visibility** into model activity.\n\nCredential misuse or **prompt injection/jailbreak** attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens **integrity** controls and slows incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Bedrock Model Invocation Logging is disabled.",
    "metadata": {
      "event_code": "bedrock_model_invocation_logging_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Bedrock Model Invocation Logging is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready",
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.GenAI.CN05.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_a_1_1"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "SSO-05.01AC",
          "PSS-04.05B"
        ],
        "ISO27001-2022": [
          "A.8.15"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Bedrock** model invocation logging captures request, response, and metadata for `Converse`, `ConverseStream`, `InvokeModel`, and `InvokeModelWithResponseStream` calls per Region, delivering records to **CloudWatch Logs** and/or **S3** when configured.",
      "title": "Amazon Bedrock model invocation logging is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-bedrock_model_invocation_logging_enabled-211203495394-sa-east-1-model-invocation-logging"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "sa-east-1",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false,
            "cloudwatch_log_group": null,
            "s3_bucket": null
          }
        },
        "group": {
          "name": "bedrock"
        },
        "labels": [],
        "name": "model-invocation-logging",
        "type": "Other",
        "uid": "arn:aws:bedrock:sa-east-1:211203495394:model-invocation-logging"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "sa-east-1"
    },
    "remediation": {
      "desc": "Enable **model invocation logging** and route events to **CloudWatch Logs** and/or **S3**.\n\nEnforce **least privilege** on log access, use encryption, and set retention/lifecycle policies. Monitor for anomalies and set up alerts to support **defense in depth** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/bedrock_model_invocation_logging_enabled"
      ]
    },
    "risk_details": "Without **invocation logs**, you lose **auditability** and **forensic visibility** into model activity.\n\nCredential misuse or **prompt injection/jailbreak** attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens **integrity** controls and slows incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Bedrock Model Invocation Logging is disabled.",
    "metadata": {
      "event_code": "bedrock_model_invocation_logging_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Bedrock Model Invocation Logging is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready",
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.GenAI.CN05.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_a_1_1"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "SSO-05.01AC",
          "PSS-04.05B"
        ],
        "ISO27001-2022": [
          "A.8.15"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Bedrock** model invocation logging captures request, response, and metadata for `Converse`, `ConverseStream`, `InvokeModel`, and `InvokeModelWithResponseStream` calls per Region, delivering records to **CloudWatch Logs** and/or **S3** when configured.",
      "title": "Amazon Bedrock model invocation logging is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-bedrock_model_invocation_logging_enabled-211203495394-us-east-1-model-invocation-logging"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false,
            "cloudwatch_log_group": null,
            "s3_bucket": null
          }
        },
        "group": {
          "name": "bedrock"
        },
        "labels": [],
        "name": "model-invocation-logging",
        "type": "Other",
        "uid": "arn:aws:bedrock:us-east-1:211203495394:model-invocation-logging"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enable **model invocation logging** and route events to **CloudWatch Logs** and/or **S3**.\n\nBecause these logs capture request and response content, enforce **least privilege** on log access, use encryption, and set retention/lifecycle policies. Monitor for anomalies and set up alerts to support **defense in depth** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/bedrock_model_invocation_logging_enabled"
      ]
    },
    "risk_details": "Without **invocation logs**, you lose **auditability** and **forensic visibility** into model activity.\n\nCredential misuse or **prompt injection/jailbreak** attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens **integrity** controls and slows incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Bedrock Model Invocation Logging is disabled.",
    "metadata": {
      "event_code": "bedrock_model_invocation_logging_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Bedrock Model Invocation Logging is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready",
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.GenAI.CN05.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_a_1_1"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "SSO-05.01AC",
          "PSS-04.05B"
        ],
        "ISO27001-2022": [
          "A.8.15"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Bedrock** model invocation logging captures request, response, and metadata for `Converse`, `ConverseStream`, `InvokeModel`, and `InvokeModelWithResponseStream` calls per Region, delivering records to **CloudWatch Logs** and/or **S3** when configured.",
      "title": "Amazon Bedrock model invocation logging is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-bedrock_model_invocation_logging_enabled-211203495394-us-east-2-model-invocation-logging"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-2",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false,
            "cloudwatch_log_group": null,
            "s3_bucket": null
          }
        },
        "group": {
          "name": "bedrock"
        },
        "labels": [],
        "name": "model-invocation-logging",
        "type": "Other",
        "uid": "arn:aws:bedrock:us-east-2:211203495394:model-invocation-logging"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-2"
    },
    "remediation": {
      "desc": "Enable **model invocation logging** and route events to **CloudWatch Logs** and/or **S3**.\n\nBecause these logs capture request and response content, enforce **least privilege** on log access, use encryption, and set retention/lifecycle policies. Monitor for anomalies and set up alerts to support **defense in depth** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/bedrock_model_invocation_logging_enabled"
      ]
    },
    "risk_details": "Without **invocation logs**, you lose **auditability** and **forensic visibility** into model activity.\n\nCredential misuse or **prompt injection/jailbreak** attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens **integrity** controls and slows incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Bedrock Model Invocation Logging is disabled.",
    "metadata": {
      "event_code": "bedrock_model_invocation_logging_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Bedrock Model Invocation Logging is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready",
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.GenAI.CN05.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_a_1_1"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "SSO-05.01AC",
          "PSS-04.05B"
        ],
        "ISO27001-2022": [
          "A.8.15"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Bedrock** model invocation logging captures request, response, and metadata for `Converse`, `ConverseStream`, `InvokeModel`, and `InvokeModelWithResponseStream` calls per Region, delivering records to **CloudWatch Logs** and/or **S3** when configured.",
      "title": "Amazon Bedrock model invocation logging is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-bedrock_model_invocation_logging_enabled-211203495394-us-west-1-model-invocation-logging"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-1",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false,
            "cloudwatch_log_group": null,
            "s3_bucket": null
          }
        },
        "group": {
          "name": "bedrock"
        },
        "labels": [],
        "name": "model-invocation-logging",
        "type": "Other",
        "uid": "arn:aws:bedrock:us-west-1:211203495394:model-invocation-logging"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-1"
    },
    "remediation": {
      "desc": "Enable **model invocation logging** and route events to **CloudWatch Logs** and/or **S3**.\n\nBecause these logs capture request and response content, enforce **least privilege** on log access, use encryption, and set retention/lifecycle policies. Monitor for anomalies and set up alerts to support **defense in depth** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/bedrock_model_invocation_logging_enabled"
      ]
    },
    "risk_details": "Without **invocation logs**, you lose **auditability** and **forensic visibility** into model activity.\n\nCredential misuse or **prompt injection/jailbreak** attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens **integrity** controls and slows incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Bedrock Model Invocation Logging is disabled.",
    "metadata": {
      "event_code": "bedrock_model_invocation_logging_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Bedrock Model Invocation Logging is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready",
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html",
        "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.GenAI.CN05.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_a_1_1"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "SSO-05.01AC",
          "PSS-04.05B"
        ],
        "ISO27001-2022": [
          "A.8.15"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Bedrock** model invocation logging captures request, response, and metadata for `Converse`, `ConverseStream`, `InvokeModel`, and `InvokeModelWithResponseStream` calls per Region, delivering records to **CloudWatch Logs** and/or **S3** when configured.",
      "title": "Amazon Bedrock model invocation logging is enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-bedrock_model_invocation_logging_enabled-211203495394-us-west-2-model-invocation-logging"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-2",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false,
            "cloudwatch_log_group": null,
            "s3_bucket": null
          }
        },
        "group": {
          "name": "bedrock"
        },
        "labels": [],
        "name": "model-invocation-logging",
        "type": "Other",
        "uid": "arn:aws:bedrock:us-west-2:211203495394:model-invocation-logging"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-2"
    },
    "remediation": {
      "desc": "Enable **model invocation logging** and route events to **CloudWatch Logs** and/or **S3**.\n\nBecause these logs capture request and response content, enforce **least privilege** on log access, use encryption, and set retention/lifecycle policies. Monitor for anomalies and set up alerts to support **defense in depth** and **separation of duties**.",
      "references": [
        "https://hub.prowler.com/check/bedrock_model_invocation_logging_enabled"
      ]
    },
    "risk_details": "Without **invocation logs**, you lose **auditability** and **forensic visibility** into model activity.\n\nCredential misuse or **prompt injection/jailbreak** attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens **integrity** controls and slows incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled with logging were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled with logging were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_6_ii",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "au-2",
          "ca-7"
        ],
        "CIS-6.0": [
          "4.1"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_4",
          "ac_3_1",
          "ac_3_10",
          "ac_4_26",
          "ac_6_9",
          "au_2_b",
          "au_3_1",
          "au_3_a",
          "au_3_b",
          "au_3_c",
          "au_3_d",
          "au_3_e",
          "au_3_f",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_8_b",
          "au_10",
          "au_12_a",
          "au_12_c",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_12_4",
          "au_14_a",
          "au_14_b",
          "au_14_3",
          "ca_7_b",
          "cm_5_1_b",
          "cm_6_a",
          "cm_9_b",
          "ia_3_3_b",
          "ma_4_1_a",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_7_9_b",
          "si_1_1_c",
          "si_3_8_b",
          "si_4_2",
          "si_4_17",
          "si_4_20",
          "si_7_8",
          "si_10_1_c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR03",
          "CCC.AuditLog.CN02.AR01",
          "CCC.AuditLog.CN05.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "3.2",
          "3.2.3",
          "3.4",
          "3.4.d",
          "10.1",
          "10.2",
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.6",
          "10.2.7",
          "10.3",
          "10.3.1",
          "10.3.2",
          "10.3.3",
          "10.3.4",
          "10.3.5",
          "10.3.6",
          "10.5",
          "10.5.4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management",
          "4.2-validation-documentation-change-control"
        ],
        "CIS-2.0": [
          "3.1"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "LOG-07",
          "LOG-08"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.22",
          "10.2.1.2.19",
          "10.2.1.3.19",
          "10.2.1.4.19",
          "10.2.1.5.19",
          "10.2.1.6.19",
          "10.2.1.7.19",
          "10.2.1.19",
          "10.2.2.19",
          "10.3.1.19",
          "10.6.3.24",
          "5.3.4.22",
          "A1.2.1.23"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1",
          "d2-ma-ma-b-2",
          "d3-dc-an-b-3",
          "d3-dc-an-b-4",
          "d3-dc-an-b-5",
          "d3-dc-ev-b-1",
          "d3-dc-ev-b-3",
          "d3-pc-im-b-3",
          "d3-pc-im-b-7",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.1.1"
        ],
        "CIS-4.0.1": [
          "3.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02",
          "SEC04-BP03"
        ],
        "CIS-3.0": [
          "3.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_7_2",
          "cc_a_1_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "OIS-05.02B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-15.03B",
          "IAM-07.04B",
          "DEV-08.02B",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-12.03AC"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "CloudTrail.1"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6",
          "14.2",
          "16.6"
        ],
        "CIS-1.4": [
          "3.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "ac_2",
          "au_2",
          "au_3",
          "au_12",
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ae_1",
          "ae_3",
          "ae_4",
          "cm_1",
          "cm_3",
          "cm_6",
          "cm_7",
          "am_3",
          "ac_6",
          "ds_5",
          "ma_2",
          "pt_1"
        ],
        "CIS-5.0": [
          "3.1"
        ],
        "CIS-1.5": [
          "3.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "ac-2-g",
          "au-2-a-d",
          "au-3",
          "au-6-1-3",
          "au-12-a-c",
          "ca-7-a-b",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-e",
          "11.10-k",
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_3",
          "3_4_1",
          "3_6_1",
          "3_6_2",
          "3_13_1",
          "3_13_2",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r5.aws.iam.1",
          "op.exp.5.aws.ct.1",
          "op.exp.8.aws.ct.1",
          "op.exp.8.aws.ct.6",
          "op.exp.9.aws.ct.1",
          "op.mon.1.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.12.4.T"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
      "title": "Region has at least one CloudTrail trail logging",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled-211203495394-ap-northeast-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-1"
    },
    "remediation": {
      "desc": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
      ]
    },
    "risk_details": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response, with impact on confidentiality and integrity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled with logging were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled with logging were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_6_ii",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "au-2",
          "ca-7"
        ],
        "CIS-6.0": [
          "4.1"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_4",
          "ac_3_1",
          "ac_3_10",
          "ac_4_26",
          "ac_6_9",
          "au_2_b",
          "au_3_1",
          "au_3_a",
          "au_3_b",
          "au_3_c",
          "au_3_d",
          "au_3_e",
          "au_3_f",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_8_b",
          "au_10",
          "au_12_a",
          "au_12_c",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_12_4",
          "au_14_a",
          "au_14_b",
          "au_14_3",
          "ca_7_b",
          "cm_5_1_b",
          "cm_6_a",
          "cm_9_b",
          "ia_3_3_b",
          "ma_4_1_a",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_7_9_b",
          "si_1_1_c",
          "si_3_8_b",
          "si_4_2",
          "si_4_17",
          "si_4_20",
          "si_7_8",
          "si_10_1_c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR03",
          "CCC.AuditLog.CN02.AR01",
          "CCC.AuditLog.CN05.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "3.2",
          "3.2.3",
          "3.4",
          "3.4.d",
          "10.1",
          "10.2",
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.6",
          "10.2.7",
          "10.3",
          "10.3.1",
          "10.3.2",
          "10.3.3",
          "10.3.4",
          "10.3.5",
          "10.3.6",
          "10.5",
          "10.5.4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management",
          "4.2-validation-documentation-change-control"
        ],
        "CIS-2.0": [
          "3.1"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "LOG-07",
          "LOG-08"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.22",
          "10.2.1.2.19",
          "10.2.1.3.19",
          "10.2.1.4.19",
          "10.2.1.5.19",
          "10.2.1.6.19",
          "10.2.1.7.19",
          "10.2.1.19",
          "10.2.2.19",
          "10.3.1.19",
          "10.6.3.24",
          "5.3.4.22",
          "A1.2.1.23"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1",
          "d2-ma-ma-b-2",
          "d3-dc-an-b-3",
          "d3-dc-an-b-4",
          "d3-dc-an-b-5",
          "d3-dc-ev-b-1",
          "d3-dc-ev-b-3",
          "d3-pc-im-b-3",
          "d3-pc-im-b-7",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.1.1"
        ],
        "CIS-4.0.1": [
          "3.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02",
          "SEC04-BP03"
        ],
        "CIS-3.0": [
          "3.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_7_2",
          "cc_a_1_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "OIS-05.02B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-15.03B",
          "IAM-07.04B",
          "DEV-08.02B",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-12.03AC"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "CloudTrail.1"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6",
          "14.2",
          "16.6"
        ],
        "CIS-1.4": [
          "3.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "ac_2",
          "au_2",
          "au_3",
          "au_12",
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ae_1",
          "ae_3",
          "ae_4",
          "cm_1",
          "cm_3",
          "cm_6",
          "cm_7",
          "am_3",
          "ac_6",
          "ds_5",
          "ma_2",
          "pt_1"
        ],
        "CIS-5.0": [
          "3.1"
        ],
        "CIS-1.5": [
          "3.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "ac-2-g",
          "au-2-a-d",
          "au-3",
          "au-6-1-3",
          "au-12-a-c",
          "ca-7-a-b",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-e",
          "11.10-k",
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_3",
          "3_4_1",
          "3_6_1",
          "3_6_2",
          "3_13_1",
          "3_13_2",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r5.aws.iam.1",
          "op.exp.5.aws.ct.1",
          "op.exp.8.aws.ct.1",
          "op.exp.8.aws.ct.6",
          "op.exp.9.aws.ct.1",
          "op.mon.1.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.12.4.T"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
      "title": "Region has at least one CloudTrail trail logging",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled-211203495394-ap-northeast-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-2",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-2"
    },
    "remediation": {
      "desc": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
      ]
    },
    "risk_details": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response (confidentiality and integrity).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled with logging were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled with logging were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_6_ii",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "au-2",
          "ca-7"
        ],
        "CIS-6.0": [
          "4.1"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_4",
          "ac_3_1",
          "ac_3_10",
          "ac_4_26",
          "ac_6_9",
          "au_2_b",
          "au_3_1",
          "au_3_a",
          "au_3_b",
          "au_3_c",
          "au_3_d",
          "au_3_e",
          "au_3_f",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_8_b",
          "au_10",
          "au_12_a",
          "au_12_c",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_12_4",
          "au_14_a",
          "au_14_b",
          "au_14_3",
          "ca_7_b",
          "cm_5_1_b",
          "cm_6_a",
          "cm_9_b",
          "ia_3_3_b",
          "ma_4_1_a",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_7_9_b",
          "si_1_1_c",
          "si_3_8_b",
          "si_4_2",
          "si_4_17",
          "si_4_20",
          "si_7_8",
          "si_10_1_c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR03",
          "CCC.AuditLog.CN02.AR01",
          "CCC.AuditLog.CN05.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "3.2",
          "3.2.3",
          "3.4",
          "3.4.d",
          "10.1",
          "10.2",
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.6",
          "10.2.7",
          "10.3",
          "10.3.1",
          "10.3.2",
          "10.3.3",
          "10.3.4",
          "10.3.5",
          "10.3.6",
          "10.5",
          "10.5.4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management",
          "4.2-validation-documentation-change-control"
        ],
        "CIS-2.0": [
          "3.1"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "LOG-07",
          "LOG-08"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.22",
          "10.2.1.2.19",
          "10.2.1.3.19",
          "10.2.1.4.19",
          "10.2.1.5.19",
          "10.2.1.6.19",
          "10.2.1.7.19",
          "10.2.1.19",
          "10.2.2.19",
          "10.3.1.19",
          "10.6.3.24",
          "5.3.4.22",
          "A1.2.1.23"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1",
          "d2-ma-ma-b-2",
          "d3-dc-an-b-3",
          "d3-dc-an-b-4",
          "d3-dc-an-b-5",
          "d3-dc-ev-b-1",
          "d3-dc-ev-b-3",
          "d3-pc-im-b-3",
          "d3-pc-im-b-7",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.1.1"
        ],
        "CIS-4.0.1": [
          "3.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02",
          "SEC04-BP03"
        ],
        "CIS-3.0": [
          "3.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_7_2",
          "cc_a_1_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "OIS-05.02B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-15.03B",
          "IAM-07.04B",
          "DEV-08.02B",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-12.03AC"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "CloudTrail.1"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6",
          "14.2",
          "16.6"
        ],
        "CIS-1.4": [
          "3.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "ac_2",
          "au_2",
          "au_3",
          "au_12",
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ae_1",
          "ae_3",
          "ae_4",
          "cm_1",
          "cm_3",
          "cm_6",
          "cm_7",
          "am_3",
          "ac_6",
          "ds_5",
          "ma_2",
          "pt_1"
        ],
        "CIS-5.0": [
          "3.1"
        ],
        "CIS-1.5": [
          "3.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "ac-2-g",
          "au-2-a-d",
          "au-3",
          "au-6-1-3",
          "au-12-a-c",
          "ca-7-a-b",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-e",
          "11.10-k",
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_3",
          "3_4_1",
          "3_6_1",
          "3_6_2",
          "3_13_1",
          "3_13_2",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r5.aws.iam.1",
          "op.exp.5.aws.ct.1",
          "op.exp.8.aws.ct.1",
          "op.exp.8.aws.ct.6",
          "op.exp.9.aws.ct.1",
          "op.mon.1.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.12.4.T"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
      "title": "Region has at least one CloudTrail trail logging",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled-211203495394-ap-northeast-3-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-3",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-3"
    },
    "remediation": {
      "desc": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
      ]
    },
    "risk_details": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response (confidentiality and integrity).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled with logging were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled with logging were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_6_ii",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "au-2",
          "ca-7"
        ],
        "CIS-6.0": [
          "4.1"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_4",
          "ac_3_1",
          "ac_3_10",
          "ac_4_26",
          "ac_6_9",
          "au_2_b",
          "au_3_1",
          "au_3_a",
          "au_3_b",
          "au_3_c",
          "au_3_d",
          "au_3_e",
          "au_3_f",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_8_b",
          "au_10",
          "au_12_a",
          "au_12_c",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_12_4",
          "au_14_a",
          "au_14_b",
          "au_14_3",
          "ca_7_b",
          "cm_5_1_b",
          "cm_6_a",
          "cm_9_b",
          "ia_3_3_b",
          "ma_4_1_a",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_7_9_b",
          "si_1_1_c",
          "si_3_8_b",
          "si_4_2",
          "si_4_17",
          "si_4_20",
          "si_7_8",
          "si_10_1_c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR03",
          "CCC.AuditLog.CN02.AR01",
          "CCC.AuditLog.CN05.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "3.2",
          "3.2.3",
          "3.4",
          "3.4.d",
          "10.1",
          "10.2",
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.6",
          "10.2.7",
          "10.3",
          "10.3.1",
          "10.3.2",
          "10.3.3",
          "10.3.4",
          "10.3.5",
          "10.3.6",
          "10.5",
          "10.5.4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management",
          "4.2-validation-documentation-change-control"
        ],
        "CIS-2.0": [
          "3.1"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "LOG-07",
          "LOG-08"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.22",
          "10.2.1.2.19",
          "10.2.1.3.19",
          "10.2.1.4.19",
          "10.2.1.5.19",
          "10.2.1.6.19",
          "10.2.1.7.19",
          "10.2.1.19",
          "10.2.2.19",
          "10.3.1.19",
          "10.6.3.24",
          "5.3.4.22",
          "A1.2.1.23"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1",
          "d2-ma-ma-b-2",
          "d3-dc-an-b-3",
          "d3-dc-an-b-4",
          "d3-dc-an-b-5",
          "d3-dc-ev-b-1",
          "d3-dc-ev-b-3",
          "d3-pc-im-b-3",
          "d3-pc-im-b-7",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.1.1"
        ],
        "CIS-4.0.1": [
          "3.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02",
          "SEC04-BP03"
        ],
        "CIS-3.0": [
          "3.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_7_2",
          "cc_a_1_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "OIS-05.02B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-15.03B",
          "IAM-07.04B",
          "DEV-08.02B",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-12.03AC"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "CloudTrail.1"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6",
          "14.2",
          "16.6"
        ],
        "CIS-1.4": [
          "3.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "ac_2",
          "au_2",
          "au_3",
          "au_12",
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ae_1",
          "ae_3",
          "ae_4",
          "cm_1",
          "cm_3",
          "cm_6",
          "cm_7",
          "am_3",
          "ac_6",
          "ds_5",
          "ma_2",
          "pt_1"
        ],
        "CIS-5.0": [
          "3.1"
        ],
        "CIS-1.5": [
          "3.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "ac-2-g",
          "au-2-a-d",
          "au-3",
          "au-6-1-3",
          "au-12-a-c",
          "ca-7-a-b",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-e",
          "11.10-k",
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_3",
          "3_4_1",
          "3_6_1",
          "3_6_2",
          "3_13_1",
          "3_13_2",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r5.aws.iam.1",
          "op.exp.5.aws.ct.1",
          "op.exp.8.aws.ct.1",
          "op.exp.8.aws.ct.6",
          "op.exp.9.aws.ct.1",
          "op.mon.1.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.12.4.T"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
      "title": "Region has at least one CloudTrail trail logging",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled-211203495394-ap-south-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-south-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:ap-south-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-south-1"
    },
    "remediation": {
      "desc": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
      ]
    },
    "risk_details": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response (confidentiality and integrity).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled with logging were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled with logging were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_6_ii",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "au-2",
          "ca-7"
        ],
        "CIS-6.0": [
          "4.1"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_4",
          "ac_3_1",
          "ac_3_10",
          "ac_4_26",
          "ac_6_9",
          "au_2_b",
          "au_3_1",
          "au_3_a",
          "au_3_b",
          "au_3_c",
          "au_3_d",
          "au_3_e",
          "au_3_f",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_8_b",
          "au_10",
          "au_12_a",
          "au_12_c",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_12_4",
          "au_14_a",
          "au_14_b",
          "au_14_3",
          "ca_7_b",
          "cm_5_1_b",
          "cm_6_a",
          "cm_9_b",
          "ia_3_3_b",
          "ma_4_1_a",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_7_9_b",
          "si_1_1_c",
          "si_3_8_b",
          "si_4_2",
          "si_4_17",
          "si_4_20",
          "si_7_8",
          "si_10_1_c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR03",
          "CCC.AuditLog.CN02.AR01",
          "CCC.AuditLog.CN05.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "3.2",
          "3.2.3",
          "3.4",
          "3.4.d",
          "10.1",
          "10.2",
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.6",
          "10.2.7",
          "10.3",
          "10.3.1",
          "10.3.2",
          "10.3.3",
          "10.3.4",
          "10.3.5",
          "10.3.6",
          "10.5",
          "10.5.4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management",
          "4.2-validation-documentation-change-control"
        ],
        "CIS-2.0": [
          "3.1"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "LOG-07",
          "LOG-08"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.22",
          "10.2.1.2.19",
          "10.2.1.3.19",
          "10.2.1.4.19",
          "10.2.1.5.19",
          "10.2.1.6.19",
          "10.2.1.7.19",
          "10.2.1.19",
          "10.2.2.19",
          "10.3.1.19",
          "10.6.3.24",
          "5.3.4.22",
          "A1.2.1.23"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1",
          "d2-ma-ma-b-2",
          "d3-dc-an-b-3",
          "d3-dc-an-b-4",
          "d3-dc-an-b-5",
          "d3-dc-ev-b-1",
          "d3-dc-ev-b-3",
          "d3-pc-im-b-3",
          "d3-pc-im-b-7",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.1.1"
        ],
        "CIS-4.0.1": [
          "3.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02",
          "SEC04-BP03"
        ],
        "CIS-3.0": [
          "3.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_7_2",
          "cc_a_1_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "OIS-05.02B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-15.03B",
          "IAM-07.04B",
          "DEV-08.02B",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-12.03AC"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "CloudTrail.1"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6",
          "14.2",
          "16.6"
        ],
        "CIS-1.4": [
          "3.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "ac_2",
          "au_2",
          "au_3",
          "au_12",
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ae_1",
          "ae_3",
          "ae_4",
          "cm_1",
          "cm_3",
          "cm_6",
          "cm_7",
          "am_3",
          "ac_6",
          "ds_5",
          "ma_2",
          "pt_1"
        ],
        "CIS-5.0": [
          "3.1"
        ],
        "CIS-1.5": [
          "3.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "ac-2-g",
          "au-2-a-d",
          "au-3",
          "au-6-1-3",
          "au-12-a-c",
          "ca-7-a-b",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-e",
          "11.10-k",
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_3",
          "3_4_1",
          "3_6_1",
          "3_6_2",
          "3_13_1",
          "3_13_2",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r5.aws.iam.1",
          "op.exp.5.aws.ct.1",
          "op.exp.8.aws.ct.1",
          "op.exp.8.aws.ct.6",
          "op.exp.9.aws.ct.1",
          "op.mon.1.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.12.4.T"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
      "title": "Region has at least one CloudTrail trail logging",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled-211203495394-ap-southeast-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-1"
    },
    "remediation": {
      "desc": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
      ]
    },
    "risk_details": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response (confidentiality and integrity).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled with logging were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled with logging were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_6_ii",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "au-2",
          "ca-7"
        ],
        "CIS-6.0": [
          "4.1"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_4",
          "ac_3_1",
          "ac_3_10",
          "ac_4_26",
          "ac_6_9",
          "au_2_b",
          "au_3_1",
          "au_3_a",
          "au_3_b",
          "au_3_c",
          "au_3_d",
          "au_3_e",
          "au_3_f",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_8_b",
          "au_10",
          "au_12_a",
          "au_12_c",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_12_4",
          "au_14_a",
          "au_14_b",
          "au_14_3",
          "ca_7_b",
          "cm_5_1_b",
          "cm_6_a",
          "cm_9_b",
          "ia_3_3_b",
          "ma_4_1_a",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_7_9_b",
          "si_1_1_c",
          "si_3_8_b",
          "si_4_2",
          "si_4_17",
          "si_4_20",
          "si_7_8",
          "si_10_1_c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR03",
          "CCC.AuditLog.CN02.AR01",
          "CCC.AuditLog.CN05.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "3.2",
          "3.2.3",
          "3.4",
          "3.4.d",
          "10.1",
          "10.2",
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.6",
          "10.2.7",
          "10.3",
          "10.3.1",
          "10.3.2",
          "10.3.3",
          "10.3.4",
          "10.3.5",
          "10.3.6",
          "10.5",
          "10.5.4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management",
          "4.2-validation-documentation-change-control"
        ],
        "CIS-2.0": [
          "3.1"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "LOG-07",
          "LOG-08"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.22",
          "10.2.1.2.19",
          "10.2.1.3.19",
          "10.2.1.4.19",
          "10.2.1.5.19",
          "10.2.1.6.19",
          "10.2.1.7.19",
          "10.2.1.19",
          "10.2.2.19",
          "10.3.1.19",
          "10.6.3.24",
          "5.3.4.22",
          "A1.2.1.23"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1",
          "d2-ma-ma-b-2",
          "d3-dc-an-b-3",
          "d3-dc-an-b-4",
          "d3-dc-an-b-5",
          "d3-dc-ev-b-1",
          "d3-dc-ev-b-3",
          "d3-pc-im-b-3",
          "d3-pc-im-b-7",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.1.1"
        ],
        "CIS-4.0.1": [
          "3.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02",
          "SEC04-BP03"
        ],
        "CIS-3.0": [
          "3.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_7_2",
          "cc_a_1_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "OIS-05.02B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-15.03B",
          "IAM-07.04B",
          "DEV-08.02B",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-12.03AC"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "CloudTrail.1"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6",
          "14.2",
          "16.6"
        ],
        "CIS-1.4": [
          "3.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "ac_2",
          "au_2",
          "au_3",
          "au_12",
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ae_1",
          "ae_3",
          "ae_4",
          "cm_1",
          "cm_3",
          "cm_6",
          "cm_7",
          "am_3",
          "ac_6",
          "ds_5",
          "ma_2",
          "pt_1"
        ],
        "CIS-5.0": [
          "3.1"
        ],
        "CIS-1.5": [
          "3.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "ac-2-g",
          "au-2-a-d",
          "au-3",
          "au-6-1-3",
          "au-12-a-c",
          "ca-7-a-b",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-e",
          "11.10-k",
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_3",
          "3_4_1",
          "3_6_1",
          "3_6_2",
          "3_13_1",
          "3_13_2",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r5.aws.iam.1",
          "op.exp.5.aws.ct.1",
          "op.exp.8.aws.ct.1",
          "op.exp.8.aws.ct.6",
          "op.exp.9.aws.ct.1",
          "op.mon.1.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.12.4.T"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
      "title": "Region has at least one CloudTrail trail logging",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled-211203495394-ap-southeast-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-2",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-2"
    },
    "remediation": {
      "desc": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
      ]
    },
    "risk_details": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response (confidentiality and integrity).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled with logging were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled with logging were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_6_ii",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "au-2",
          "ca-7"
        ],
        "CIS-6.0": [
          "4.1"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_4",
          "ac_3_1",
          "ac_3_10",
          "ac_4_26",
          "ac_6_9",
          "au_2_b",
          "au_3_1",
          "au_3_a",
          "au_3_b",
          "au_3_c",
          "au_3_d",
          "au_3_e",
          "au_3_f",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_8_b",
          "au_10",
          "au_12_a",
          "au_12_c",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_12_4",
          "au_14_a",
          "au_14_b",
          "au_14_3",
          "ca_7_b",
          "cm_5_1_b",
          "cm_6_a",
          "cm_9_b",
          "ia_3_3_b",
          "ma_4_1_a",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_7_9_b",
          "si_1_1_c",
          "si_3_8_b",
          "si_4_2",
          "si_4_17",
          "si_4_20",
          "si_7_8",
          "si_10_1_c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR03",
          "CCC.AuditLog.CN02.AR01",
          "CCC.AuditLog.CN05.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "3.2",
          "3.2.3",
          "3.4",
          "3.4.d",
          "10.1",
          "10.2",
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.6",
          "10.2.7",
          "10.3",
          "10.3.1",
          "10.3.2",
          "10.3.3",
          "10.3.4",
          "10.3.5",
          "10.3.6",
          "10.5",
          "10.5.4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management",
          "4.2-validation-documentation-change-control"
        ],
        "CIS-2.0": [
          "3.1"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "LOG-07",
          "LOG-08"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.22",
          "10.2.1.2.19",
          "10.2.1.3.19",
          "10.2.1.4.19",
          "10.2.1.5.19",
          "10.2.1.6.19",
          "10.2.1.7.19",
          "10.2.1.19",
          "10.2.2.19",
          "10.3.1.19",
          "10.6.3.24",
          "5.3.4.22",
          "A1.2.1.23"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1",
          "d2-ma-ma-b-2",
          "d3-dc-an-b-3",
          "d3-dc-an-b-4",
          "d3-dc-an-b-5",
          "d3-dc-ev-b-1",
          "d3-dc-ev-b-3",
          "d3-pc-im-b-3",
          "d3-pc-im-b-7",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.1.1"
        ],
        "CIS-4.0.1": [
          "3.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02",
          "SEC04-BP03"
        ],
        "CIS-3.0": [
          "3.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_7_2",
          "cc_a_1_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "OIS-05.02B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-15.03B",
          "IAM-07.04B",
          "DEV-08.02B",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-12.03AC"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "CloudTrail.1"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6",
          "14.2",
          "16.6"
        ],
        "CIS-1.4": [
          "3.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "ac_2",
          "au_2",
          "au_3",
          "au_12",
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ae_1",
          "ae_3",
          "ae_4",
          "cm_1",
          "cm_3",
          "cm_6",
          "cm_7",
          "am_3",
          "ac_6",
          "ds_5",
          "ma_2",
          "pt_1"
        ],
        "CIS-5.0": [
          "3.1"
        ],
        "CIS-1.5": [
          "3.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "ac-2-g",
          "au-2-a-d",
          "au-3",
          "au-6-1-3",
          "au-12-a-c",
          "ca-7-a-b",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-e",
          "11.10-k",
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_3",
          "3_4_1",
          "3_6_1",
          "3_6_2",
          "3_13_1",
          "3_13_2",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r5.aws.iam.1",
          "op.exp.5.aws.ct.1",
          "op.exp.8.aws.ct.1",
          "op.exp.8.aws.ct.6",
          "op.exp.9.aws.ct.1",
          "op.mon.1.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.12.4.T"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
      "title": "Region has at least one CloudTrail trail logging",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled-211203495394-ca-central-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ca-central-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:ca-central-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ca-central-1"
    },
    "remediation": {
      "desc": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
      ]
    },
    "risk_details": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response (confidentiality and integrity).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled with logging were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled with logging were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_6_ii",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "au-2",
          "ca-7"
        ],
        "CIS-6.0": [
          "4.1"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_4",
          "ac_3_1",
          "ac_3_10",
          "ac_4_26",
          "ac_6_9",
          "au_2_b",
          "au_3_1",
          "au_3_a",
          "au_3_b",
          "au_3_c",
          "au_3_d",
          "au_3_e",
          "au_3_f",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_8_b",
          "au_10",
          "au_12_a",
          "au_12_c",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_12_4",
          "au_14_a",
          "au_14_b",
          "au_14_3",
          "ca_7_b",
          "cm_5_1_b",
          "cm_6_a",
          "cm_9_b",
          "ia_3_3_b",
          "ma_4_1_a",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_7_9_b",
          "si_1_1_c",
          "si_3_8_b",
          "si_4_2",
          "si_4_17",
          "si_4_20",
          "si_7_8",
          "si_10_1_c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR03",
          "CCC.AuditLog.CN02.AR01",
          "CCC.AuditLog.CN05.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "3.2",
          "3.2.3",
          "3.4",
          "3.4.d",
          "10.1",
          "10.2",
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.6",
          "10.2.7",
          "10.3",
          "10.3.1",
          "10.3.2",
          "10.3.3",
          "10.3.4",
          "10.3.5",
          "10.3.6",
          "10.5",
          "10.5.4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management",
          "4.2-validation-documentation-change-control"
        ],
        "CIS-2.0": [
          "3.1"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "LOG-07",
          "LOG-08"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.22",
          "10.2.1.2.19",
          "10.2.1.3.19",
          "10.2.1.4.19",
          "10.2.1.5.19",
          "10.2.1.6.19",
          "10.2.1.7.19",
          "10.2.1.19",
          "10.2.2.19",
          "10.3.1.19",
          "10.6.3.24",
          "5.3.4.22",
          "A1.2.1.23"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1",
          "d2-ma-ma-b-2",
          "d3-dc-an-b-3",
          "d3-dc-an-b-4",
          "d3-dc-an-b-5",
          "d3-dc-ev-b-1",
          "d3-dc-ev-b-3",
          "d3-pc-im-b-3",
          "d3-pc-im-b-7",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.1.1"
        ],
        "CIS-4.0.1": [
          "3.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02",
          "SEC04-BP03"
        ],
        "CIS-3.0": [
          "3.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_7_2",
          "cc_a_1_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "OIS-05.02B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-15.03B",
          "IAM-07.04B",
          "DEV-08.02B",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-12.03AC"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "CloudTrail.1"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6",
          "14.2",
          "16.6"
        ],
        "CIS-1.4": [
          "3.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "ac_2",
          "au_2",
          "au_3",
          "au_12",
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ae_1",
          "ae_3",
          "ae_4",
          "cm_1",
          "cm_3",
          "cm_6",
          "cm_7",
          "am_3",
          "ac_6",
          "ds_5",
          "ma_2",
          "pt_1"
        ],
        "CIS-5.0": [
          "3.1"
        ],
        "CIS-1.5": [
          "3.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "ac-2-g",
          "au-2-a-d",
          "au-3",
          "au-6-1-3",
          "au-12-a-c",
          "ca-7-a-b",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-e",
          "11.10-k",
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_3",
          "3_4_1",
          "3_6_1",
          "3_6_2",
          "3_13_1",
          "3_13_2",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r5.aws.iam.1",
          "op.exp.5.aws.ct.1",
          "op.exp.8.aws.ct.1",
          "op.exp.8.aws.ct.6",
          "op.exp.9.aws.ct.1",
          "op.mon.1.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.12.4.T"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
      "title": "Region has at least one CloudTrail trail logging",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled-211203495394-eu-central-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-central-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:eu-central-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-central-1"
    },
    "remediation": {
      "desc": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
      ]
    },
    "risk_details": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response (confidentiality and integrity).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled with logging were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled with logging were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_6_ii",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "au-2",
          "ca-7"
        ],
        "CIS-6.0": [
          "4.1"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_4",
          "ac_3_1",
          "ac_3_10",
          "ac_4_26",
          "ac_6_9",
          "au_2_b",
          "au_3_1",
          "au_3_a",
          "au_3_b",
          "au_3_c",
          "au_3_d",
          "au_3_e",
          "au_3_f",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_8_b",
          "au_10",
          "au_12_a",
          "au_12_c",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_12_4",
          "au_14_a",
          "au_14_b",
          "au_14_3",
          "ca_7_b",
          "cm_5_1_b",
          "cm_6_a",
          "cm_9_b",
          "ia_3_3_b",
          "ma_4_1_a",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_7_9_b",
          "si_1_1_c",
          "si_3_8_b",
          "si_4_2",
          "si_4_17",
          "si_4_20",
          "si_7_8",
          "si_10_1_c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR03",
          "CCC.AuditLog.CN02.AR01",
          "CCC.AuditLog.CN05.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "3.2",
          "3.2.3",
          "3.4",
          "3.4.d",
          "10.1",
          "10.2",
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.6",
          "10.2.7",
          "10.3",
          "10.3.1",
          "10.3.2",
          "10.3.3",
          "10.3.4",
          "10.3.5",
          "10.3.6",
          "10.5",
          "10.5.4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management",
          "4.2-validation-documentation-change-control"
        ],
        "CIS-2.0": [
          "3.1"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "LOG-07",
          "LOG-08"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.22",
          "10.2.1.2.19",
          "10.2.1.3.19",
          "10.2.1.4.19",
          "10.2.1.5.19",
          "10.2.1.6.19",
          "10.2.1.7.19",
          "10.2.1.19",
          "10.2.2.19",
          "10.3.1.19",
          "10.6.3.24",
          "5.3.4.22",
          "A1.2.1.23"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1",
          "d2-ma-ma-b-2",
          "d3-dc-an-b-3",
          "d3-dc-an-b-4",
          "d3-dc-an-b-5",
          "d3-dc-ev-b-1",
          "d3-dc-ev-b-3",
          "d3-pc-im-b-3",
          "d3-pc-im-b-7",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.1.1"
        ],
        "CIS-4.0.1": [
          "3.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02",
          "SEC04-BP03"
        ],
        "CIS-3.0": [
          "3.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_7_2",
          "cc_a_1_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "OIS-05.02B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-15.03B",
          "IAM-07.04B",
          "DEV-08.02B",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-12.03AC"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "CloudTrail.1"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6",
          "14.2",
          "16.6"
        ],
        "CIS-1.4": [
          "3.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "ac_2",
          "au_2",
          "au_3",
          "au_12",
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ae_1",
          "ae_3",
          "ae_4",
          "cm_1",
          "cm_3",
          "cm_6",
          "cm_7",
          "am_3",
          "ac_6",
          "ds_5",
          "ma_2",
          "pt_1"
        ],
        "CIS-5.0": [
          "3.1"
        ],
        "CIS-1.5": [
          "3.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "ac-2-g",
          "au-2-a-d",
          "au-3",
          "au-6-1-3",
          "au-12-a-c",
          "ca-7-a-b",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-e",
          "11.10-k",
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_3",
          "3_4_1",
          "3_6_1",
          "3_6_2",
          "3_13_1",
          "3_13_2",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r5.aws.iam.1",
          "op.exp.5.aws.ct.1",
          "op.exp.8.aws.ct.1",
          "op.exp.8.aws.ct.6",
          "op.exp.9.aws.ct.1",
          "op.mon.1.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.12.4.T"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
      "title": "Region has at least one CloudTrail trail logging",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled-211203495394-eu-north-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-north-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:eu-north-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-north-1"
    },
    "remediation": {
      "desc": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
      ]
    },
    "risk_details": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response (confidentiality and integrity).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled with logging were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled with logging were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_6_ii",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "au-2",
          "ca-7"
        ],
        "CIS-6.0": [
          "4.1"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_4",
          "ac_3_1",
          "ac_3_10",
          "ac_4_26",
          "ac_6_9",
          "au_2_b",
          "au_3_1",
          "au_3_a",
          "au_3_b",
          "au_3_c",
          "au_3_d",
          "au_3_e",
          "au_3_f",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_8_b",
          "au_10",
          "au_12_a",
          "au_12_c",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_12_4",
          "au_14_a",
          "au_14_b",
          "au_14_3",
          "ca_7_b",
          "cm_5_1_b",
          "cm_6_a",
          "cm_9_b",
          "ia_3_3_b",
          "ma_4_1_a",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_7_9_b",
          "si_1_1_c",
          "si_3_8_b",
          "si_4_2",
          "si_4_17",
          "si_4_20",
          "si_7_8",
          "si_10_1_c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR03",
          "CCC.AuditLog.CN02.AR01",
          "CCC.AuditLog.CN05.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "3.2",
          "3.2.3",
          "3.4",
          "3.4.d",
          "10.1",
          "10.2",
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.6",
          "10.2.7",
          "10.3",
          "10.3.1",
          "10.3.2",
          "10.3.3",
          "10.3.4",
          "10.3.5",
          "10.3.6",
          "10.5",
          "10.5.4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management",
          "4.2-validation-documentation-change-control"
        ],
        "CIS-2.0": [
          "3.1"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "LOG-07",
          "LOG-08"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.22",
          "10.2.1.2.19",
          "10.2.1.3.19",
          "10.2.1.4.19",
          "10.2.1.5.19",
          "10.2.1.6.19",
          "10.2.1.7.19",
          "10.2.1.19",
          "10.2.2.19",
          "10.3.1.19",
          "10.6.3.24",
          "5.3.4.22",
          "A1.2.1.23"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1",
          "d2-ma-ma-b-2",
          "d3-dc-an-b-3",
          "d3-dc-an-b-4",
          "d3-dc-an-b-5",
          "d3-dc-ev-b-1",
          "d3-dc-ev-b-3",
          "d3-pc-im-b-3",
          "d3-pc-im-b-7",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.1.1"
        ],
        "CIS-4.0.1": [
          "3.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02",
          "SEC04-BP03"
        ],
        "CIS-3.0": [
          "3.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_7_2",
          "cc_a_1_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "OIS-05.02B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-15.03B",
          "IAM-07.04B",
          "DEV-08.02B",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-12.03AC"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "CloudTrail.1"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6",
          "14.2",
          "16.6"
        ],
        "CIS-1.4": [
          "3.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "ac_2",
          "au_2",
          "au_3",
          "au_12",
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ae_1",
          "ae_3",
          "ae_4",
          "cm_1",
          "cm_3",
          "cm_6",
          "cm_7",
          "am_3",
          "ac_6",
          "ds_5",
          "ma_2",
          "pt_1"
        ],
        "CIS-5.0": [
          "3.1"
        ],
        "CIS-1.5": [
          "3.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "ac-2-g",
          "au-2-a-d",
          "au-3",
          "au-6-1-3",
          "au-12-a-c",
          "ca-7-a-b",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-e",
          "11.10-k",
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_3",
          "3_4_1",
          "3_6_1",
          "3_6_2",
          "3_13_1",
          "3_13_2",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r5.aws.iam.1",
          "op.exp.5.aws.ct.1",
          "op.exp.8.aws.ct.1",
          "op.exp.8.aws.ct.6",
          "op.exp.9.aws.ct.1",
          "op.mon.1.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.12.4.T"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
      "title": "Region has at least one CloudTrail trail logging",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled-211203495394-eu-west-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:eu-west-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-1"
    },
    "remediation": {
      "desc": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
      ]
    },
    "risk_details": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response (confidentiality and integrity).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled with logging were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled with logging were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_6_ii",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "au-2",
          "ca-7"
        ],
        "CIS-6.0": [
          "4.1"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_4",
          "ac_3_1",
          "ac_3_10",
          "ac_4_26",
          "ac_6_9",
          "au_2_b",
          "au_3_1",
          "au_3_a",
          "au_3_b",
          "au_3_c",
          "au_3_d",
          "au_3_e",
          "au_3_f",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_8_b",
          "au_10",
          "au_12_a",
          "au_12_c",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_12_4",
          "au_14_a",
          "au_14_b",
          "au_14_3",
          "ca_7_b",
          "cm_5_1_b",
          "cm_6_a",
          "cm_9_b",
          "ia_3_3_b",
          "ma_4_1_a",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_7_9_b",
          "si_1_1_c",
          "si_3_8_b",
          "si_4_2",
          "si_4_17",
          "si_4_20",
          "si_7_8",
          "si_10_1_c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR03",
          "CCC.AuditLog.CN02.AR01",
          "CCC.AuditLog.CN05.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "3.2",
          "3.2.3",
          "3.4",
          "3.4.d",
          "10.1",
          "10.2",
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.6",
          "10.2.7",
          "10.3",
          "10.3.1",
          "10.3.2",
          "10.3.3",
          "10.3.4",
          "10.3.5",
          "10.3.6",
          "10.5",
          "10.5.4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management",
          "4.2-validation-documentation-change-control"
        ],
        "CIS-2.0": [
          "3.1"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "LOG-07",
          "LOG-08"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.22",
          "10.2.1.2.19",
          "10.2.1.3.19",
          "10.2.1.4.19",
          "10.2.1.5.19",
          "10.2.1.6.19",
          "10.2.1.7.19",
          "10.2.1.19",
          "10.2.2.19",
          "10.3.1.19",
          "10.6.3.24",
          "5.3.4.22",
          "A1.2.1.23"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1",
          "d2-ma-ma-b-2",
          "d3-dc-an-b-3",
          "d3-dc-an-b-4",
          "d3-dc-an-b-5",
          "d3-dc-ev-b-1",
          "d3-dc-ev-b-3",
          "d3-pc-im-b-3",
          "d3-pc-im-b-7",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.1.1"
        ],
        "CIS-4.0.1": [
          "3.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02",
          "SEC04-BP03"
        ],
        "CIS-3.0": [
          "3.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_7_2",
          "cc_a_1_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "OIS-05.02B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-15.03B",
          "IAM-07.04B",
          "DEV-08.02B",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-12.03AC"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "CloudTrail.1"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6",
          "14.2",
          "16.6"
        ],
        "CIS-1.4": [
          "3.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "ac_2",
          "au_2",
          "au_3",
          "au_12",
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ae_1",
          "ae_3",
          "ae_4",
          "cm_1",
          "cm_3",
          "cm_6",
          "cm_7",
          "am_3",
          "ac_6",
          "ds_5",
          "ma_2",
          "pt_1"
        ],
        "CIS-5.0": [
          "3.1"
        ],
        "CIS-1.5": [
          "3.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "ac-2-g",
          "au-2-a-d",
          "au-3",
          "au-6-1-3",
          "au-12-a-c",
          "ca-7-a-b",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-e",
          "11.10-k",
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_3",
          "3_4_1",
          "3_6_1",
          "3_6_2",
          "3_13_1",
          "3_13_2",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r5.aws.iam.1",
          "op.exp.5.aws.ct.1",
          "op.exp.8.aws.ct.1",
          "op.exp.8.aws.ct.6",
          "op.exp.9.aws.ct.1",
          "op.mon.1.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.12.4.T"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
      "title": "Region has at least one CloudTrail trail logging",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled-211203495394-eu-west-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-2",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:eu-west-2:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-2"
    },
    "remediation": {
      "desc": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
      ]
    },
    "risk_details": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response (confidentiality and integrity).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled with logging were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled with logging were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_6_ii",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "au-2",
          "ca-7"
        ],
        "CIS-6.0": [
          "4.1"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_4",
          "ac_3_1",
          "ac_3_10",
          "ac_4_26",
          "ac_6_9",
          "au_2_b",
          "au_3_1",
          "au_3_a",
          "au_3_b",
          "au_3_c",
          "au_3_d",
          "au_3_e",
          "au_3_f",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_8_b",
          "au_10",
          "au_12_a",
          "au_12_c",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_12_4",
          "au_14_a",
          "au_14_b",
          "au_14_3",
          "ca_7_b",
          "cm_5_1_b",
          "cm_6_a",
          "cm_9_b",
          "ia_3_3_b",
          "ma_4_1_a",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_7_9_b",
          "si_1_1_c",
          "si_3_8_b",
          "si_4_2",
          "si_4_17",
          "si_4_20",
          "si_7_8",
          "si_10_1_c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR03",
          "CCC.AuditLog.CN02.AR01",
          "CCC.AuditLog.CN05.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "3.2",
          "3.2.3",
          "3.4",
          "3.4.d",
          "10.1",
          "10.2",
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.6",
          "10.2.7",
          "10.3",
          "10.3.1",
          "10.3.2",
          "10.3.3",
          "10.3.4",
          "10.3.5",
          "10.3.6",
          "10.5",
          "10.5.4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management",
          "4.2-validation-documentation-change-control"
        ],
        "CIS-2.0": [
          "3.1"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "LOG-07",
          "LOG-08"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.22",
          "10.2.1.2.19",
          "10.2.1.3.19",
          "10.2.1.4.19",
          "10.2.1.5.19",
          "10.2.1.6.19",
          "10.2.1.7.19",
          "10.2.1.19",
          "10.2.2.19",
          "10.3.1.19",
          "10.6.3.24",
          "5.3.4.22",
          "A1.2.1.23"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1",
          "d2-ma-ma-b-2",
          "d3-dc-an-b-3",
          "d3-dc-an-b-4",
          "d3-dc-an-b-5",
          "d3-dc-ev-b-1",
          "d3-dc-ev-b-3",
          "d3-pc-im-b-3",
          "d3-pc-im-b-7",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.1.1"
        ],
        "CIS-4.0.1": [
          "3.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02",
          "SEC04-BP03"
        ],
        "CIS-3.0": [
          "3.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_7_2",
          "cc_a_1_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "OIS-05.02B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-15.03B",
          "IAM-07.04B",
          "DEV-08.02B",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-12.03AC"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "CloudTrail.1"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6",
          "14.2",
          "16.6"
        ],
        "CIS-1.4": [
          "3.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "ac_2",
          "au_2",
          "au_3",
          "au_12",
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ae_1",
          "ae_3",
          "ae_4",
          "cm_1",
          "cm_3",
          "cm_6",
          "cm_7",
          "am_3",
          "ac_6",
          "ds_5",
          "ma_2",
          "pt_1"
        ],
        "CIS-5.0": [
          "3.1"
        ],
        "CIS-1.5": [
          "3.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "ac-2-g",
          "au-2-a-d",
          "au-3",
          "au-6-1-3",
          "au-12-a-c",
          "ca-7-a-b",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-e",
          "11.10-k",
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_3",
          "3_4_1",
          "3_6_1",
          "3_6_2",
          "3_13_1",
          "3_13_2",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r5.aws.iam.1",
          "op.exp.5.aws.ct.1",
          "op.exp.8.aws.ct.1",
          "op.exp.8.aws.ct.6",
          "op.exp.9.aws.ct.1",
          "op.mon.1.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.12.4.T"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
      "title": "Region has at least one CloudTrail trail logging",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled-211203495394-eu-west-3-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-3",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:eu-west-3:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-3"
    },
    "remediation": {
      "desc": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
      ]
    },
    "risk_details": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response (confidentiality and integrity).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled with logging were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled with logging were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_6_ii",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "au-2",
          "ca-7"
        ],
        "CIS-6.0": [
          "4.1"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_4",
          "ac_3_1",
          "ac_3_10",
          "ac_4_26",
          "ac_6_9",
          "au_2_b",
          "au_3_1",
          "au_3_a",
          "au_3_b",
          "au_3_c",
          "au_3_d",
          "au_3_e",
          "au_3_f",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_8_b",
          "au_10",
          "au_12_a",
          "au_12_c",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_12_4",
          "au_14_a",
          "au_14_b",
          "au_14_3",
          "ca_7_b",
          "cm_5_1_b",
          "cm_6_a",
          "cm_9_b",
          "ia_3_3_b",
          "ma_4_1_a",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_7_9_b",
          "si_1_1_c",
          "si_3_8_b",
          "si_4_2",
          "si_4_17",
          "si_4_20",
          "si_7_8",
          "si_10_1_c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR03",
          "CCC.AuditLog.CN02.AR01",
          "CCC.AuditLog.CN05.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "3.2",
          "3.2.3",
          "3.4",
          "3.4.d",
          "10.1",
          "10.2",
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.6",
          "10.2.7",
          "10.3",
          "10.3.1",
          "10.3.2",
          "10.3.3",
          "10.3.4",
          "10.3.5",
          "10.3.6",
          "10.5",
          "10.5.4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management",
          "4.2-validation-documentation-change-control"
        ],
        "CIS-2.0": [
          "3.1"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "LOG-07",
          "LOG-08"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.22",
          "10.2.1.2.19",
          "10.2.1.3.19",
          "10.2.1.4.19",
          "10.2.1.5.19",
          "10.2.1.6.19",
          "10.2.1.7.19",
          "10.2.1.19",
          "10.2.2.19",
          "10.3.1.19",
          "10.6.3.24",
          "5.3.4.22",
          "A1.2.1.23"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1",
          "d2-ma-ma-b-2",
          "d3-dc-an-b-3",
          "d3-dc-an-b-4",
          "d3-dc-an-b-5",
          "d3-dc-ev-b-1",
          "d3-dc-ev-b-3",
          "d3-pc-im-b-3",
          "d3-pc-im-b-7",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.1.1"
        ],
        "CIS-4.0.1": [
          "3.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02",
          "SEC04-BP03"
        ],
        "CIS-3.0": [
          "3.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_7_2",
          "cc_a_1_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "OIS-05.02B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-15.03B",
          "IAM-07.04B",
          "DEV-08.02B",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-12.03AC"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "CloudTrail.1"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6",
          "14.2",
          "16.6"
        ],
        "CIS-1.4": [
          "3.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "ac_2",
          "au_2",
          "au_3",
          "au_12",
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ae_1",
          "ae_3",
          "ae_4",
          "cm_1",
          "cm_3",
          "cm_6",
          "cm_7",
          "am_3",
          "ac_6",
          "ds_5",
          "ma_2",
          "pt_1"
        ],
        "CIS-5.0": [
          "3.1"
        ],
        "CIS-1.5": [
          "3.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "ac-2-g",
          "au-2-a-d",
          "au-3",
          "au-6-1-3",
          "au-12-a-c",
          "ca-7-a-b",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-e",
          "11.10-k",
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_3",
          "3_4_1",
          "3_6_1",
          "3_6_2",
          "3_13_1",
          "3_13_2",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r5.aws.iam.1",
          "op.exp.5.aws.ct.1",
          "op.exp.8.aws.ct.1",
          "op.exp.8.aws.ct.6",
          "op.exp.9.aws.ct.1",
          "op.mon.1.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.12.4.T"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
      "title": "Region has at least one CloudTrail trail logging",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled-211203495394-sa-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "sa-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:sa-east-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "sa-east-1"
    },
    "remediation": {
      "desc": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
      ]
    },
    "risk_details": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response (confidentiality and integrity).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled with logging were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled with logging were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_6_ii",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "au-2",
          "ca-7"
        ],
        "CIS-6.0": [
          "4.1"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_4",
          "ac_3_1",
          "ac_3_10",
          "ac_4_26",
          "ac_6_9",
          "au_2_b",
          "au_3_1",
          "au_3_a",
          "au_3_b",
          "au_3_c",
          "au_3_d",
          "au_3_e",
          "au_3_f",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_8_b",
          "au_10",
          "au_12_a",
          "au_12_c",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_12_4",
          "au_14_a",
          "au_14_b",
          "au_14_3",
          "ca_7_b",
          "cm_5_1_b",
          "cm_6_a",
          "cm_9_b",
          "ia_3_3_b",
          "ma_4_1_a",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_7_9_b",
          "si_1_1_c",
          "si_3_8_b",
          "si_4_2",
          "si_4_17",
          "si_4_20",
          "si_7_8",
          "si_10_1_c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR03",
          "CCC.AuditLog.CN02.AR01",
          "CCC.AuditLog.CN05.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "3.2",
          "3.2.3",
          "3.4",
          "3.4.d",
          "10.1",
          "10.2",
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.6",
          "10.2.7",
          "10.3",
          "10.3.1",
          "10.3.2",
          "10.3.3",
          "10.3.4",
          "10.3.5",
          "10.3.6",
          "10.5",
          "10.5.4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management",
          "4.2-validation-documentation-change-control"
        ],
        "CIS-2.0": [
          "3.1"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "LOG-07",
          "LOG-08"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.22",
          "10.2.1.2.19",
          "10.2.1.3.19",
          "10.2.1.4.19",
          "10.2.1.5.19",
          "10.2.1.6.19",
          "10.2.1.7.19",
          "10.2.1.19",
          "10.2.2.19",
          "10.3.1.19",
          "10.6.3.24",
          "5.3.4.22",
          "A1.2.1.23"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1",
          "d2-ma-ma-b-2",
          "d3-dc-an-b-3",
          "d3-dc-an-b-4",
          "d3-dc-an-b-5",
          "d3-dc-ev-b-1",
          "d3-dc-ev-b-3",
          "d3-pc-im-b-3",
          "d3-pc-im-b-7",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.1.1"
        ],
        "CIS-4.0.1": [
          "3.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02",
          "SEC04-BP03"
        ],
        "CIS-3.0": [
          "3.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_7_2",
          "cc_a_1_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "OIS-05.02B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-15.03B",
          "IAM-07.04B",
          "DEV-08.02B",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-12.03AC"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "CloudTrail.1"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6",
          "14.2",
          "16.6"
        ],
        "CIS-1.4": [
          "3.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "ac_2",
          "au_2",
          "au_3",
          "au_12",
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ae_1",
          "ae_3",
          "ae_4",
          "cm_1",
          "cm_3",
          "cm_6",
          "cm_7",
          "am_3",
          "ac_6",
          "ds_5",
          "ma_2",
          "pt_1"
        ],
        "CIS-5.0": [
          "3.1"
        ],
        "CIS-1.5": [
          "3.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "ac-2-g",
          "au-2-a-d",
          "au-3",
          "au-6-1-3",
          "au-12-a-c",
          "ca-7-a-b",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-e",
          "11.10-k",
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_3",
          "3_4_1",
          "3_6_1",
          "3_6_2",
          "3_13_1",
          "3_13_2",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r5.aws.iam.1",
          "op.exp.5.aws.ct.1",
          "op.exp.8.aws.ct.1",
          "op.exp.8.aws.ct.6",
          "op.exp.9.aws.ct.1",
          "op.mon.1.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.12.4.T"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
      "title": "Region has at least one CloudTrail trail logging",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:us-east-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
      ]
    },
    "risk_details": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response (confidentiality and integrity).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled with logging were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled with logging were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_6_ii",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "au-2",
          "ca-7"
        ],
        "CIS-6.0": [
          "4.1"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_4",
          "ac_3_1",
          "ac_3_10",
          "ac_4_26",
          "ac_6_9",
          "au_2_b",
          "au_3_1",
          "au_3_a",
          "au_3_b",
          "au_3_c",
          "au_3_d",
          "au_3_e",
          "au_3_f",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_8_b",
          "au_10",
          "au_12_a",
          "au_12_c",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_12_4",
          "au_14_a",
          "au_14_b",
          "au_14_3",
          "ca_7_b",
          "cm_5_1_b",
          "cm_6_a",
          "cm_9_b",
          "ia_3_3_b",
          "ma_4_1_a",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_7_9_b",
          "si_1_1_c",
          "si_3_8_b",
          "si_4_2",
          "si_4_17",
          "si_4_20",
          "si_7_8",
          "si_10_1_c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR03",
          "CCC.AuditLog.CN02.AR01",
          "CCC.AuditLog.CN05.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "3.2",
          "3.2.3",
          "3.4",
          "3.4.d",
          "10.1",
          "10.2",
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.6",
          "10.2.7",
          "10.3",
          "10.3.1",
          "10.3.2",
          "10.3.3",
          "10.3.4",
          "10.3.5",
          "10.3.6",
          "10.5",
          "10.5.4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management",
          "4.2-validation-documentation-change-control"
        ],
        "CIS-2.0": [
          "3.1"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "LOG-07",
          "LOG-08"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.22",
          "10.2.1.2.19",
          "10.2.1.3.19",
          "10.2.1.4.19",
          "10.2.1.5.19",
          "10.2.1.6.19",
          "10.2.1.7.19",
          "10.2.1.19",
          "10.2.2.19",
          "10.3.1.19",
          "10.6.3.24",
          "5.3.4.22",
          "A1.2.1.23"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1",
          "d2-ma-ma-b-2",
          "d3-dc-an-b-3",
          "d3-dc-an-b-4",
          "d3-dc-an-b-5",
          "d3-dc-ev-b-1",
          "d3-dc-ev-b-3",
          "d3-pc-im-b-3",
          "d3-pc-im-b-7",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.1.1"
        ],
        "CIS-4.0.1": [
          "3.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02",
          "SEC04-BP03"
        ],
        "CIS-3.0": [
          "3.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_7_2",
          "cc_a_1_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "OIS-05.02B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-15.03B",
          "IAM-07.04B",
          "DEV-08.02B",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-12.03AC"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "CloudTrail.1"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6",
          "14.2",
          "16.6"
        ],
        "CIS-1.4": [
          "3.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "ac_2",
          "au_2",
          "au_3",
          "au_12",
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ae_1",
          "ae_3",
          "ae_4",
          "cm_1",
          "cm_3",
          "cm_6",
          "cm_7",
          "am_3",
          "ac_6",
          "ds_5",
          "ma_2",
          "pt_1"
        ],
        "CIS-5.0": [
          "3.1"
        ],
        "CIS-1.5": [
          "3.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "ac-2-g",
          "au-2-a-d",
          "au-3",
          "au-6-1-3",
          "au-12-a-c",
          "ca-7-a-b",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-e",
          "11.10-k",
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_3",
          "3_4_1",
          "3_6_1",
          "3_6_2",
          "3_13_1",
          "3_13_2",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r5.aws.iam.1",
          "op.exp.5.aws.ct.1",
          "op.exp.8.aws.ct.1",
          "op.exp.8.aws.ct.6",
          "op.exp.9.aws.ct.1",
          "op.mon.1.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.12.4.T"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
      "title": "Region has at least one CloudTrail trail logging",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled-211203495394-us-east-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-2",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:us-east-2:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-2"
    },
    "remediation": {
      "desc": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
      ]
    },
    "risk_details": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response (confidentiality and integrity).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled with logging were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled with logging were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_6_ii",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "au-2",
          "ca-7"
        ],
        "CIS-6.0": [
          "4.1"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_4",
          "ac_3_1",
          "ac_3_10",
          "ac_4_26",
          "ac_6_9",
          "au_2_b",
          "au_3_1",
          "au_3_a",
          "au_3_b",
          "au_3_c",
          "au_3_d",
          "au_3_e",
          "au_3_f",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_8_b",
          "au_10",
          "au_12_a",
          "au_12_c",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_12_4",
          "au_14_a",
          "au_14_b",
          "au_14_3",
          "ca_7_b",
          "cm_5_1_b",
          "cm_6_a",
          "cm_9_b",
          "ia_3_3_b",
          "ma_4_1_a",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_7_9_b",
          "si_1_1_c",
          "si_3_8_b",
          "si_4_2",
          "si_4_17",
          "si_4_20",
          "si_7_8",
          "si_10_1_c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR03",
          "CCC.AuditLog.CN02.AR01",
          "CCC.AuditLog.CN05.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "3.2",
          "3.2.3",
          "3.4",
          "3.4.d",
          "10.1",
          "10.2",
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.6",
          "10.2.7",
          "10.3",
          "10.3.1",
          "10.3.2",
          "10.3.3",
          "10.3.4",
          "10.3.5",
          "10.3.6",
          "10.5",
          "10.5.4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management",
          "4.2-validation-documentation-change-control"
        ],
        "CIS-2.0": [
          "3.1"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "LOG-07",
          "LOG-08"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.22",
          "10.2.1.2.19",
          "10.2.1.3.19",
          "10.2.1.4.19",
          "10.2.1.5.19",
          "10.2.1.6.19",
          "10.2.1.7.19",
          "10.2.1.19",
          "10.2.2.19",
          "10.3.1.19",
          "10.6.3.24",
          "5.3.4.22",
          "A1.2.1.23"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1",
          "d2-ma-ma-b-2",
          "d3-dc-an-b-3",
          "d3-dc-an-b-4",
          "d3-dc-an-b-5",
          "d3-dc-ev-b-1",
          "d3-dc-ev-b-3",
          "d3-pc-im-b-3",
          "d3-pc-im-b-7",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.1.1"
        ],
        "CIS-4.0.1": [
          "3.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02",
          "SEC04-BP03"
        ],
        "CIS-3.0": [
          "3.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_7_2",
          "cc_a_1_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "OIS-05.02B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-15.03B",
          "IAM-07.04B",
          "DEV-08.02B",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-12.03AC"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "CloudTrail.1"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6",
          "14.2",
          "16.6"
        ],
        "CIS-1.4": [
          "3.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "ac_2",
          "au_2",
          "au_3",
          "au_12",
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ae_1",
          "ae_3",
          "ae_4",
          "cm_1",
          "cm_3",
          "cm_6",
          "cm_7",
          "am_3",
          "ac_6",
          "ds_5",
          "ma_2",
          "pt_1"
        ],
        "CIS-5.0": [
          "3.1"
        ],
        "CIS-1.5": [
          "3.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "ac-2-g",
          "au-2-a-d",
          "au-3",
          "au-6-1-3",
          "au-12-a-c",
          "ca-7-a-b",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-e",
          "11.10-k",
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_3",
          "3_4_1",
          "3_6_1",
          "3_6_2",
          "3_13_1",
          "3_13_2",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r5.aws.iam.1",
          "op.exp.5.aws.ct.1",
          "op.exp.8.aws.ct.1",
          "op.exp.8.aws.ct.6",
          "op.exp.9.aws.ct.1",
          "op.mon.1.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.12.4.T"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
      "title": "Region has at least one CloudTrail trail logging",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled-211203495394-us-west-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:us-west-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-1"
    },
    "remediation": {
      "desc": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
      ]
    },
    "risk_details": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response (confidentiality and integrity).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled with logging were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled with logging were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_6_ii",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "au-2",
          "ca-7"
        ],
        "CIS-6.0": [
          "4.1"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_4",
          "ac_3_1",
          "ac_3_10",
          "ac_4_26",
          "ac_6_9",
          "au_2_b",
          "au_3_1",
          "au_3_a",
          "au_3_b",
          "au_3_c",
          "au_3_d",
          "au_3_e",
          "au_3_f",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_8_b",
          "au_10",
          "au_12_a",
          "au_12_c",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_12_4",
          "au_14_a",
          "au_14_b",
          "au_14_3",
          "ca_7_b",
          "cm_5_1_b",
          "cm_6_a",
          "cm_9_b",
          "ia_3_3_b",
          "ma_4_1_a",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_7_9_b",
          "si_1_1_c",
          "si_3_8_b",
          "si_4_2",
          "si_4_17",
          "si_4_20",
          "si_7_8",
          "si_10_1_c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR03",
          "CCC.AuditLog.CN02.AR01",
          "CCC.AuditLog.CN05.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "3.2",
          "3.2.3",
          "3.4",
          "3.4.d",
          "10.1",
          "10.2",
          "10.2.1",
          "10.2.2",
          "10.2.3",
          "10.2.4",
          "10.2.6",
          "10.2.7",
          "10.3",
          "10.3.1",
          "10.3.2",
          "10.3.3",
          "10.3.4",
          "10.3.5",
          "10.3.6",
          "10.5",
          "10.5.4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management",
          "4.2-validation-documentation-change-control"
        ],
        "CIS-2.0": [
          "3.1"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "LOG-07",
          "LOG-08"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.22",
          "10.2.1.2.19",
          "10.2.1.3.19",
          "10.2.1.4.19",
          "10.2.1.5.19",
          "10.2.1.6.19",
          "10.2.1.7.19",
          "10.2.1.19",
          "10.2.2.19",
          "10.3.1.19",
          "10.6.3.24",
          "5.3.4.22",
          "A1.2.1.23"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1",
          "d2-ma-ma-b-2",
          "d3-dc-an-b-3",
          "d3-dc-an-b-4",
          "d3-dc-an-b-5",
          "d3-dc-ev-b-1",
          "d3-dc-ev-b-3",
          "d3-pc-im-b-3",
          "d3-pc-im-b-7",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.1.1"
        ],
        "CIS-4.0.1": [
          "3.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02",
          "SEC04-BP03"
        ],
        "CIS-3.0": [
          "3.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_7_2",
          "cc_a_1_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "OIS-05.02B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-15.03B",
          "IAM-07.04B",
          "DEV-08.02B",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-12.03AC"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "CloudTrail.1"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6",
          "14.2",
          "16.6"
        ],
        "CIS-1.4": [
          "3.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "ac_2",
          "au_2",
          "au_3",
          "au_12",
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ae_1",
          "ae_3",
          "ae_4",
          "cm_1",
          "cm_3",
          "cm_6",
          "cm_7",
          "am_3",
          "ac_6",
          "ds_5",
          "ma_2",
          "pt_1"
        ],
        "CIS-5.0": [
          "3.1"
        ],
        "CIS-1.5": [
          "3.1"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "ac-2-g",
          "au-2-a-d",
          "au-3",
          "au-6-1-3",
          "au-12-a-c",
          "ca-7-a-b",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-e",
          "11.10-k",
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_3",
          "3_4_1",
          "3_6_1",
          "3_6_2",
          "3_13_1",
          "3_13_2",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r5.aws.iam.1",
          "op.exp.5.aws.ct.1",
          "op.exp.8.aws.ct.1",
          "op.exp.8.aws.ct.6",
          "op.exp.9.aws.ct.1",
          "op.mon.1.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.12.4.T"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
      "title": "Region has at least one CloudTrail trail logging",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled-211203495394-us-west-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-2",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:us-west-2:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-2"
    },
    "remediation": {
      "desc": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
      ]
    },
    "risk_details": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response (confidentiality and integrity).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled and logging management events were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled_logging_management_events",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled and logging management events were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.a",
          "3.2.3.c",
          "3.4.2.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR02",
          "CCC.AuditLog.CN02.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CSA-CCM-4.0": [
          "LOG-07",
          "LOG-11"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-05.02B",
          "AM-01.01AC",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-11.02AC",
          "OPS-12.01B",
          "OPS-13.02B",
          "OPS-13.01AC",
          "OPS-13.03AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-07.04B",
          "DEV-08.02B",
          "SSO-05.01AC",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.05B",
          "PSS-12.02AC",
          "PSS-12.03AC"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "NIST-CSF-2.0": [
          "po_4",
          "ov_3",
          "pt_1",
          "ae_1",
          "ae_3",
          "cm_1",
          "cm_3",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
      "title": "CloudTrail trail logs management events for read and write operations",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled_logging_management_events-211203495394-ap-northeast-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-1",
        "data": {
          "details": "",
          "metadata": {
            "arn:aws:cloudtrail:us-east-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ca-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ca-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-north-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-north-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:sa-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "sa-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-south-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-south-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            }
          }
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-1"
    },
    "remediation": {
      "desc": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
      ]
    },
    "risk_details": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled and logging management events were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled_logging_management_events",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled and logging management events were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.a",
          "3.2.3.c",
          "3.4.2.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR02",
          "CCC.AuditLog.CN02.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CSA-CCM-4.0": [
          "LOG-07",
          "LOG-11"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-05.02B",
          "AM-01.01AC",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-11.02AC",
          "OPS-12.01B",
          "OPS-13.02B",
          "OPS-13.01AC",
          "OPS-13.03AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-07.04B",
          "DEV-08.02B",
          "SSO-05.01AC",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.05B",
          "PSS-12.02AC",
          "PSS-12.03AC"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "NIST-CSF-2.0": [
          "po_4",
          "ov_3",
          "pt_1",
          "ae_1",
          "ae_3",
          "cm_1",
          "cm_3",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
      "title": "CloudTrail trail logs management events for read and write operations",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled_logging_management_events-211203495394-ap-northeast-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-2",
        "data": {
          "details": "",
          "metadata": {
            "arn:aws:cloudtrail:us-east-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ca-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ca-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-north-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-north-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:sa-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "sa-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-south-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-south-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            }
          }
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-2"
    },
    "remediation": {
      "desc": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
      ]
    },
    "risk_details": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled and logging management events were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled_logging_management_events",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled and logging management events were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.a",
          "3.2.3.c",
          "3.4.2.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR02",
          "CCC.AuditLog.CN02.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CSA-CCM-4.0": [
          "LOG-07",
          "LOG-11"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-05.02B",
          "AM-01.01AC",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-11.02AC",
          "OPS-12.01B",
          "OPS-13.02B",
          "OPS-13.01AC",
          "OPS-13.03AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-07.04B",
          "DEV-08.02B",
          "SSO-05.01AC",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.05B",
          "PSS-12.02AC",
          "PSS-12.03AC"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "NIST-CSF-2.0": [
          "po_4",
          "ov_3",
          "pt_1",
          "ae_1",
          "ae_3",
          "cm_1",
          "cm_3",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
      "title": "CloudTrail trail logs management events for read and write operations",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled_logging_management_events-211203495394-ap-northeast-3-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-3",
        "data": {
          "details": "",
          "metadata": {
            "arn:aws:cloudtrail:us-east-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ca-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ca-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-north-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-north-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:sa-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "sa-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-south-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-south-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            }
          }
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-3"
    },
    "remediation": {
      "desc": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
      ]
    },
    "risk_details": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled and logging management events were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled_logging_management_events",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled and logging management events were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.a",
          "3.2.3.c",
          "3.4.2.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR02",
          "CCC.AuditLog.CN02.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CSA-CCM-4.0": [
          "LOG-07",
          "LOG-11"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-05.02B",
          "AM-01.01AC",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-11.02AC",
          "OPS-12.01B",
          "OPS-13.02B",
          "OPS-13.01AC",
          "OPS-13.03AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-07.04B",
          "DEV-08.02B",
          "SSO-05.01AC",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.05B",
          "PSS-12.02AC",
          "PSS-12.03AC"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "NIST-CSF-2.0": [
          "po_4",
          "ov_3",
          "pt_1",
          "ae_1",
          "ae_3",
          "cm_1",
          "cm_3",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
      "title": "CloudTrail trail logs management events for read and write operations",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled_logging_management_events-211203495394-ap-south-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-south-1",
        "data": {
          "details": "",
          "metadata": {
            "arn:aws:cloudtrail:us-east-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ca-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ca-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-north-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-north-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:sa-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "sa-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-south-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-south-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            }
          }
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:ap-south-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-south-1"
    },
    "remediation": {
      "desc": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
      ]
    },
    "risk_details": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled and logging management events were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled_logging_management_events",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled and logging management events were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.a",
          "3.2.3.c",
          "3.4.2.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR02",
          "CCC.AuditLog.CN02.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CSA-CCM-4.0": [
          "LOG-07",
          "LOG-11"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-05.02B",
          "AM-01.01AC",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-11.02AC",
          "OPS-12.01B",
          "OPS-13.02B",
          "OPS-13.01AC",
          "OPS-13.03AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-07.04B",
          "DEV-08.02B",
          "SSO-05.01AC",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.05B",
          "PSS-12.02AC",
          "PSS-12.03AC"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "NIST-CSF-2.0": [
          "po_4",
          "ov_3",
          "pt_1",
          "ae_1",
          "ae_3",
          "cm_1",
          "cm_3",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
      "title": "CloudTrail trail logs management events for read and write operations",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled_logging_management_events-211203495394-ap-southeast-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-1",
        "data": {
          "details": "",
          "metadata": {
            "arn:aws:cloudtrail:us-east-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ca-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ca-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-north-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-north-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:sa-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "sa-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-south-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-south-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            }
          }
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-1"
    },
    "remediation": {
      "desc": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
      ]
    },
    "risk_details": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled and logging management events were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled_logging_management_events",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled and logging management events were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.a",
          "3.2.3.c",
          "3.4.2.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR02",
          "CCC.AuditLog.CN02.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CSA-CCM-4.0": [
          "LOG-07",
          "LOG-11"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-05.02B",
          "AM-01.01AC",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-11.02AC",
          "OPS-12.01B",
          "OPS-13.02B",
          "OPS-13.01AC",
          "OPS-13.03AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-07.04B",
          "DEV-08.02B",
          "SSO-05.01AC",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.05B",
          "PSS-12.02AC",
          "PSS-12.03AC"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "NIST-CSF-2.0": [
          "po_4",
          "ov_3",
          "pt_1",
          "ae_1",
          "ae_3",
          "cm_1",
          "cm_3",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
      "title": "CloudTrail trail logs management events for read and write operations",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled_logging_management_events-211203495394-ap-southeast-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-2",
        "data": {
          "details": "",
          "metadata": {
            "arn:aws:cloudtrail:us-east-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ca-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ca-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-north-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-north-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:sa-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "sa-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-south-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-south-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            }
          }
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-2"
    },
    "remediation": {
      "desc": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
      ]
    },
    "risk_details": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled and logging management events were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled_logging_management_events",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled and logging management events were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.a",
          "3.2.3.c",
          "3.4.2.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR02",
          "CCC.AuditLog.CN02.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CSA-CCM-4.0": [
          "LOG-07",
          "LOG-11"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-05.02B",
          "AM-01.01AC",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-11.02AC",
          "OPS-12.01B",
          "OPS-13.02B",
          "OPS-13.01AC",
          "OPS-13.03AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-07.04B",
          "DEV-08.02B",
          "SSO-05.01AC",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.05B",
          "PSS-12.02AC",
          "PSS-12.03AC"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "NIST-CSF-2.0": [
          "po_4",
          "ov_3",
          "pt_1",
          "ae_1",
          "ae_3",
          "cm_1",
          "cm_3",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
      "title": "CloudTrail trail logs management events for read and write operations",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled_logging_management_events-211203495394-ca-central-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ca-central-1",
        "data": {
          "details": "",
          "metadata": {
            "arn:aws:cloudtrail:us-east-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ca-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ca-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-north-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-north-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:sa-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "sa-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-south-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-south-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            }
          }
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:ca-central-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ca-central-1"
    },
    "remediation": {
      "desc": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
      ]
    },
    "risk_details": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled and logging management events were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled_logging_management_events",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled and logging management events were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.a",
          "3.2.3.c",
          "3.4.2.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR02",
          "CCC.AuditLog.CN02.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CSA-CCM-4.0": [
          "LOG-07",
          "LOG-11"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-05.02B",
          "AM-01.01AC",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-11.02AC",
          "OPS-12.01B",
          "OPS-13.02B",
          "OPS-13.01AC",
          "OPS-13.03AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-07.04B",
          "DEV-08.02B",
          "SSO-05.01AC",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.05B",
          "PSS-12.02AC",
          "PSS-12.03AC"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "NIST-CSF-2.0": [
          "po_4",
          "ov_3",
          "pt_1",
          "ae_1",
          "ae_3",
          "cm_1",
          "cm_3",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
      "title": "CloudTrail trail logs management events for read and write operations",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled_logging_management_events-211203495394-eu-central-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-central-1",
        "data": {
          "details": "",
          "metadata": {
            "arn:aws:cloudtrail:us-east-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ca-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ca-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-north-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-north-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:sa-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "sa-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-south-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-south-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            }
          }
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:eu-central-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-central-1"
    },
    "remediation": {
      "desc": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
      ]
    },
    "risk_details": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled and logging management events were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled_logging_management_events",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled and logging management events were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.a",
          "3.2.3.c",
          "3.4.2.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR02",
          "CCC.AuditLog.CN02.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CSA-CCM-4.0": [
          "LOG-07",
          "LOG-11"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-05.02B",
          "AM-01.01AC",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-11.02AC",
          "OPS-12.01B",
          "OPS-13.02B",
          "OPS-13.01AC",
          "OPS-13.03AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-07.04B",
          "DEV-08.02B",
          "SSO-05.01AC",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.05B",
          "PSS-12.02AC",
          "PSS-12.03AC"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "NIST-CSF-2.0": [
          "po_4",
          "ov_3",
          "pt_1",
          "ae_1",
          "ae_3",
          "cm_1",
          "cm_3",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
      "title": "CloudTrail trail logs management events for read and write operations",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled_logging_management_events-211203495394-eu-north-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-north-1",
        "data": {
          "details": "",
          "metadata": {
            "arn:aws:cloudtrail:us-east-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ca-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ca-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-north-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-north-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:sa-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "sa-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-south-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-south-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            }
          }
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:eu-north-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-north-1"
    },
    "remediation": {
      "desc": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
      ]
    },
    "risk_details": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled and logging management events were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled_logging_management_events",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled and logging management events were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.a",
          "3.2.3.c",
          "3.4.2.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR02",
          "CCC.AuditLog.CN02.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CSA-CCM-4.0": [
          "LOG-07",
          "LOG-11"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-05.02B",
          "AM-01.01AC",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-11.02AC",
          "OPS-12.01B",
          "OPS-13.02B",
          "OPS-13.01AC",
          "OPS-13.03AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-07.04B",
          "DEV-08.02B",
          "SSO-05.01AC",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.05B",
          "PSS-12.02AC",
          "PSS-12.03AC"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "NIST-CSF-2.0": [
          "po_4",
          "ov_3",
          "pt_1",
          "ae_1",
          "ae_3",
          "cm_1",
          "cm_3",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
      "title": "CloudTrail trail logs management events for read and write operations",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled_logging_management_events-211203495394-eu-west-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-1",
        "data": {
          "details": "",
          "metadata": {
            "arn:aws:cloudtrail:us-east-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ca-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ca-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-north-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-north-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:sa-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "sa-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-south-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-south-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            }
          }
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:eu-west-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-1"
    },
    "remediation": {
      "desc": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
      ]
    },
    "risk_details": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled and logging management events were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled_logging_management_events",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled and logging management events were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.a",
          "3.2.3.c",
          "3.4.2.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR02",
          "CCC.AuditLog.CN02.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CSA-CCM-4.0": [
          "LOG-07",
          "LOG-11"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-05.02B",
          "AM-01.01AC",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-11.02AC",
          "OPS-12.01B",
          "OPS-13.02B",
          "OPS-13.01AC",
          "OPS-13.03AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-07.04B",
          "DEV-08.02B",
          "SSO-05.01AC",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.05B",
          "PSS-12.02AC",
          "PSS-12.03AC"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "NIST-CSF-2.0": [
          "po_4",
          "ov_3",
          "pt_1",
          "ae_1",
          "ae_3",
          "cm_1",
          "cm_3",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
      "title": "CloudTrail trail logs management events for read and write operations",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled_logging_management_events-211203495394-eu-west-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-2",
        "data": {
          "details": "",
          "metadata": {
            "arn:aws:cloudtrail:us-east-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ca-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ca-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-north-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-north-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:sa-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "sa-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-south-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-south-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            }
          }
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:eu-west-2:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-2"
    },
    "remediation": {
      "desc": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
      ]
    },
    "risk_details": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled and logging management events were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled_logging_management_events",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled and logging management events were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.a",
          "3.2.3.c",
          "3.4.2.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR02",
          "CCC.AuditLog.CN02.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CSA-CCM-4.0": [
          "LOG-07",
          "LOG-11"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-05.02B",
          "AM-01.01AC",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-11.02AC",
          "OPS-12.01B",
          "OPS-13.02B",
          "OPS-13.01AC",
          "OPS-13.03AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-07.04B",
          "DEV-08.02B",
          "SSO-05.01AC",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.05B",
          "PSS-12.02AC",
          "PSS-12.03AC"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "NIST-CSF-2.0": [
          "po_4",
          "ov_3",
          "pt_1",
          "ae_1",
          "ae_3",
          "cm_1",
          "cm_3",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
      "title": "CloudTrail trail logs management events for read and write operations",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled_logging_management_events-211203495394-eu-west-3-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-3",
        "data": {
          "details": "",
          "metadata": {
            "arn:aws:cloudtrail:us-east-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ca-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ca-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-north-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-north-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:sa-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "sa-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-south-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-south-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            }
          }
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:eu-west-3:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-3"
    },
    "remediation": {
      "desc": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
      ]
    },
    "risk_details": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled and logging management events were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled_logging_management_events",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled and logging management events were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.a",
          "3.2.3.c",
          "3.4.2.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR02",
          "CCC.AuditLog.CN02.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CSA-CCM-4.0": [
          "LOG-07",
          "LOG-11"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-05.02B",
          "AM-01.01AC",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-11.02AC",
          "OPS-12.01B",
          "OPS-13.02B",
          "OPS-13.01AC",
          "OPS-13.03AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-07.04B",
          "DEV-08.02B",
          "SSO-05.01AC",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.05B",
          "PSS-12.02AC",
          "PSS-12.03AC"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "NIST-CSF-2.0": [
          "po_4",
          "ov_3",
          "pt_1",
          "ae_1",
          "ae_3",
          "cm_1",
          "cm_3",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
      "title": "CloudTrail trail logs management events for read and write operations",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled_logging_management_events-211203495394-sa-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "sa-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn:aws:cloudtrail:us-east-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ca-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ca-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-north-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-north-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:sa-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "sa-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-south-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-south-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            }
          }
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:sa-east-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "sa-east-1"
    },
    "remediation": {
      "desc": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
      ]
    },
    "risk_details": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled and logging management events were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled_logging_management_events",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled and logging management events were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.a",
          "3.2.3.c",
          "3.4.2.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR02",
          "CCC.AuditLog.CN02.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CSA-CCM-4.0": [
          "LOG-07",
          "LOG-11"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-05.02B",
          "AM-01.01AC",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-11.02AC",
          "OPS-12.01B",
          "OPS-13.02B",
          "OPS-13.01AC",
          "OPS-13.03AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-07.04B",
          "DEV-08.02B",
          "SSO-05.01AC",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.05B",
          "PSS-12.02AC",
          "PSS-12.03AC"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "NIST-CSF-2.0": [
          "po_4",
          "ov_3",
          "pt_1",
          "ae_1",
          "ae_3",
          "cm_1",
          "cm_3",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
      "title": "CloudTrail trail logs management events for read and write operations",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled_logging_management_events-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn:aws:cloudtrail:us-east-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ca-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ca-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-north-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-north-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:sa-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "sa-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-south-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-south-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            }
          }
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:us-east-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
      ]
    },
    "risk_details": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled and logging management events were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled_logging_management_events",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled and logging management events were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.a",
          "3.2.3.c",
          "3.4.2.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR02",
          "CCC.AuditLog.CN02.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CSA-CCM-4.0": [
          "LOG-07",
          "LOG-11"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-05.02B",
          "AM-01.01AC",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-11.02AC",
          "OPS-12.01B",
          "OPS-13.02B",
          "OPS-13.01AC",
          "OPS-13.03AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-07.04B",
          "DEV-08.02B",
          "SSO-05.01AC",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.05B",
          "PSS-12.02AC",
          "PSS-12.03AC"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "NIST-CSF-2.0": [
          "po_4",
          "ov_3",
          "pt_1",
          "ae_1",
          "ae_3",
          "cm_1",
          "cm_3",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
      "title": "CloudTrail trail logs management events for read and write operations",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled_logging_management_events-211203495394-us-east-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-2",
        "data": {
          "details": "",
          "metadata": {
            "arn:aws:cloudtrail:us-east-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ca-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ca-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-north-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-north-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:sa-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "sa-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-south-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-south-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            }
          }
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:us-east-2:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-2"
    },
    "remediation": {
      "desc": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
      ]
    },
    "risk_details": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled and logging management events were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled_logging_management_events",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled and logging management events were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.a",
          "3.2.3.c",
          "3.4.2.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR02",
          "CCC.AuditLog.CN02.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CSA-CCM-4.0": [
          "LOG-07",
          "LOG-11"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-05.02B",
          "AM-01.01AC",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-11.02AC",
          "OPS-12.01B",
          "OPS-13.02B",
          "OPS-13.01AC",
          "OPS-13.03AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-07.04B",
          "DEV-08.02B",
          "SSO-05.01AC",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.05B",
          "PSS-12.02AC",
          "PSS-12.03AC"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "NIST-CSF-2.0": [
          "po_4",
          "ov_3",
          "pt_1",
          "ae_1",
          "ae_3",
          "cm_1",
          "cm_3",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
      "title": "CloudTrail trail logs management events for read and write operations",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled_logging_management_events-211203495394-us-west-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-1",
        "data": {
          "details": "",
          "metadata": {
            "arn:aws:cloudtrail:us-east-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ca-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ca-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-north-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-north-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:sa-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "sa-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-south-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-south-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            }
          }
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:us-west-1:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-1"
    },
    "remediation": {
      "desc": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
      ]
    },
    "risk_details": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudTrail trails enabled and logging management events were found.",
    "metadata": {
      "event_code": "cloudtrail_multi_region_enabled_logging_management_events",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudTrail trails enabled and logging management events were found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events",
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.a",
          "3.2.3.c",
          "3.4.2.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.Core.CN04.AR02",
          "CCC.AuditLog.CN02.AR01",
          "CCC.Logging.CN01.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CSA-CCM-4.0": [
          "LOG-07",
          "LOG-11"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-05.02B",
          "AM-01.01AC",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "OPS-11.02AC",
          "OPS-12.01B",
          "OPS-13.02B",
          "OPS-13.01AC",
          "OPS-13.03AC",
          "OPS-15.01B",
          "OPS-15.02B",
          "OPS-15.03B",
          "OPS-15.01AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-07.04B",
          "DEV-08.02B",
          "SSO-05.01AC",
          "SIM-03.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.05B",
          "PSS-12.02AC",
          "PSS-12.03AC"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.2",
          "12.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable as part of Organization trail"
        ],
        "NIST-CSF-2.0": [
          "po_4",
          "ov_3",
          "pt_1",
          "ae_1",
          "ae_3",
          "cm_1",
          "cm_3",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
      "title": "CloudTrail trail logs management events for read and write operations",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudtrail_multi_region_enabled_logging_management_events-211203495394-us-west-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-2",
        "data": {
          "details": "",
          "metadata": {
            "arn:aws:cloudtrail:us-east-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ca-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ca-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-central-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-central-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-north-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-north-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-3:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-3",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:us-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "us-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-southeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-southeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:sa-east-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "sa-east-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-south-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-south-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:ap-northeast-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "ap-northeast-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-2:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-2",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            },
            "arn:aws:cloudtrail:eu-west-1:211203495394:trail": {
              "name": null,
              "is_multiregion": null,
              "home_region": null,
              "arn": null,
              "region": "eu-west-1",
              "is_logging": null,
              "log_file_validation_enabled": null,
              "latest_cloudwatch_delivery_time": null,
              "s3_bucket": null,
              "kms_key": null,
              "log_group_arn": null,
              "data_events": [],
              "tags": [],
              "has_insight_selectors": null
            }
          }
        },
        "group": {
          "name": "cloudtrail"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudTrailTrail",
        "uid": "arn:aws:cloudtrail:us-west-2:211203495394:trail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-2"
    },
    "remediation": {
      "desc": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
      ]
    },
    "risk_details": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudWatch log groups found with metric filters or alarms associated.",
    "metadata": {
      "event_code": "cloudwatch_changes_to_network_acls_alarm_configured",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudWatch log groups found with metric filters or alarms associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
        "https://www.clouddefense.ai/compliance-rules/cis-v130/monitoring/cis-v130-4-11",
        "https://support.icompaas.com/support/solutions/articles/62000084031-ensure-a-log-metric-filter-and-alarm-exist-for-changes-to-network-access-control-lists-nacl-",
        "https://trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/network-acl-changes-alarm.html",
        "https://support.icompaas.com/support/solutions/articles/62000233134-4-11-ensure-network-access-control-list-nacl-changes-are-monitored-manual-"
      ],
      "notes": "Logging and Monitoring",
      "compliance": {
        "NIS2": [
          "2.2.3",
          "3.2.3.a",
          "3.2.3.c",
          "3.2.3.f",
          "6.4.1"
        ],
        "HIPAA": [
          "164_308_a_6_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.11"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_2",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_36_1_a",
          "si_2_a",
          "si_4_12",
          "si_5_1",
          "si_5_b"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR03",
          "CCC.Core.CN04.AR01"
        ],
        "CIS-2.0": [
          "4.11"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "LOG-05"
        ],
        "FFIEC": [
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.12"
        ],
        "CIS-4.0.1": [
          "4.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.11"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_5_2",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "OIS-04.01AC",
          "OIS-04.02AC",
          "HR-03.02AC",
          "AM-09.03AC",
          "OPS-11.02AC",
          "OPS-13.03AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-26.06B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.9"
        ],
        "CIS-1.4": [
          "4.11"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "au_6_1",
          "au_6_3",
          "au_7_1",
          "ca_7",
          "ir_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_5",
          "cm_2",
          "cm_5",
          "cp_4",
          "ra_5"
        ],
        "CIS-5.0": [
          "4.11"
        ],
        "CIS-1.5": [
          "4.11"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "cm_1",
          "dp_4"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "au-6-1-3",
          "au-7-1",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "NIST-800-171-Revision-2": [
          "3_6_1",
          "3_6_2",
          "3_12_4"
        ],
        "MITRE-ATTACK": [
          "T1496"
        ],
        "ISO27001-2013": [
          "A.12.4.D"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "CloudTrail records for **Network ACL changes** are matched by a CloudWatch Logs metric filter with an associated alarm for events like `CreateNetworkAcl`, `CreateNetworkAclEntry`, `DeleteNetworkAcl`, `DeleteNetworkAclEntry`, `ReplaceNetworkAclEntry`, and `ReplaceNetworkAclAssociation`.",
      "title": "CloudWatch log metric filter and alarm exist for Network ACL (NACL) change events",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis"
      ],
      "uid": "prowler-aws-cloudwatch_changes_to_network_acls_alarm_configured-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudWatchAlarm",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Implement a CloudWatch Logs metric filter and alarm for NACL change events from CloudTrail and route alerts to responders. Enforce **least privilege** on NACL management, require **change control**, and use **defense in depth** with configuration monitoring and flow logs to validate and monitor network posture.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_changes_to_network_acls_alarm_configured"
      ]
    },
    "risk_details": "Absent monitoring of **NACL changes** reduces detection of policy tampering, risking loss of **confidentiality** (opened ingress/egress), degraded network **integrity** (lateral movement, bypassed segmentation), and reduced **availability** (traffic blackholes or lockouts).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudWatch log groups found with metric filters or alarms associated.",
    "metadata": {
      "event_code": "cloudwatch_changes_to_network_gateways_alarm_configured",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudWatch log groups found with metric filters or alarms associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
        "https://support.icompaas.com/support/solutions/articles/62000083807-ensure-a-log-metric-filter-and-alarm-exist-for-changes-to-network-gateways",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-12",
        "https://paper.bobylive.com/Security/CIS/CIS_Amazon_Web_Services_Foundations_Benchmark_v1_3_0.pdf"
      ],
      "notes": "Logging and Monitoring",
      "compliance": {
        "NIS2": [
          "2.2.3",
          "3.2.3.a",
          "3.2.3.c",
          "3.2.3.f",
          "3.2.4",
          "6.4.1"
        ],
        "HIPAA": [
          "164_308_a_6_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ir-4"
        ],
        "CIS-6.0": [
          "5.12"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_2",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_36_1_a",
          "si_2_a",
          "si_4_12",
          "si_5_1",
          "si_5_b"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR03",
          "CCC.Core.CN04.AR01"
        ],
        "CIS-2.0": [
          "4.12"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "LOG-05"
        ],
        "FFIEC": [
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.13"
        ],
        "CIS-4.0.1": [
          "4.12"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.12"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_5_2",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "OIS-04.01AC",
          "OIS-04.02AC",
          "HR-03.02AC",
          "AM-09.03AC",
          "OPS-11.02AC",
          "OPS-13.03AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-26.06B",
          "COS-03.02B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.9"
        ],
        "CIS-1.4": [
          "4.12"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "au_6_1",
          "au_6_3",
          "au_7_1",
          "ca_7",
          "ir_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_5",
          "cm_2",
          "cm_5",
          "cp_4",
          "ra_5"
        ],
        "CIS-5.0": [
          "4.12"
        ],
        "CIS-1.5": [
          "4.12"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ae_2",
          "ae_3",
          "cm_1",
          "dp_4"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "au-6-1-3",
          "au-7-1",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "NIST-800-171-Revision-2": [
          "3_6_1",
          "3_6_2",
          "3_12_4"
        ],
        "MITRE-ATTACK": [
          "T1496"
        ],
        "ISO27001-2013": [
          "A.12.4.C"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "CloudWatch log metric filters and alarms for **network gateway changes** are identified by matching CloudTrail events such as `CreateCustomerGateway`, `DeleteCustomerGateway`, `AttachInternetGateway`, `CreateInternetGateway`, `DeleteInternetGateway`, and `DetachInternetGateway` in log groups that receive trail logs.",
      "title": "CloudWatch Logs metric filter and alarm exist for changes to network gateways",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "TTPs/Command and Control"
      ],
      "uid": "prowler-aws-cloudwatch_changes_to_network_gateways_alarm_configured-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudWatchAlarm",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Send CloudTrail logs to CloudWatch Logs and create a metric filter for the listed gateway events with an alarm that notifies responders. Enforce **least privilege** for gateway modifications, require change approvals, and route alerts to monitored channels as part of **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_changes_to_network_gateways_alarm_configured"
      ]
    },
    "risk_details": "Without this monitoring, gateway changes can expose private networks to the Internet or break connectivity. Adversaries or mistakes can enable data exfiltration, bypass network inspection, and trigger outages via deletions or detachments, impacting **confidentiality** and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudWatch log groups found with metric filters or alarms associated.",
    "metadata": {
      "event_code": "cloudwatch_changes_to_network_route_tables_alarm_configured",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudWatch log groups found with metric filters or alarms associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "2.2.3",
          "3.2.3.a",
          "3.2.3.f",
          "3.2.4",
          "6.4.1"
        ],
        "HIPAA": [
          "164_308_a_6_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ir-4"
        ],
        "CIS-6.0": [
          "5.13"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_2",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_36_1_a",
          "si_2_a",
          "si_4_12",
          "si_5_1",
          "si_5_b"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR03",
          "CCC.Core.CN04.AR01"
        ],
        "CIS-2.0": [
          "4.13"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "LOG-05"
        ],
        "FFIEC": [
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.14"
        ],
        "CIS-4.0.1": [
          "4.13"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_5_2",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "OIS-04.01AC",
          "OIS-04.02AC",
          "HR-03.02AC",
          "AM-09.03AC",
          "OPS-13.03AC",
          "OPS-26.06B",
          "COS-03.02B",
          "PSS-04.01B"
        ],
        "SecNumCloud-3.2": [
          "12.9"
        ],
        "CIS-1.4": [
          "4.13"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "au_6_1",
          "au_6_3",
          "au_7_1",
          "ca_7",
          "ir_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_5",
          "cm_2",
          "cm_5",
          "cp_4",
          "ra_5"
        ],
        "CIS-5.0": [
          "4.13"
        ],
        "CIS-1.5": [
          "4.13"
        ],
        "NIST-CSF-2.0": [
          "ae_2",
          "ae_3",
          "cm_1",
          "dp_4"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "au-6-1-3",
          "au-7-1",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "NIST-800-171-Revision-2": [
          "3_6_1",
          "3_6_2",
          "3_12_4"
        ],
        "MITRE-ATTACK": [
          "T1496"
        ],
        "ISO27001-2013": [
          "A.12.4.B"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**VPC route table changes** are captured from **CloudTrail logs** by a **CloudWatch Logs metric filter** with an associated **alarm** for events like `CreateRoute`, `CreateRouteTable`, `ReplaceRoute`, `ReplaceRouteTableAssociation`, `DeleteRoute`, `DeleteRouteTable`, and `DisassociateRouteTable`.",
      "title": "Account monitors VPC route table changes with a CloudWatch Logs metric filter and alarm",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "Software and Configuration Checks/AWS Security Best Practices",
        "TTPs/Defense Evasion",
        "Effects/Data Exfiltration"
      ],
      "uid": "prowler-aws-cloudwatch_changes_to_network_route_tables_alarm_configured-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudWatchAlarm",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Implement a **CloudWatch Logs metric filter and alarm** on CloudTrail for these route table events and notify responders. Enforce **least privilege** for route modifications, require **change control**, and apply **defense in depth** with VPC Flow Logs and guardrails to prevent and quickly contain unsafe routing changes.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_changes_to_network_route_tables_alarm_configured"
      ]
    },
    "risk_details": "Without monitoring of **route table changes**, unauthorized or accidental edits can redirect traffic, bypass inspection, or blackhole routes, impacting **confidentiality** (exfiltration), **integrity** (tampered paths), and **availability** (outages from misrouted traffic).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudWatch log groups found with metric filters or alarms associated.",
    "metadata": {
      "event_code": "cloudwatch_changes_to_vpcs_alarm_configured",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudWatch log groups found with metric filters or alarms associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html"
      ],
      "notes": "Logging and Monitoring",
      "compliance": {
        "NIS2": [
          "2.2.3",
          "3.2.3.c",
          "3.2.3.f",
          "3.2.4",
          "6.4.1"
        ],
        "HIPAA": [
          "164_308_a_6_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ir-4"
        ],
        "CIS-6.0": [
          "5.14"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_2",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31",
          "sc_36_1_a",
          "si_2_a",
          "si_4_12",
          "si_5_1",
          "si_5_b"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR03",
          "CCC.Core.CN04.AR01"
        ],
        "CIS-2.0": [
          "4.14"
        ],
        "CSA-CCM-4.0": [
          "LOG-05"
        ],
        "FFIEC": [
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.15"
        ],
        "CIS-4.0.1": [
          "4.14"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.14"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_5_2",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "OIS-04.01AC",
          "OIS-04.02AC",
          "HR-03.02AC",
          "AM-09.03AC",
          "OPS-11.02AC",
          "OPS-13.03AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-26.06B",
          "COS-03.02B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16",
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "SecNumCloud-3.2": [
          "12.9"
        ],
        "CIS-1.4": [
          "4.14"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_4",
          "au_6_1",
          "au_6_3",
          "au_7_1",
          "ca_7",
          "ir_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_5",
          "cm_2",
          "cm_5",
          "cp_4",
          "ra_5"
        ],
        "CIS-5.0": [
          "4.14"
        ],
        "CIS-1.5": [
          "4.14"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ae_2",
          "cm_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-4",
          "au-6-1-3",
          "au-7-1",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "NIST-800-171-Revision-2": [
          "3_6_1",
          "3_6_2",
          "3_12_4"
        ],
        "MITRE-ATTACK": [
          "T1496"
        ],
        "ISO27001-2013": [
          "A.12.4.A"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail events** for **VPC configuration changes** are captured in CloudWatch Logs with a metric filter and an associated alarm. The filter targets actions like `CreateVpc`, `DeleteVpc`, `ModifyVpcAttribute`, and VPC peering operations to surface when network topology is altered.",
      "title": "AWS account has a CloudWatch Logs metric filter and alarm for VPC changes",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-cloudwatch_changes_to_vpcs_alarm_configured-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudWatchAlarm",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Create a CloudWatch Logs metric filter and alarm on CloudTrail for critical **VPC change events**, and notify responders. Apply **least privilege** to network changes, require change approvals, and use **defense in depth** (segmentation, route controls) to prevent and contain unauthorized modifications.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_changes_to_vpcs_alarm_configured"
      ]
    },
    "risk_details": "Without alerting on VPC changes, unauthorized or accidental edits to routes, peering, or attributes can go unnoticed, exposing private networks and enabling data exfiltration (C), lateral movement and traffic tampering (I), and outages from misrouted or bridged networks (A).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "CloudWatch doesn't allow cross-account sharing.",
    "metadata": {
      "event_code": "cloudwatch_cross_account_sharing_disabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "CloudWatch doesn't allow cross-account sharing.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "trust-boundaries",
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.html"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP01"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "pi_1_4"
        ],
        "C5-2025": [
          "OIS-04.01AC",
          "PSS-04.01B"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon CloudWatch** cross-account sharing via the `CloudWatch-CrossAccountSharingRole` allows other AWS accounts to view your metrics, dashboards, and alarms. The presence of this role indicates that sharing is active.",
      "title": "CloudWatch does not allow cross-account sharing",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-cloudwatch_cross_account_sharing_disabled-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsIamRole",
        "uid": "arn:aws:iam:us-east-1:211203495394:role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Disable **cross-account sharing** unless strictly required. If needed, restrict access to specific trusted accounts, scope read-only permissions to only necessary resources, and use a dedicated monitoring account. Apply **least privilege** and **separation of duties**, and regularly audit role trust and access patterns.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_cross_account_sharing_disabled"
      ]
    },
    "risk_details": "Granting other accounts visibility into observability data reduces **confidentiality** and enables **reconnaissance**. Adversaries or over-privileged partners can map architectures, profile workloads, and spot alerting gaps, increasing chances of **lateral movement** and **evasion**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Log Group /aws/vpc/flow-logs/cfi-1776042944-vpc does not have AWS KMS keys associated.",
    "metadata": {
      "event_code": "cloudwatch_log_group_kms_encryption_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Log Group /aws/vpc/flow-logs/cfi-1776042944-vpc does not have AWS KMS keys associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "encryption"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/cli/latest/reference/logs/associate-kms-key.html",
        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group",
        "https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/logs/client/associate_kms_key.html",
        "https://support.icompaas.com/support/solutions/articles/62000233436-ensure-cloudwatch-log-groups-are-protected-by-aws-kms",
        "https://varunmanik1.medium.com/proactively-mitigating-a-medium-severity-prowler-issue-enabling-kms-encryption-for-cloudwatch-logs-51d43416c7fc"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_b",
          "164_308_a_4_ii_a",
          "164_312_a_2_iv",
          "164_312_e_2_ii"
        ],
        "FedRAMP-Low-Revision-4": [
          "au-9"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-mla"
        ],
        "NIST-800-53-Revision-5": [
          "au_9_3",
          "cp_9_d",
          "sc_8_3",
          "sc_8_4",
          "sc_13_a",
          "sc_28_1",
          "si_19_4"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN02.AR01"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_1_3"
        ],
        "PCI-3.2.1": [
          "3.4",
          "3.4.1",
          "3.4.1.a",
          "3.4.1.c",
          "3.4.a",
          "3.4.b",
          "3.4.d",
          "8.2",
          "8.2.1",
          "8.2.1.a"
        ],
        "GxP-EU-Annex-11": [
          "7.1-data-storage-damage-protection"
        ],
        "CSA-CCM-4.0": [
          "CEK-03",
          "LOG-02",
          "LOG-09"
        ],
        "GDPR": [
          "article_32"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.3.2.3",
          "10.3.3.5",
          "10.3.4.4",
          "3.5.1.4",
          "8.3.2.8",
          "A1.2.1.9"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.7.2",
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC08-BP02"
        ],
        "KISA-ISMS-P-2023": [
          "2.7.2",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_7_3",
          "pi_1_4"
        ],
        "C5-2025": [
          "OIS-04.01AC",
          "OIS-08.02B",
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-13.03B",
          "OPS-14.03B",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-31.01B",
          "IAM-07.03B",
          "CRY-01.02AC",
          "CRY-05.02B",
          "CRY-05.01AC",
          "PSS-04.01B",
          "PSS-04.04B",
          "PSS-12.02B"
        ],
        "ISO27001-2022": [
          "A.8.11",
          "A.8.15",
          "A.8.16",
          "A.8.24"
        ],
        "SecNumCloud-3.2": [
          "10.1",
          "12.7"
        ],
        "NIST-800-53-Revision-4": [
          "au_9",
          "sc_28"
        ],
        "NIST-CSF-1.1": [
          "ds_1"
        ],
        "NIST-CSF-2.0": [
          "ds_1",
          "ds_5"
        ],
        "FedRamp-Moderate-Revision-4": [
          "au-9",
          "sc-28"
        ],
        "GxP-21-CFR-Part-11": [
          "11.30"
        ],
        "NIST-800-171-Revision-2": [
          "3_3_8",
          "3_13_11",
          "3_13_16"
        ],
        "MITRE-ATTACK": [
          "T1040"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch log groups** are assessed for **at-rest encryption** by checking if an **AWS KMS key** is associated with the log group via `kmsKeyId`.",
      "title": "CloudWatch log group is encrypted with an AWS KMS key",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_kms_encryption_enabled-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-1776042944-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776042944-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-1776042944-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {},
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-1776042944-vpc",
        "type": "Other",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776042944-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Associate each log group with a **customer-managed KMS key** via `kmsKeyId`.\n- Enforce **least privilege** in key and IAM policies, granting `kms:Decrypt` only to required principals\n- Enable rotation and monitor key usage\n- Separate keys by app/tenant to support **defense in depth** and rapid revocation",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_kms_encryption_enabled"
      ]
    },
    "risk_details": "Without a **customer-managed KMS key**, logs rely on service-managed encryption, limiting control and auditability.\n- Confidentiality: weaker key-policy barriers against unauthorized reads\n- Integrity/availability: no custom rotation or rapid revoke, hindering incident response and compliance",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Log Group /aws/vpc/flow-logs/cfi-1776043129-vpc does not have AWS KMS keys associated.",
    "metadata": {
      "event_code": "cloudwatch_log_group_kms_encryption_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Log Group /aws/vpc/flow-logs/cfi-1776043129-vpc does not have AWS KMS keys associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "encryption"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/cli/latest/reference/logs/associate-kms-key.html",
        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group",
        "https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/logs/client/associate_kms_key.html",
        "https://support.icompaas.com/support/solutions/articles/62000233436-ensure-cloudwatch-log-groups-are-protected-by-aws-kms",
        "https://varunmanik1.medium.com/proactively-mitigating-a-medium-severity-prowler-issue-enabling-kms-encryption-for-cloudwatch-logs-51d43416c7fc"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_b",
          "164_308_a_4_ii_a",
          "164_312_a_2_iv",
          "164_312_e_2_ii"
        ],
        "FedRAMP-Low-Revision-4": [
          "au-9"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-mla"
        ],
        "NIST-800-53-Revision-5": [
          "au_9_3",
          "cp_9_d",
          "sc_8_3",
          "sc_8_4",
          "sc_13_a",
          "sc_28_1",
          "si_19_4"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN02.AR01"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_1_3"
        ],
        "PCI-3.2.1": [
          "3.4",
          "3.4.1",
          "3.4.1.a",
          "3.4.1.c",
          "3.4.a",
          "3.4.b",
          "3.4.d",
          "8.2",
          "8.2.1",
          "8.2.1.a"
        ],
        "GxP-EU-Annex-11": [
          "7.1-data-storage-damage-protection"
        ],
        "CSA-CCM-4.0": [
          "CEK-03",
          "LOG-02",
          "LOG-09"
        ],
        "GDPR": [
          "article_32"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.3.2.3",
          "10.3.3.5",
          "10.3.4.4",
          "3.5.1.4",
          "8.3.2.8",
          "A1.2.1.9"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.7.2",
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC08-BP02"
        ],
        "KISA-ISMS-P-2023": [
          "2.7.2",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_7_3",
          "pi_1_4"
        ],
        "C5-2025": [
          "OIS-04.01AC",
          "OIS-08.02B",
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-13.03B",
          "OPS-14.03B",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-31.01B",
          "IAM-07.03B",
          "CRY-01.02AC",
          "CRY-05.02B",
          "CRY-05.01AC",
          "PSS-04.01B",
          "PSS-04.04B",
          "PSS-12.02B"
        ],
        "ISO27001-2022": [
          "A.8.11",
          "A.8.15",
          "A.8.16",
          "A.8.24"
        ],
        "SecNumCloud-3.2": [
          "10.1",
          "12.7"
        ],
        "NIST-800-53-Revision-4": [
          "au_9",
          "sc_28"
        ],
        "NIST-CSF-1.1": [
          "ds_1"
        ],
        "NIST-CSF-2.0": [
          "ds_1",
          "ds_5"
        ],
        "FedRamp-Moderate-Revision-4": [
          "au-9",
          "sc-28"
        ],
        "GxP-21-CFR-Part-11": [
          "11.30"
        ],
        "NIST-800-171-Revision-2": [
          "3_3_8",
          "3_13_11",
          "3_13_16"
        ],
        "MITRE-ATTACK": [
          "T1040"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch log groups** are assessed for **at-rest encryption** by checking if an **AWS KMS key** is associated with the log group via `kmsKeyId`.",
      "title": "CloudWatch log group is encrypted with an AWS KMS key",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_kms_encryption_enabled-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-1776043129-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043129-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-1776043129-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {},
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-1776043129-vpc",
        "type": "Other",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043129-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Associate each log group with a **customer-managed KMS key** via `kmsKeyId`.\n- Enforce **least privilege** in key and IAM policies, granting `kms:Decrypt` only to required principals\n- Enable rotation and monitor key usage\n- Separate keys by app/tenant to support **defense in depth** and rapid revocation",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_kms_encryption_enabled"
      ]
    },
    "risk_details": "Without a **customer-managed KMS key**, logs rely on service-managed encryption, limiting control and auditability.\n- Confidentiality: weaker key-policy barriers against unauthorized reads\n- Integrity/availability: no custom rotation or rapid revoke, hindering incident response and compliance",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Log Group /aws/vpc/flow-logs/cfi-1776043305-vpc does not have AWS KMS keys associated.",
    "metadata": {
      "event_code": "cloudwatch_log_group_kms_encryption_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Log Group /aws/vpc/flow-logs/cfi-1776043305-vpc does not have AWS KMS keys associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "encryption"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/cli/latest/reference/logs/associate-kms-key.html",
        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group",
        "https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/logs/client/associate_kms_key.html",
        "https://support.icompaas.com/support/solutions/articles/62000233436-ensure-cloudwatch-log-groups-are-protected-by-aws-kms",
        "https://varunmanik1.medium.com/proactively-mitigating-a-medium-severity-prowler-issue-enabling-kms-encryption-for-cloudwatch-logs-51d43416c7fc"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_b",
          "164_308_a_4_ii_a",
          "164_312_a_2_iv",
          "164_312_e_2_ii"
        ],
        "FedRAMP-Low-Revision-4": [
          "au-9"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-mla"
        ],
        "NIST-800-53-Revision-5": [
          "au_9_3",
          "cp_9_d",
          "sc_8_3",
          "sc_8_4",
          "sc_13_a",
          "sc_28_1",
          "si_19_4"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN02.AR01"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_1_3"
        ],
        "PCI-3.2.1": [
          "3.4",
          "3.4.1",
          "3.4.1.a",
          "3.4.1.c",
          "3.4.a",
          "3.4.b",
          "3.4.d",
          "8.2",
          "8.2.1",
          "8.2.1.a"
        ],
        "GxP-EU-Annex-11": [
          "7.1-data-storage-damage-protection"
        ],
        "CSA-CCM-4.0": [
          "CEK-03",
          "LOG-02",
          "LOG-09"
        ],
        "GDPR": [
          "article_32"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.3.2.3",
          "10.3.3.5",
          "10.3.4.4",
          "3.5.1.4",
          "8.3.2.8",
          "A1.2.1.9"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.7.2",
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC08-BP02"
        ],
        "KISA-ISMS-P-2023": [
          "2.7.2",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_7_3",
          "pi_1_4"
        ],
        "C5-2025": [
          "OIS-04.01AC",
          "OIS-08.02B",
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-13.03B",
          "OPS-14.03B",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-31.01B",
          "IAM-07.03B",
          "CRY-01.02AC",
          "CRY-05.02B",
          "CRY-05.01AC",
          "PSS-04.01B",
          "PSS-04.04B",
          "PSS-12.02B"
        ],
        "ISO27001-2022": [
          "A.8.11",
          "A.8.15",
          "A.8.16",
          "A.8.24"
        ],
        "SecNumCloud-3.2": [
          "10.1",
          "12.7"
        ],
        "NIST-800-53-Revision-4": [
          "au_9",
          "sc_28"
        ],
        "NIST-CSF-1.1": [
          "ds_1"
        ],
        "NIST-CSF-2.0": [
          "ds_1",
          "ds_5"
        ],
        "FedRamp-Moderate-Revision-4": [
          "au-9",
          "sc-28"
        ],
        "GxP-21-CFR-Part-11": [
          "11.30"
        ],
        "NIST-800-171-Revision-2": [
          "3_3_8",
          "3_13_11",
          "3_13_16"
        ],
        "MITRE-ATTACK": [
          "T1040"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch log groups** are assessed for **at-rest encryption** by checking if an **AWS KMS key** is associated with the log group via `kmsKeyId`.",
      "title": "CloudWatch log group is encrypted with an AWS KMS key",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_kms_encryption_enabled-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-1776043305-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043305-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-1776043305-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {
              "eni-0be862317c940d4fc-all": [
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 35940 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204096"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 44547 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204097"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 51535 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204098"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.231.139.74 58586 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204099"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 34842 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204100"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 43583 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204101"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 43526 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204102"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 36996 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204103"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 50070 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204104"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 49313 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204105"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 37582 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204106"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 54039 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204107"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.188.122 40674 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204108"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 55171 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204109"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 48652 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204110"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 36841 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204111"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 48428 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204112"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 38064 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204113"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 51608 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204114"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 37572 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204115"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 58714 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204116"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.216.215.50 57320 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204117"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 33475 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204118"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 38054 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204119"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 38591 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204120"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 46925 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204121"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 50341 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204122"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 45449 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204123"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 57824 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204124"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 58658 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204125"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 36848 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204126"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 53127 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204127"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 43610 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204128"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 49499 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204129"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 43177 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204130"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 47559 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204131"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.191.86 59198 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204132"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.216.39.98 43818 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204133"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 100.54.85.240 52496 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204134"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.199.218 36764 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204135"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 60571 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204136"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 43824 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204137"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.191.161 49206 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204138"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 41325 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204139"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 42961 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204140"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.252.124 52020 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204141"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 37274 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204142"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 33147 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204143"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 60979 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204144"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043897000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.220.37.77 50120 443 6 5 300 1776043897 1776043913 REJECT OK",
                  "ingestionTime": 1776043935931,
                  "eventId": "39607102408402366600278585016565793565449617484711854080"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043930000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.220.37.77 59004 443 6 5 300 1776043930 1776043946 REJECT OK",
                  "ingestionTime": 1776043968748,
                  "eventId": "39607103144326958151789148726918044984659392180918484992"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043964000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 44.216.200.77 52102 443 6 4 240 1776043964 1776043972 REJECT OK",
                  "ingestionTime": 1776043999709,
                  "eventId": "39607103902552294901830335576561959755515298757246779392"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043979000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 44.216.200.77 52102 443 6 1 60 1776043979 1776043980 REJECT OK",
                  "ingestionTime": 1776044030219,
                  "eventId": "39607104237063472879789682736482161463782426772697710592"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 54278 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206080"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 44.216.202.52 57624 443 6 5 300 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206081"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 39347 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206082"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 57660 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206083"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 48495 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206084"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 44506 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206085"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044042000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 44.216.202.52 58184 443 6 5 300 1776044042 1776044058 REJECT OK",
                  "ingestionTime": 1776044088420,
                  "eventId": "39607105642010420387218940723592890307452753646354432000"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044075000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.217.79.194 53486 443 6 5 300 1776044075 1776044091 REJECT OK",
                  "ingestionTime": 1776044118520,
                  "eventId": "39607106377935011938729504430660389555653583637859008512"
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-1776043305-vpc",
        "type": "Other",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043305-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Associate each log group with a **customer-managed KMS key** via `kmsKeyId`.\n- Enforce **least privilege** in key and IAM policies, granting `kms:Decrypt` only to required principals\n- Enable rotation and monitor key usage\n- Separate keys by app/tenant to support **defense in depth** and rapid revocation",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_kms_encryption_enabled"
      ]
    },
    "risk_details": "Without a **customer-managed KMS key**, logs rely on service-managed encryption, limiting control and auditability.\n- Confidentiality: weaker key-policy barriers against unauthorized reads\n- Integrity/availability: no custom rotation or rapid revoke, hindering incident response and compliance",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Log Group /aws/vpc/flow-logs/cfi-1776044303-vpc does not have AWS KMS keys associated.",
    "metadata": {
      "event_code": "cloudwatch_log_group_kms_encryption_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Log Group /aws/vpc/flow-logs/cfi-1776044303-vpc does not have AWS KMS keys associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "encryption"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/cli/latest/reference/logs/associate-kms-key.html",
        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group",
        "https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/logs/client/associate_kms_key.html",
        "https://support.icompaas.com/support/solutions/articles/62000233436-ensure-cloudwatch-log-groups-are-protected-by-aws-kms",
        "https://varunmanik1.medium.com/proactively-mitigating-a-medium-severity-prowler-issue-enabling-kms-encryption-for-cloudwatch-logs-51d43416c7fc"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_b",
          "164_308_a_4_ii_a",
          "164_312_a_2_iv",
          "164_312_e_2_ii"
        ],
        "FedRAMP-Low-Revision-4": [
          "au-9"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-mla"
        ],
        "NIST-800-53-Revision-5": [
          "au_9_3",
          "cp_9_d",
          "sc_8_3",
          "sc_8_4",
          "sc_13_a",
          "sc_28_1",
          "si_19_4"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN02.AR01"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_1_3"
        ],
        "PCI-3.2.1": [
          "3.4",
          "3.4.1",
          "3.4.1.a",
          "3.4.1.c",
          "3.4.a",
          "3.4.b",
          "3.4.d",
          "8.2",
          "8.2.1",
          "8.2.1.a"
        ],
        "GxP-EU-Annex-11": [
          "7.1-data-storage-damage-protection"
        ],
        "CSA-CCM-4.0": [
          "CEK-03",
          "LOG-02",
          "LOG-09"
        ],
        "GDPR": [
          "article_32"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.3.2.3",
          "10.3.3.5",
          "10.3.4.4",
          "3.5.1.4",
          "8.3.2.8",
          "A1.2.1.9"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.7.2",
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC08-BP02"
        ],
        "KISA-ISMS-P-2023": [
          "2.7.2",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_7_3",
          "pi_1_4"
        ],
        "C5-2025": [
          "OIS-04.01AC",
          "OIS-08.02B",
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-13.03B",
          "OPS-14.03B",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-31.01B",
          "IAM-07.03B",
          "CRY-01.02AC",
          "CRY-05.02B",
          "CRY-05.01AC",
          "PSS-04.01B",
          "PSS-04.04B",
          "PSS-12.02B"
        ],
        "ISO27001-2022": [
          "A.8.11",
          "A.8.15",
          "A.8.16",
          "A.8.24"
        ],
        "SecNumCloud-3.2": [
          "10.1",
          "12.7"
        ],
        "NIST-800-53-Revision-4": [
          "au_9",
          "sc_28"
        ],
        "NIST-CSF-1.1": [
          "ds_1"
        ],
        "NIST-CSF-2.0": [
          "ds_1",
          "ds_5"
        ],
        "FedRamp-Moderate-Revision-4": [
          "au-9",
          "sc-28"
        ],
        "GxP-21-CFR-Part-11": [
          "11.30"
        ],
        "NIST-800-171-Revision-2": [
          "3_3_8",
          "3_13_11",
          "3_13_16"
        ],
        "MITRE-ATTACK": [
          "T1040"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch log groups** are assessed for **at-rest encryption** by checking if an **AWS KMS key** is associated with the log group via `kmsKeyId`.",
      "title": "CloudWatch log group is encrypted with an AWS KMS key",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_kms_encryption_enabled-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-1776044303-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776044303-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-1776044303-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {},
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-1776044303-vpc",
        "type": "Other",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776044303-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Associate each log group with a **customer-managed KMS key** via `kmsKeyId`.\n- Enforce **least privilege** in key and IAM policies, granting `kms:Decrypt` only to required principals\n- Enable rotation and monitor key usage\n- Separate keys by app/tenant to support **defense in depth** and rapid revocation",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_kms_encryption_enabled"
      ]
    },
    "risk_details": "Without a **customer-managed KMS key**, logs rely on service-managed encryption, limiting control and auditability.\n- Confidentiality: weaker key-policy barriers against unauthorized reads\n- Integrity/availability: no custom rotation or rapid revoke, hindering incident response and compliance",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Log Group /aws/vpc/flow-logs/cfi-20260413t013134z-vpc does not have AWS KMS keys associated.",
    "metadata": {
      "event_code": "cloudwatch_log_group_kms_encryption_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Log Group /aws/vpc/flow-logs/cfi-20260413t013134z-vpc does not have AWS KMS keys associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "encryption"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/cli/latest/reference/logs/associate-kms-key.html",
        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group",
        "https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/logs/client/associate_kms_key.html",
        "https://support.icompaas.com/support/solutions/articles/62000233436-ensure-cloudwatch-log-groups-are-protected-by-aws-kms",
        "https://varunmanik1.medium.com/proactively-mitigating-a-medium-severity-prowler-issue-enabling-kms-encryption-for-cloudwatch-logs-51d43416c7fc"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_b",
          "164_308_a_4_ii_a",
          "164_312_a_2_iv",
          "164_312_e_2_ii"
        ],
        "FedRAMP-Low-Revision-4": [
          "au-9"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-mla"
        ],
        "NIST-800-53-Revision-5": [
          "au_9_3",
          "cp_9_d",
          "sc_8_3",
          "sc_8_4",
          "sc_13_a",
          "sc_28_1",
          "si_19_4"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN02.AR01"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_1_3"
        ],
        "PCI-3.2.1": [
          "3.4",
          "3.4.1",
          "3.4.1.a",
          "3.4.1.c",
          "3.4.a",
          "3.4.b",
          "3.4.d",
          "8.2",
          "8.2.1",
          "8.2.1.a"
        ],
        "GxP-EU-Annex-11": [
          "7.1-data-storage-damage-protection"
        ],
        "CSA-CCM-4.0": [
          "CEK-03",
          "LOG-02",
          "LOG-09"
        ],
        "GDPR": [
          "article_32"
        ],
        "CISA": [
          "your-systems-3",
          "your-data-2"
        ],
        "PCI-4.0": [
          "10.3.2.3",
          "10.3.3.5",
          "10.3.4.4",
          "3.5.1.4",
          "8.3.2.8",
          "A1.2.1.9"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.7.2",
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC08-BP02"
        ],
        "KISA-ISMS-P-2023": [
          "2.7.2",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_7_3",
          "pi_1_4"
        ],
        "C5-2025": [
          "OIS-04.01AC",
          "OIS-08.02B",
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-13.03B",
          "OPS-14.03B",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-31.01B",
          "IAM-07.03B",
          "CRY-01.02AC",
          "CRY-05.02B",
          "CRY-05.01AC",
          "PSS-04.01B",
          "PSS-04.04B",
          "PSS-12.02B"
        ],
        "ISO27001-2022": [
          "A.8.11",
          "A.8.15",
          "A.8.16",
          "A.8.24"
        ],
        "SecNumCloud-3.2": [
          "10.1",
          "12.7"
        ],
        "NIST-800-53-Revision-4": [
          "au_9",
          "sc_28"
        ],
        "NIST-CSF-1.1": [
          "ds_1"
        ],
        "NIST-CSF-2.0": [
          "ds_1",
          "ds_5"
        ],
        "FedRamp-Moderate-Revision-4": [
          "au-9",
          "sc-28"
        ],
        "GxP-21-CFR-Part-11": [
          "11.30"
        ],
        "NIST-800-171-Revision-2": [
          "3_3_8",
          "3_13_11",
          "3_13_16"
        ],
        "MITRE-ATTACK": [
          "T1040"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch log groups** are assessed for **at-rest encryption** by checking if an **AWS KMS key** is associated with the log group via `kmsKeyId`.",
      "title": "CloudWatch log group is encrypted with an AWS KMS key",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_kms_encryption_enabled-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-20260413t013134z-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-20260413t013134z-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-20260413t013134z-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {},
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-20260413t013134z-vpc",
        "type": "Other",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-20260413t013134z-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Associate each log group with a **customer-managed KMS key** via `kmsKeyId`.\n- Enforce **least privilege** in key and IAM policies, granting `kms:Decrypt` only to required principals\n- Enable rotation and monitor key usage\n- Separate keys by app/tenant to support **defense in depth** and rapid revocation",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_kms_encryption_enabled"
      ]
    },
    "risk_details": "Without a **customer-managed KMS key**, logs rely on service-managed encryption, limiting control and auditability.\n- Confidentiality: weaker key-policy barriers against unauthorized reads\n- Integrity/availability: no custom rotation or rapid revocation, hindering incident response and compliance",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No secrets found in /aws/vpc/flow-logs/cfi-1776042944-vpc log group.",
    "metadata": {
      "event_code": "cloudwatch_log_group_no_secrets_in_logs",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "No secrets found in /aws/vpc/flow-logs/cfi-1776042944-vpc log group.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "secrets"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://support.icompaas.com/support/solutions/articles/62000233413-ensure-secrets-are-not-logged-in-cloudwatch-logs",
        "https://awsfundamentals.com/blog/masking-sensitive-data-with-amazon-cloudwatch-logs-data-protection-policies",
        "https://repost.aws/questions/QUermjg18CSMqfSKo4CuTAaA/hide-sensitive-data-in-cloudwatch-logs",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html",
        "https://levelup.gitconnected.com/masking-sensitive-data-in-aws-cloudwatch-logs-1b3c66d0ddcb"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.01AC",
          "OPS-11.02AC",
          "OPS-13.03B",
          "OPS-26.05B",
          "OPS-26.01AS",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "10.5"
        ],
        "MITRE-ATTACK": [
          "T1552"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch Logs** log groups are analyzed for potential **secrets** embedded in log events across their streams. Detection flags patterns resembling credentials (API keys, passwords, tokens, keys) and reports the secret types and where they appear within the log group.",
      "title": "CloudWatch log group contains no secrets in its log events",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Sensitive Data Identifications/Passwords",
        "Sensitive Data Identifications/Security",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_no_secrets_in_logs-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-1776042944-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776042944-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-1776042944-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {},
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-1776042944-vpc",
        "type": "Other",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776042944-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Avoid logging **secrets** via application sanitization and data minimization. Apply CloudWatch data protection policies to audit and mask sensitive patterns. Enforce *least privilege* for log readers and restrict `logs:Unmask`. Rotate exposed keys, reduce retention, and monitor findings to validate controls.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_no_secrets_in_logs"
      ]
    },
    "risk_details": "Leaked **credentials in logs** erode confidentiality and enable unauthorized API calls. Attackers reusing tokens/keys can escalate privileges, alter resources, and exfiltrate data. Subscriptions and exports widen exposure, and users with `logs:Unmask` can reveal values, increasing the blast radius.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No secrets found in /aws/vpc/flow-logs/cfi-1776043129-vpc log group.",
    "metadata": {
      "event_code": "cloudwatch_log_group_no_secrets_in_logs",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "No secrets found in /aws/vpc/flow-logs/cfi-1776043129-vpc log group.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "secrets"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://support.icompaas.com/support/solutions/articles/62000233413-ensure-secrets-are-not-logged-in-cloudwatch-logs",
        "https://awsfundamentals.com/blog/masking-sensitive-data-with-amazon-cloudwatch-logs-data-protection-policies",
        "https://repost.aws/questions/QUermjg18CSMqfSKo4CuTAaA/hide-sensitive-data-in-cloudwatch-logs",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html",
        "https://levelup.gitconnected.com/masking-sensitive-data-in-aws-cloudwatch-logs-1b3c66d0ddcb"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.01AC",
          "OPS-11.02AC",
          "OPS-13.03B",
          "OPS-26.05B",
          "OPS-26.01AS",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "10.5"
        ],
        "MITRE-ATTACK": [
          "T1552"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch Logs** log groups are analyzed for potential **secrets** embedded in log events across their streams. Detection flags patterns resembling credentials (API keys, passwords, tokens, keys) and reports the secret types and where they appear within the log group.",
      "title": "CloudWatch log group contains no secrets in its log events",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Sensitive Data Identifications/Passwords",
        "Sensitive Data Identifications/Security",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_no_secrets_in_logs-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-1776043129-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043129-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-1776043129-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {},
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-1776043129-vpc",
        "type": "Other",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043129-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Avoid logging **secrets** via application sanitization and data minimization. Apply CloudWatch data protection policies to audit and mask sensitive patterns. Enforce *least privilege* for log readers and restrict `logs:Unmask`. Rotate exposed keys, reduce retention, and monitor findings to validate controls.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_no_secrets_in_logs"
      ]
    },
    "risk_details": "Leaked **credentials in logs** erode confidentiality and enable unauthorized API calls. Attackers reusing tokens/keys can escalate privileges, alter resources, and exfiltrate data. Subscriptions and exports widen exposure, and users with `logs:Unmask` can reveal values, increasing the blast radius.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No secrets found in /aws/vpc/flow-logs/cfi-1776043305-vpc log group.",
    "metadata": {
      "event_code": "cloudwatch_log_group_no_secrets_in_logs",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "No secrets found in /aws/vpc/flow-logs/cfi-1776043305-vpc log group.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "secrets"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://support.icompaas.com/support/solutions/articles/62000233413-ensure-secrets-are-not-logged-in-cloudwatch-logs",
        "https://awsfundamentals.com/blog/masking-sensitive-data-with-amazon-cloudwatch-logs-data-protection-policies",
        "https://repost.aws/questions/QUermjg18CSMqfSKo4CuTAaA/hide-sensitive-data-in-cloudwatch-logs",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html",
        "https://levelup.gitconnected.com/masking-sensitive-data-in-aws-cloudwatch-logs-1b3c66d0ddcb"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.01AC",
          "OPS-11.02AC",
          "OPS-13.03B",
          "OPS-26.05B",
          "OPS-26.01AS",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "10.5"
        ],
        "MITRE-ATTACK": [
          "T1552"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch Logs** log groups are analyzed for potential **secrets** embedded in log events across their streams. Detection flags patterns resembling credentials (API keys, passwords, tokens, keys) and reports the secret types and where they appear within the log group.",
      "title": "CloudWatch log group contains no secrets in its log events",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Sensitive Data Identifications/Passwords",
        "Sensitive Data Identifications/Security",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_no_secrets_in_logs-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-1776043305-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043305-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-1776043305-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {
              "eni-0be862317c940d4fc-all": [
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 35940 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204096"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 44547 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204097"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 51535 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204098"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.231.139.74 58586 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204099"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 34842 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204100"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 43583 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204101"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 43526 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204102"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 36996 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204103"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 50070 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204104"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 49313 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204105"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 37582 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204106"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 54039 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204107"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.188.122 40674 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204108"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 55171 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204109"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 48652 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204110"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 36841 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204111"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 48428 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204112"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 38064 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204113"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 51608 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204114"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 37572 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204115"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 58714 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204116"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.216.215.50 57320 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204117"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 33475 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204118"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 38054 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204119"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 38591 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204120"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 46925 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204121"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 50341 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204122"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 45449 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204123"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 57824 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204124"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 58658 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204125"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 36848 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204126"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 53127 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204127"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 43610 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204128"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 49499 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204129"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 43177 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204130"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 47559 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204131"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.191.86 59198 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204132"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.216.39.98 43818 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204133"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 100.54.85.240 52496 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204134"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.199.218 36764 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204135"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 60571 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204136"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 43824 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204137"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.191.161 49206 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204138"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 41325 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204139"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 42961 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204140"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.252.124 52020 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204141"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 37274 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204142"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 33147 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204143"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 60979 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204144"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043897000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.220.37.77 50120 443 6 5 300 1776043897 1776043913 REJECT OK",
                  "ingestionTime": 1776043935931,
                  "eventId": "39607102408402366600278585016565793565449617484711854080"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043930000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.220.37.77 59004 443 6 5 300 1776043930 1776043946 REJECT OK",
                  "ingestionTime": 1776043968748,
                  "eventId": "39607103144326958151789148726918044984659392180918484992"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043964000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 44.216.200.77 52102 443 6 4 240 1776043964 1776043972 REJECT OK",
                  "ingestionTime": 1776043999709,
                  "eventId": "39607103902552294901830335576561959755515298757246779392"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043979000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 44.216.200.77 52102 443 6 1 60 1776043979 1776043980 REJECT OK",
                  "ingestionTime": 1776044030219,
                  "eventId": "39607104237063472879789682736482161463782426772697710592"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 54278 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206080"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 44.216.202.52 57624 443 6 5 300 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206081"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 39347 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206082"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 57660 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206083"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 48495 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206084"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 44506 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206085"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044042000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 44.216.202.52 58184 443 6 5 300 1776044042 1776044058 REJECT OK",
                  "ingestionTime": 1776044088420,
                  "eventId": "39607105642010420387218940723592890307452753646354432000"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044075000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.217.79.194 53486 443 6 5 300 1776044075 1776044091 REJECT OK",
                  "ingestionTime": 1776044118520,
                  "eventId": "39607106377935011938729504430660389555653583637859008512"
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-1776043305-vpc",
        "type": "Other",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043305-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Avoid logging **secrets** via application sanitization and data minimization. Apply CloudWatch data protection policies to audit and mask sensitive patterns. Enforce *least privilege* for log readers and restrict `logs:Unmask`. Rotate exposed keys, reduce retention, and monitor findings to validate controls.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_no_secrets_in_logs"
      ]
    },
    "risk_details": "Leaked **credentials in logs** erode confidentiality and enable unauthorized API calls. Attackers reusing tokens/keys can escalate privileges, alter resources, and exfiltrate data. Subscriptions and exports widen exposure, and users with `logs:Unmask` can reveal values, increasing the blast radius.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No secrets found in /aws/vpc/flow-logs/cfi-1776044303-vpc log group.",
    "metadata": {
      "event_code": "cloudwatch_log_group_no_secrets_in_logs",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "No secrets found in /aws/vpc/flow-logs/cfi-1776044303-vpc log group.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "secrets"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://support.icompaas.com/support/solutions/articles/62000233413-ensure-secrets-are-not-logged-in-cloudwatch-logs",
        "https://awsfundamentals.com/blog/masking-sensitive-data-with-amazon-cloudwatch-logs-data-protection-policies",
        "https://repost.aws/questions/QUermjg18CSMqfSKo4CuTAaA/hide-sensitive-data-in-cloudwatch-logs",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html",
        "https://levelup.gitconnected.com/masking-sensitive-data-in-aws-cloudwatch-logs-1b3c66d0ddcb"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.01AC",
          "OPS-11.02AC",
          "OPS-13.03B",
          "OPS-26.05B",
          "OPS-26.01AS",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "10.5"
        ],
        "MITRE-ATTACK": [
          "T1552"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch Logs** log groups are analyzed for potential **secrets** embedded in log events across their streams. Detection flags patterns resembling credentials (API keys, passwords, tokens, keys) and reports the secret types and where they appear within the log group.",
      "title": "CloudWatch log group contains no secrets in its log events",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Sensitive Data Identifications/Passwords",
        "Sensitive Data Identifications/Security",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_no_secrets_in_logs-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-1776044303-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776044303-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-1776044303-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {},
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-1776044303-vpc",
        "type": "Other",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776044303-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Avoid logging **secrets** via application sanitization and data minimization. Apply CloudWatch data protection policies to audit and mask sensitive patterns. Enforce *least privilege* for log readers and restrict `logs:Unmask`. Rotate exposed keys, reduce retention, and monitor findings to validate controls.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_no_secrets_in_logs"
      ]
    },
    "risk_details": "Leaked **credentials in logs** erode confidentiality and enable unauthorized API calls. Attackers reusing tokens/keys can escalate privileges, alter resources, and exfiltrate data. Subscriptions and exports widen exposure, and users with `logs:Unmask` can reveal values, increasing the blast radius.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No secrets found in /aws/vpc/flow-logs/cfi-20260413t013134z-vpc log group.",
    "metadata": {
      "event_code": "cloudwatch_log_group_no_secrets_in_logs",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "No secrets found in /aws/vpc/flow-logs/cfi-20260413t013134z-vpc log group.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "secrets"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://support.icompaas.com/support/solutions/articles/62000233413-ensure-secrets-are-not-logged-in-cloudwatch-logs",
        "https://awsfundamentals.com/blog/masking-sensitive-data-with-amazon-cloudwatch-logs-data-protection-policies",
        "https://repost.aws/questions/QUermjg18CSMqfSKo4CuTAaA/hide-sensitive-data-in-cloudwatch-logs",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html",
        "https://levelup.gitconnected.com/masking-sensitive-data-in-aws-cloudwatch-logs-1b3c66d0ddcb"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.01AC",
          "OPS-11.02AC",
          "OPS-13.03B",
          "OPS-26.05B",
          "OPS-26.01AS",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "10.5"
        ],
        "MITRE-ATTACK": [
          "T1552"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch Logs** log groups are analyzed for potential **secrets** embedded in log events across their streams. Detection flags patterns resembling credentials (API keys, passwords, tokens, keys) and reports the secret types and where they appear within the log group.",
      "title": "CloudWatch log group contains no secrets in its log events",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Sensitive Data Identifications/Passwords",
        "Sensitive Data Identifications/Security",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_no_secrets_in_logs-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-20260413t013134z-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-20260413t013134z-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-20260413t013134z-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {},
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-20260413t013134z-vpc",
        "type": "Other",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-20260413t013134z-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Avoid logging **secrets** via application sanitization and data minimization. Apply CloudWatch data protection policies to audit and mask sensitive patterns. Enforce *least privilege* for log readers and restrict `logs:Unmask`. Rotate exposed keys, reduce retention, and monitor findings to validate controls.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_no_secrets_in_logs"
      ]
    },
    "risk_details": "Leaked **credentials in logs** erode confidentiality and enable unauthorized API calls. Attackers reusing tokens/keys can escalate privileges, alter resources, and exfiltrate data. Subscriptions and exports widen exposure, and users with `logs:Unmask` can reveal values, increasing the blast radius.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Log Group /aws/vpc/flow-logs/cfi-1776042944-vpc is not publicly accessible.",
    "metadata": {
      "event_code": "cloudwatch_log_group_not_publicly_accessible",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Log Group /aws/vpc/flow-logs/cfi-1776042944-vpc is not publicly accessible.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed",
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR01",
          "CCC.AuditLog.CN09.AR01",
          "CCC.Logging.CN04.AR01",
          "CCC.Monitor.CN04.AR01"
        ],
        "CSA-CCM-4.0": [
          "LOG-02",
          "LOG-04",
          "LOG-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.1",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "pi_1_4"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "PS-03.02B",
          "OPS-11.02AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-10.01B",
          "COS-02.01B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.7"
        ],
        "NIST-CSF-2.0": [
          "ds_5"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch Log Groups** with resource policies that grant access to any principal are identified. Statements using `Principal:\"*\"` or wildcard `Resource` that reference a log group ARN indicate that the log group is exposed through a public policy.",
      "title": "CloudWatch Log Group is not publicly accessible",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_not_publicly_accessible-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-1776042944-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776042944-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-1776042944-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {},
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-1776042944-vpc",
        "type": "Other",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776042944-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Remove public access from log group resource policies. Replace `Principal:\"*\"` and `Resource:\"*\"` with narrowly scoped principals and specific ARNs. Grant only necessary actions, apply conditions to constrain use, and enforce **least privilege** and **separation of duties** with regular policy reviews.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_not_publicly_accessible"
      ]
    },
    "risk_details": "Public access to log groups enables unauthorized reading of logs, revealing secrets and operational metadata, harming **confidentiality**. If broad actions are allowed, attackers can modify subscriptions or logs, undermining **integrity** and disrupting **availability** of audit evidence.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Log Group /aws/vpc/flow-logs/cfi-1776043129-vpc is not publicly accessible.",
    "metadata": {
      "event_code": "cloudwatch_log_group_not_publicly_accessible",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Log Group /aws/vpc/flow-logs/cfi-1776043129-vpc is not publicly accessible.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed",
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR01",
          "CCC.AuditLog.CN09.AR01",
          "CCC.Logging.CN04.AR01",
          "CCC.Monitor.CN04.AR01"
        ],
        "CSA-CCM-4.0": [
          "LOG-02",
          "LOG-04",
          "LOG-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.1",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "pi_1_4"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "PS-03.02B",
          "OPS-11.02AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-10.01B",
          "COS-02.01B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.7"
        ],
        "NIST-CSF-2.0": [
          "ds_5"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch Log Groups** with resource policies that grant access to any principal are identified. Statements using `Principal:\"*\"` or wildcard `Resource` that reference a log group ARN indicate that the log group is exposed through a public policy.",
      "title": "CloudWatch Log Group is not publicly accessible",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_not_publicly_accessible-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-1776043129-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043129-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-1776043129-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {},
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-1776043129-vpc",
        "type": "Other",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043129-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Remove public access from log group resource policies. Replace `Principal:\"*\"` and `Resource:\"*\"` with narrowly scoped principals and specific ARNs. Grant only necessary actions, apply conditions to constrain use, and enforce **least privilege** and **separation of duties** with regular policy reviews.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_not_publicly_accessible"
      ]
    },
    "risk_details": "Public access to log groups enables unauthorized reading of logs, revealing secrets and operational metadata, harming **confidentiality**. If broad actions are allowed, attackers can modify subscriptions or logs, undermining **integrity** and disrupting **availability** of audit evidence.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Log Group /aws/vpc/flow-logs/cfi-1776043305-vpc is not publicly accessible.",
    "metadata": {
      "event_code": "cloudwatch_log_group_not_publicly_accessible",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Log Group /aws/vpc/flow-logs/cfi-1776043305-vpc is not publicly accessible.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed",
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR01",
          "CCC.AuditLog.CN09.AR01",
          "CCC.Logging.CN04.AR01",
          "CCC.Monitor.CN04.AR01"
        ],
        "CSA-CCM-4.0": [
          "LOG-02",
          "LOG-04",
          "LOG-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.1",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "pi_1_4"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "PS-03.02B",
          "OPS-11.02AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-10.01B",
          "COS-02.01B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.7"
        ],
        "NIST-CSF-2.0": [
          "ds_5"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch Log Groups** with resource policies that grant access to any principal are identified. Statements using `Principal:\"*\"` or wildcard `Resource` that reference a log group ARN indicate that the log group is exposed through a public policy.",
      "title": "CloudWatch Log Group is not publicly accessible",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_not_publicly_accessible-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-1776043305-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043305-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-1776043305-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {
              "eni-0be862317c940d4fc-all": [
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 35940 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204096"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 44547 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204097"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 51535 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204098"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.231.139.74 58586 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204099"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 34842 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204100"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 43583 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204101"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 43526 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204102"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 36996 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204103"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 50070 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204104"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 49313 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204105"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 37582 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204106"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 54039 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204107"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.188.122 40674 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204108"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 55171 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204109"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 48652 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204110"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 36841 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204111"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 48428 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204112"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 38064 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204113"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 51608 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204114"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 37572 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204115"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 58714 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204116"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.216.215.50 57320 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204117"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 33475 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204118"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 38054 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204119"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 38591 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204120"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 46925 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204121"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 50341 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204122"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 45449 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204123"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 57824 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204124"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 58658 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204125"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 36848 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204126"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 53127 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204127"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 43610 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204128"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 49499 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204129"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 43177 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204130"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 47559 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204131"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.191.86 59198 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204132"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.216.39.98 43818 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204133"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 100.54.85.240 52496 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204134"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.199.218 36764 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204135"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 60571 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204136"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 43824 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204137"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.191.161 49206 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204138"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 41325 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204139"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 42961 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204140"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.252.124 52020 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204141"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 37274 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204142"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 33147 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204143"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 60979 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204144"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043897000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.220.37.77 50120 443 6 5 300 1776043897 1776043913 REJECT OK",
                  "ingestionTime": 1776043935931,
                  "eventId": "39607102408402366600278585016565793565449617484711854080"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043930000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.220.37.77 59004 443 6 5 300 1776043930 1776043946 REJECT OK",
                  "ingestionTime": 1776043968748,
                  "eventId": "39607103144326958151789148726918044984659392180918484992"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043964000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 44.216.200.77 52102 443 6 4 240 1776043964 1776043972 REJECT OK",
                  "ingestionTime": 1776043999709,
                  "eventId": "39607103902552294901830335576561959755515298757246779392"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043979000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 44.216.200.77 52102 443 6 1 60 1776043979 1776043980 REJECT OK",
                  "ingestionTime": 1776044030219,
                  "eventId": "39607104237063472879789682736482161463782426772697710592"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 54278 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206080"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 44.216.202.52 57624 443 6 5 300 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206081"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 39347 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206082"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 57660 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206083"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 48495 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206084"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 44506 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206085"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044042000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 44.216.202.52 58184 443 6 5 300 1776044042 1776044058 REJECT OK",
                  "ingestionTime": 1776044088420,
                  "eventId": "39607105642010420387218940723592890307452753646354432000"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044075000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.217.79.194 53486 443 6 5 300 1776044075 1776044091 REJECT OK",
                  "ingestionTime": 1776044118520,
                  "eventId": "39607106377935011938729504430660389555653583637859008512"
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-1776043305-vpc",
        "type": "Other",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043305-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Remove public access from log group resource policies. Replace `Principal:\"*\"` and `Resource:\"*\"` with narrowly scoped principals and specific ARNs. Grant only necessary actions, apply conditions to constrain use, and enforce **least privilege** and **separation of duties** with regular policy reviews.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_not_publicly_accessible"
      ]
    },
    "risk_details": "Public access to log groups enables unauthorized reading of logs, revealing secrets and operational metadata, harming **confidentiality**. If broad actions are allowed, attackers can modify subscriptions or logs, undermining **integrity** and disrupting **availability** of audit evidence.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Log Group /aws/vpc/flow-logs/cfi-1776044303-vpc is not publicly accessible.",
    "metadata": {
      "event_code": "cloudwatch_log_group_not_publicly_accessible",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Log Group /aws/vpc/flow-logs/cfi-1776044303-vpc is not publicly accessible.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed",
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR01",
          "CCC.AuditLog.CN09.AR01",
          "CCC.Logging.CN04.AR01",
          "CCC.Monitor.CN04.AR01"
        ],
        "CSA-CCM-4.0": [
          "LOG-02",
          "LOG-04",
          "LOG-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.1",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "pi_1_4"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "PS-03.02B",
          "OPS-11.02AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-10.01B",
          "COS-02.01B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.7"
        ],
        "NIST-CSF-2.0": [
          "ds_5"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch Log Groups** with resource policies that grant access to any principal are identified. Statements using `Principal:\"*\"` or wildcard `Resource` that reference a log group ARN indicate that the log group is exposed through a public policy.",
      "title": "CloudWatch Log Group is not publicly accessible",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_not_publicly_accessible-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-1776044303-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776044303-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-1776044303-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {},
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-1776044303-vpc",
        "type": "Other",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776044303-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Remove public access from log group resource policies. Replace `Principal:\"*\"` and `Resource:\"*\"` with narrowly scoped principals and specific ARNs. Grant only necessary actions, apply conditions to constrain use, and enforce **least privilege** and **separation of duties** with regular policy reviews.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_not_publicly_accessible"
      ]
    },
    "risk_details": "Public access to log groups enables unauthorized reading of logs, revealing secrets and operational metadata, harming **confidentiality**. If broad actions are allowed, attackers can modify subscriptions or logs, undermining **integrity** and disrupting **availability** of audit evidence.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Log Group /aws/vpc/flow-logs/cfi-20260413t013134z-vpc is not publicly accessible.",
    "metadata": {
      "event_code": "cloudwatch_log_group_not_publicly_accessible",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Log Group /aws/vpc/flow-logs/cfi-20260413t013134z-vpc is not publicly accessible.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed",
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.c"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR01",
          "CCC.AuditLog.CN09.AR01",
          "CCC.Logging.CN04.AR01",
          "CCC.Monitor.CN04.AR01"
        ],
        "CSA-CCM-4.0": [
          "LOG-02",
          "LOG-04",
          "LOG-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.1",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "pi_1_4"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "PS-03.02B",
          "OPS-11.02AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "IAM-10.01B",
          "COS-02.01B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.7"
        ],
        "NIST-CSF-2.0": [
          "ds_5"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch Log Groups** with resource policies that grant access to any principal are identified. Statements using `Principal:\"*\"` or wildcard `Resource` that reference a log group ARN indicate that the log group is exposed through a public policy.",
      "title": "CloudWatch Log Group is not publicly accessible",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_not_publicly_accessible-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-20260413t013134z-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-20260413t013134z-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-20260413t013134z-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {},
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-20260413t013134z-vpc",
        "type": "Other",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-20260413t013134z-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Remove public access from log group resource policies. Replace `Principal:\"*\"` and `Resource:\"*\"` with narrowly scoped principals and specific ARNs. Grant only necessary actions, apply conditions to constrain use, and enforce **least privilege** and **separation of duties** with regular policy reviews.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_not_publicly_accessible"
      ]
    },
    "risk_details": "Public access to log groups enables unauthorized reading of logs, revealing secrets and operational metadata, harming **confidentiality**. If broad actions are allowed, attackers can modify subscriptions or logs, undermining **integrity** and disrupting **availability** of audit evidence.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Log Group /aws/vpc/flow-logs/cfi-1776042944-vpc has less than 365 days retention period (7 days).",
    "metadata": {
      "event_code": "cloudwatch_log_group_retention_policy_specific_days_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Log Group /aws/vpc/flow-logs/cfi-1776042944-vpc has less than 365 days retention period (7 days).",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/cloudwatch-logs-retention-period.html",
        "https://boto3.amazonaws.com/v1/documentation/api/1.26.93/reference/services/logs/client/put_retention_policy.html",
        "https://medium.com/pareture/aws-cloudwatch-log-group-retention-periods-bb8a2fb9c358",
        "https://www.blinkops.com/blog/cloudwatch-retention",
        "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Logs.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "1.1.1.h",
          "3.2.3.c",
          "3.2.5",
          "4.2.2.f"
        ],
        "HIPAA": [
          "164_312_b"
        ],
        "FedRAMP-Low-Revision-4": [
          "au-11"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_16_b",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_10",
          "au_11",
          "au_11_1",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_21_b",
          "pm_31",
          "sc_28_2",
          "si_4_17",
          "si_12"
        ],
        "CCC-v2025.10": [
          "CCC.Logging.CN02.AR01",
          "CCC.Logging.CN02.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "10.1",
          "10.7",
          "10.7.b",
          "10.7.c"
        ],
        "CSA-CCM-4.0": [
          "DSP-16"
        ],
        "PCI-4.0": [
          "10.5.1.4",
          "3.2.1.3",
          "3.3.1.1.3",
          "3.3.1.3.3",
          "3.3.2.3",
          "3.3.3.3",
          "5.3.4.11"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.2.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP06"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_7_2",
          "cc_7_3",
          "cc_c_1_2"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-14.01B",
          "OPS-14.02B",
          "OPS-26.05B",
          "OPS-26.01AS",
          "PI-03.02B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.6"
        ],
        "NIST-800-53-Revision-4": [
          "au_11",
          "si_12"
        ],
        "FedRamp-Moderate-Revision-4": [
          "au-6-1-3",
          "au-11",
          "si-12"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-c",
          "11.10-e"
        ],
        "NIST-800-171-Revision-2": [
          "3_3_1",
          "3_6_1",
          "3_6_2"
        ],
        "ENS-RD2022": [
          "op.exp.8.r3.aws.cw.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch Log Groups** are assessed for a retention period at or above the configured threshold (e.g., `365` days) or for being set to **never expire**. Log groups with shorter retention are identified.",
      "title": "CloudWatch log group has a retention policy of at least the configured minimum days or never expires",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
        "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS",
        "Software and Configuration Checks/Industry and Regulatory Standards/SOC 2"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_retention_policy_specific_days_enabled-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-1776042944-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776042944-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-1776042944-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {},
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-1776042944-vpc",
        "type": "AwsLogsLogGroup",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776042944-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Define a minimum retention baseline (e.g., `>=365` days) aligned to legal and investigative needs. Apply it consistently with documented exceptions. Automate enforcement, monitor changes, and restrict who can modify retention under **least privilege** and **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_retention_policy_specific_days_enabled"
      ]
    },
    "risk_details": "Short log retention erodes audit evidence. Adversaries can wait out the window, creating gaps in detection, forensics, and compliance reporting. This degrades the **availability** of historical logs and the **integrity** of incident timelines.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Log Group /aws/vpc/flow-logs/cfi-1776043129-vpc has less than 365 days retention period (7 days).",
    "metadata": {
      "event_code": "cloudwatch_log_group_retention_policy_specific_days_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Log Group /aws/vpc/flow-logs/cfi-1776043129-vpc has less than 365 days retention period (7 days).",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/cloudwatch-logs-retention-period.html",
        "https://boto3.amazonaws.com/v1/documentation/api/1.26.93/reference/services/logs/client/put_retention_policy.html",
        "https://medium.com/pareture/aws-cloudwatch-log-group-retention-periods-bb8a2fb9c358",
        "https://www.blinkops.com/blog/cloudwatch-retention",
        "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Logs.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "1.1.1.h",
          "3.2.3.c",
          "3.2.5",
          "4.2.2.f"
        ],
        "HIPAA": [
          "164_312_b"
        ],
        "FedRAMP-Low-Revision-4": [
          "au-11"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_16_b",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_10",
          "au_11",
          "au_11_1",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_21_b",
          "pm_31",
          "sc_28_2",
          "si_4_17",
          "si_12"
        ],
        "CCC-v2025.10": [
          "CCC.Logging.CN02.AR01",
          "CCC.Logging.CN02.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "10.1",
          "10.7",
          "10.7.b",
          "10.7.c"
        ],
        "CSA-CCM-4.0": [
          "DSP-16"
        ],
        "PCI-4.0": [
          "10.5.1.4",
          "3.2.1.3",
          "3.3.1.1.3",
          "3.3.1.3.3",
          "3.3.2.3",
          "3.3.3.3",
          "5.3.4.11"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.2.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP06"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_7_2",
          "cc_7_3",
          "cc_c_1_2"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-14.01B",
          "OPS-14.02B",
          "OPS-26.05B",
          "OPS-26.01AS",
          "PI-03.02B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.6"
        ],
        "NIST-800-53-Revision-4": [
          "au_11",
          "si_12"
        ],
        "FedRamp-Moderate-Revision-4": [
          "au-6-1-3",
          "au-11",
          "si-12"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-c",
          "11.10-e"
        ],
        "NIST-800-171-Revision-2": [
          "3_3_1",
          "3_6_1",
          "3_6_2"
        ],
        "ENS-RD2022": [
          "op.exp.8.r3.aws.cw.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch Log Groups** are assessed for a retention period at or above the configured threshold (e.g., `365` days) or for being set to **never expire**. Log groups with shorter retention are identified.",
      "title": "CloudWatch log group has a retention policy of at least the configured minimum days or never expires",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
        "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS",
        "Software and Configuration Checks/Industry and Regulatory Standards/SOC 2"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_retention_policy_specific_days_enabled-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-1776043129-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043129-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-1776043129-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {},
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-1776043129-vpc",
        "type": "AwsLogsLogGroup",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043129-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Define a minimum retention baseline (e.g., `>=365` days) aligned to legal and investigative needs. Apply it consistently with documented exceptions. Automate enforcement, monitor changes, and restrict who can modify retention under **least privilege** and **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_retention_policy_specific_days_enabled"
      ]
    },
    "risk_details": "Short log retention erodes audit evidence. Adversaries can wait out the window, creating gaps in detection, forensics, and compliance reporting. This degrades the **availability** of historical logs and the **integrity** of incident timelines.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Log Group /aws/vpc/flow-logs/cfi-1776043305-vpc has less than 365 days retention period (7 days).",
    "metadata": {
      "event_code": "cloudwatch_log_group_retention_policy_specific_days_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Log Group /aws/vpc/flow-logs/cfi-1776043305-vpc has less than 365 days retention period (7 days).",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/cloudwatch-logs-retention-period.html",
        "https://boto3.amazonaws.com/v1/documentation/api/1.26.93/reference/services/logs/client/put_retention_policy.html",
        "https://medium.com/pareture/aws-cloudwatch-log-group-retention-periods-bb8a2fb9c358",
        "https://www.blinkops.com/blog/cloudwatch-retention",
        "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Logs.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "1.1.1.h",
          "3.2.3.c",
          "3.2.5",
          "4.2.2.f"
        ],
        "HIPAA": [
          "164_312_b"
        ],
        "FedRAMP-Low-Revision-4": [
          "au-11"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_16_b",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_10",
          "au_11",
          "au_11_1",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_21_b",
          "pm_31",
          "sc_28_2",
          "si_4_17",
          "si_12"
        ],
        "CCC-v2025.10": [
          "CCC.Logging.CN02.AR01",
          "CCC.Logging.CN02.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "10.1",
          "10.7",
          "10.7.b",
          "10.7.c"
        ],
        "CSA-CCM-4.0": [
          "DSP-16"
        ],
        "PCI-4.0": [
          "10.5.1.4",
          "3.2.1.3",
          "3.3.1.1.3",
          "3.3.1.3.3",
          "3.3.2.3",
          "3.3.3.3",
          "5.3.4.11"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.2.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP06"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_7_2",
          "cc_7_3",
          "cc_c_1_2"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-14.01B",
          "OPS-14.02B",
          "OPS-26.05B",
          "OPS-26.01AS",
          "PI-03.02B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.6"
        ],
        "NIST-800-53-Revision-4": [
          "au_11",
          "si_12"
        ],
        "FedRamp-Moderate-Revision-4": [
          "au-6-1-3",
          "au-11",
          "si-12"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-c",
          "11.10-e"
        ],
        "NIST-800-171-Revision-2": [
          "3_3_1",
          "3_6_1",
          "3_6_2"
        ],
        "ENS-RD2022": [
          "op.exp.8.r3.aws.cw.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch Log Groups** are assessed for a retention period at or above the configured threshold (e.g., `365` days) or for being set to **never expire**. Log groups with shorter retention are identified.",
      "title": "CloudWatch log group has a retention policy of at least the configured minimum days or never expires",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
        "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS",
        "Software and Configuration Checks/Industry and Regulatory Standards/SOC 2"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_retention_policy_specific_days_enabled-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-1776043305-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043305-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-1776043305-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {
              "eni-0be862317c940d4fc-all": [
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 35940 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204096"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 44547 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204097"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 51535 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204098"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.231.139.74 58586 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204099"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 34842 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204100"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 43583 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204101"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 43526 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204102"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 36996 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204103"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 50070 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204104"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 49313 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204105"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 37582 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204106"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 54039 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204107"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.188.122 40674 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204108"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 55171 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204109"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 48652 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204110"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 36841 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204111"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 48428 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204112"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 38064 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204113"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 51608 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204114"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 37572 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204115"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 58714 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204116"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.216.215.50 57320 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204117"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 33475 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204118"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 38054 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204119"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 38591 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204120"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 46925 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204121"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 50341 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204122"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 45449 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204123"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 57824 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204124"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 58658 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204125"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 36848 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204126"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 53127 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204127"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 43610 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204128"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 49499 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204129"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 43177 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204130"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 47559 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204131"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.191.86 59198 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204132"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.216.39.98 43818 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204133"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 100.54.85.240 52496 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204134"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.199.218 36764 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204135"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 60571 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204136"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 43824 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204137"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.191.161 49206 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204138"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 41325 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204139"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 42961 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204140"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 16.15.252.124 52020 443 6 5 300 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204141"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 37274 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204142"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 33147 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204143"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043865000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 60979 123 17 1 76 1776043865 1776043887 REJECT OK",
                  "ingestionTime": 1776043927886,
                  "eventId": "39607101694778520247298644477696821346828429194483204144"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043897000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.220.37.77 50120 443 6 5 300 1776043897 1776043913 REJECT OK",
                  "ingestionTime": 1776043935931,
                  "eventId": "39607102408402366600278585016565793565449617484711854080"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043930000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.220.37.77 59004 443 6 5 300 1776043930 1776043946 REJECT OK",
                  "ingestionTime": 1776043968748,
                  "eventId": "39607103144326958151789148726918044984659392180918484992"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043964000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 44.216.200.77 52102 443 6 4 240 1776043964 1776043972 REJECT OK",
                  "ingestionTime": 1776043999709,
                  "eventId": "39607103902552294901830335576561959755515298757246779392"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776043979000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 44.216.200.77 52102 443 6 1 60 1776043979 1776043980 REJECT OK",
                  "ingestionTime": 1776044030219,
                  "eventId": "39607104237063472879789682736482161463782426772697710592"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.218.199.213 54278 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206080"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 44.216.202.52 57624 443 6 5 300 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206081"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 54.81.127.33 39347 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206082"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.94.91.31 57660 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206083"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 52.207.222.50 48495 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206084"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044009000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 3.86.4.106 44506 123 17 1 76 1776044009 1776044027 REJECT OK",
                  "ingestionTime": 1776044057557,
                  "eventId": "39607104906085828835708377015602780030975212784396206085"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044042000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 44.216.202.52 58184 443 6 5 300 1776044042 1776044058 REJECT OK",
                  "ingestionTime": 1776044088420,
                  "eventId": "39607105642010420387218940723592890307452753646354432000"
                },
                {
                  "logStreamName": "eni-0be862317c940d4fc-all",
                  "timestamp": 1776044075000,
                  "message": "2 211203495394 eni-0be862317c940d4fc 10.20.1.141 13.217.79.194 53486 443 6 5 300 1776044075 1776044091 REJECT OK",
                  "ingestionTime": 1776044118520,
                  "eventId": "39607106377935011938729504430660389555653583637859008512"
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-1776043305-vpc",
        "type": "AwsLogsLogGroup",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043305-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Define a minimum retention baseline (e.g., `>=365` days) aligned to legal and investigative needs. Apply it consistently, with any exceptions documented. Automate enforcement, monitor changes, and restrict who can modify retention settings, following **least privilege** and **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_retention_policy_specific_days_enabled"
      ]
    },
    "risk_details": "Short log retention erodes audit evidence. Adversaries can wait out the window, creating gaps in detection, forensics, and compliance reporting. This degrades the **availability** of historical logs and the **integrity** of incident timelines.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Log Group /aws/vpc/flow-logs/cfi-1776044303-vpc has less than 365 days retention period (7 days).",
    "metadata": {
      "event_code": "cloudwatch_log_group_retention_policy_specific_days_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Log Group /aws/vpc/flow-logs/cfi-1776044303-vpc has less than 365 days retention period (7 days).",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/cloudwatch-logs-retention-period.html",
        "https://boto3.amazonaws.com/v1/documentation/api/1.26.93/reference/services/logs/client/put_retention_policy.html",
        "https://medium.com/pareture/aws-cloudwatch-log-group-retention-periods-bb8a2fb9c358",
        "https://www.blinkops.com/blog/cloudwatch-retention",
        "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Logs.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "1.1.1.h",
          "3.2.3.c",
          "3.2.5",
          "4.2.2.f"
        ],
        "HIPAA": [
          "164_312_b"
        ],
        "FedRAMP-Low-Revision-4": [
          "au-11"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_16_b",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_10",
          "au_11",
          "au_11_1",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_21_b",
          "pm_31",
          "sc_28_2",
          "si_4_17",
          "si_12"
        ],
        "CCC-v2025.10": [
          "CCC.Logging.CN02.AR01",
          "CCC.Logging.CN02.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "10.1",
          "10.7",
          "10.7.b",
          "10.7.c"
        ],
        "CSA-CCM-4.0": [
          "DSP-16"
        ],
        "PCI-4.0": [
          "10.5.1.4",
          "3.2.1.3",
          "3.3.1.1.3",
          "3.3.1.3.3",
          "3.3.2.3",
          "3.3.3.3",
          "5.3.4.11"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.2.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP06"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_7_2",
          "cc_7_3",
          "cc_c_1_2"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-14.01B",
          "OPS-14.02B",
          "OPS-26.05B",
          "OPS-26.01AS",
          "PI-03.02B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.6"
        ],
        "NIST-800-53-Revision-4": [
          "au_11",
          "si_12"
        ],
        "FedRamp-Moderate-Revision-4": [
          "au-6-1-3",
          "au-11",
          "si-12"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-c",
          "11.10-e"
        ],
        "NIST-800-171-Revision-2": [
          "3_3_1",
          "3_6_1",
          "3_6_2"
        ],
        "ENS-RD2022": [
          "op.exp.8.r3.aws.cw.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch Log Groups** are assessed for a retention period at or above the configured threshold (e.g., `365` days) or for being set to **never expire**. Log groups with shorter retention are identified.",
      "title": "CloudWatch log group has a retention policy of at least the configured minimum days or never expires",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
        "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS",
        "Software and Configuration Checks/Industry and Regulatory Standards/SOC 2"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_retention_policy_specific_days_enabled-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-1776044303-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776044303-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-1776044303-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {},
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-1776044303-vpc",
        "type": "AwsLogsLogGroup",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776044303-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Define a minimum retention baseline (e.g., `>=365` days) aligned to legal and investigative needs. Apply it consistently with documented exceptions. Automate enforcement, monitor changes, and restrict who can modify retention under **least privilege** and **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_retention_policy_specific_days_enabled"
      ]
    },
    "risk_details": "Short log retention erodes audit evidence. Adversaries can wait out the window, creating gaps in detection, forensics, and compliance reporting. This degrades the **availability** of historical logs and the **integrity** of incident timelines.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Log Group /aws/vpc/flow-logs/cfi-20260413t013134z-vpc has less than 365 days retention period (7 days).",
    "metadata": {
      "event_code": "cloudwatch_log_group_retention_policy_specific_days_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Log Group /aws/vpc/flow-logs/cfi-20260413t013134z-vpc has less than 365 days retention period (7 days).",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/cloudwatch-logs-retention-period.html",
        "https://boto3.amazonaws.com/v1/documentation/api/1.26.93/reference/services/logs/client/put_retention_policy.html",
        "https://medium.com/pareture/aws-cloudwatch-log-group-retention-periods-bb8a2fb9c358",
        "https://www.blinkops.com/blog/cloudwatch-retention",
        "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Logs.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "1.1.1.h",
          "3.2.3.c",
          "3.2.5",
          "4.2.2.f"
        ],
        "HIPAA": [
          "164_312_b"
        ],
        "FedRAMP-Low-Revision-4": [
          "au-11"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-mla",
          "ksi-mla-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_16_b",
          "au_6_3",
          "au_6_4",
          "au_6_6",
          "au_6_9",
          "au_10",
          "au_11",
          "au_11_1",
          "au_12_1",
          "au_12_2",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_21_b",
          "pm_31",
          "sc_28_2",
          "si_4_17",
          "si_12"
        ],
        "CCC-v2025.10": [
          "CCC.Logging.CN02.AR01",
          "CCC.Logging.CN02.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "PCI-3.2.1": [
          "10.1",
          "10.7",
          "10.7.b",
          "10.7.c"
        ],
        "CSA-CCM-4.0": [
          "DSP-16"
        ],
        "PCI-4.0": [
          "10.5.1.4",
          "3.2.1.3",
          "3.3.1.1.3",
          "3.3.1.3.3",
          "3.3.2.3",
          "3.3.3.3",
          "5.3.4.11"
        ],
        "FFIEC": [
          "d2-ma-ma-b-1"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.2.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP06"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.4",
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_7_2",
          "cc_7_3",
          "cc_c_1_2"
        ],
        "C5-2025": [
          "AM-01.01AC",
          "OPS-11.02AC",
          "OPS-14.01B",
          "OPS-14.02B",
          "OPS-26.05B",
          "OPS-26.01AS",
          "PI-03.02B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.6"
        ],
        "NIST-800-53-Revision-4": [
          "au_11",
          "si_12"
        ],
        "FedRamp-Moderate-Revision-4": [
          "au-6-1-3",
          "au-11",
          "si-12"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-c",
          "11.10-e"
        ],
        "NIST-800-171-Revision-2": [
          "3_3_1",
          "3_6_1",
          "3_6_2"
        ],
        "ENS-RD2022": [
          "op.exp.8.r3.aws.cw.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch Log Groups** are assessed for a retention period at or above the configured threshold (e.g., `365` days) or for being set to **never expire**. Log groups with shorter retention are identified.",
      "title": "CloudWatch log group has a retention policy of at least the configured minimum days or never expires",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
        "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS",
        "Software and Configuration Checks/Industry and Regulatory Standards/SOC 2"
      ],
      "uid": "prowler-aws-cloudwatch_log_group_retention_policy_specific_days_enabled-211203495394-us-east-1-/aws/vpc/flow-logs/cfi-20260413t013134z-vpc"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-20260413t013134z-vpc:*",
            "name": "/aws/vpc/flow-logs/cfi-20260413t013134z-vpc",
            "retention_days": 7,
            "never_expire": false,
            "kms_id": null,
            "region": "us-east-1",
            "log_streams": {},
            "tags": []
          }
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "/aws/vpc/flow-logs/cfi-20260413t013134z-vpc",
        "type": "AwsLogsLogGroup",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-20260413t013134z-vpc:*"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Define a minimum retention baseline (e.g., `>=365` days) aligned to legal and investigative needs. Apply it consistently with documented exceptions. Automate enforcement, monitor changes, and restrict who can modify retention under **least privilege** and **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_group_retention_policy_specific_days_enabled"
      ]
    },
    "risk_details": "Short log retention erodes audit evidence. Adversaries can wait out the window, creating gaps in detection, forensics, and compliance reporting. This degrades the **availability** of historical logs and the **integrity** of incident timelines.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudWatch log groups found with metric filters or alarms associated.",
    "metadata": {
      "event_code": "cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudWatch log groups found with metric filters or alarms associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html"
      ],
      "notes": "Logging and Monitoring",
      "compliance": {
        "NIS2": [
          "2.2.3",
          "3.2.3.c",
          "3.2.3.f",
          "3.2.3.g",
          "3.5.4",
          "7.2.b"
        ],
        "CIS-6.0": [
          "5.9"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "CIS-2.0": [
          "4.9"
        ],
        "CSA-CCM-4.0": [
          "CCC-07"
        ],
        "GDPR": [
          "article_25"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.10"
        ],
        "CIS-4.0.1": [
          "4.9"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.9"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_5_2"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "OIS-04.01AC",
          "OIS-04.02AC",
          "HR-03.02AC",
          "AM-01.01AC",
          "AM-09.03AC",
          "OPS-11.02AC",
          "OPS-13.03AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-26.06B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.9"
        ],
        "CIS-1.4": [
          "4.9"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "ra_5",
          "sc_4"
        ],
        "CIS-5.0": [
          "4.9"
        ],
        "CIS-1.5": [
          "4.9"
        ],
        "NIST-CSF-2.0": [
          "ov_3",
          "ra_5",
          "ip_8",
          "pt_1",
          "ae_1",
          "ae_2",
          "ae_3",
          "cm_1",
          "cm_7",
          "dp_4"
        ],
        "MITRE-ATTACK": [
          "T1496"
        ],
        "ISO27001-2013": [
          "A.12.4.F"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "CloudTrail logs in **CloudWatch Logs** are inspected for a metric filter and alarm that track **AWS Config configuration changes**, specifically `StopConfigurationRecorder`, `DeleteDeliveryChannel`, `PutDeliveryChannel`, and `PutConfigurationRecorder` events from `config.amazonaws.com`.",
      "title": "CloudWatch Logs metric filter and alarm exist for AWS Config configuration changes",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "TTPs/Defense Evasion"
      ],
      "uid": "prowler-aws-cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudWatchAlarm",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Create a **CloudWatch Logs metric filter and alarm** for `config.amazonaws.com` events (`StopConfigurationRecorder`, `DeleteDeliveryChannel`, `PutDeliveryChannel`, `PutConfigurationRecorder`). Route CloudTrail to Logs, notify responders, and enforce **least privilege** and **separation of duties** on Config changes to prevent abuse.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled"
      ]
    },
    "risk_details": "Without alerting on **AWS Config changes**, actions like `StopConfigurationRecorder` or `DeleteDeliveryChannel` can silently suspend recording and delivery.\n\nThis degrades the **integrity** and **availability** of configuration audit data, enabling undetected changes and delaying incident response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudWatch log groups found with metric filters or alarms associated.",
    "metadata": {
      "event_code": "cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudWatch log groups found with metric filters or alarms associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html"
      ],
      "notes": "Logging and Monitoring",
      "compliance": {
        "NIS2": [
          "2.2.3",
          "3.2.3.c",
          "3.2.3.f",
          "3.2.3.g",
          "3.2.4",
          "3.5.4",
          "7.2.b"
        ],
        "CIS-6.0": [
          "5.5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN09.AR02",
          "CCC.Core.CN09.AR03",
          "CCC.Core.CN04.AR01",
          "CCC.AuditLog.CN03.AR01",
          "CCC.Logging.CN07.AR01",
          "CCC.LB.CN04.AR01"
        ],
        "CIS-2.0": [
          "4.5"
        ],
        "CSA-CCM-4.0": [
          "CCC-07"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-data-2"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.6"
        ],
        "CIS-4.0.1": [
          "4.5"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.5"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_5_2"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "OIS-04.01AC",
          "OIS-04.02AC",
          "HR-03.02AC",
          "AM-01.01AC",
          "AM-09.03AC",
          "OPS-11.02AC",
          "OPS-13.03AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-26.06B",
          "SIM-03.07B",
          "COM-04.01AC",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.9"
        ],
        "CIS-1.4": [
          "4.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "ra_5",
          "sc_4"
        ],
        "CIS-5.0": [
          "4.5"
        ],
        "CIS-1.5": [
          "4.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Critical alert on cloudtrail settings changes"
        ],
        "NIST-CSF-2.0": [
          "ov_3",
          "ra_5",
          "ip_8",
          "pt_1",
          "ae_1",
          "ae_2",
          "ae_3",
          "cm_1",
          "cm_3",
          "cm_7",
          "dp_4"
        ],
        "ENS-RD2022": [
          "op.exp.8.aws.ct.2",
          "op.exp.8.r1.aws.ct.2",
          "op.exp.8.r1.aws.ct.3"
        ],
        "MITRE-ATTACK": [
          "T1496"
        ],
        "ISO27001-2013": [
          "A.12.4.J"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail logs** include a **metric filter** for trail configuration events (`CreateTrail`, `UpdateTrail`, `DeleteTrail`, `StartLogging`, `StopLogging`) with an associated **CloudWatch alarm** to alert on matches.\n\nEvaluates the presence of this filter-and-alarm monitoring.",
      "title": "CloudWatch Logs metric filter and alarm exist for CloudTrail configuration changes",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "Software and Configuration Checks/AWS Security Best Practices",
        "TTPs/Defense Evasion"
      ],
      "uid": "prowler-aws-cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudWatchAlarm",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Implement a **metric filter** for trail configuration events and a linked **alarm** that notifies response channels.\n\nApply **least privilege** and **separation of duties** for trail changes, add **defense in depth** with centralized logging and validation, and regularly test that alerts fire.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled"
      ]
    },
    "risk_details": "Absent this monitoring, logging can be stopped or altered without notice, eroding visibility.\n\nThat enables covert activity and data exfiltration without audit evidence, harming confidentiality, the integrity of records, and the availability of reliable logs for detection and forensics.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudWatch log groups found with metric filters or alarms associated.",
    "metadata": {
      "event_code": "cloudwatch_log_metric_filter_authentication_failures",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudWatch log groups found with metric filters or alarms associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
        "https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-signin-failures",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/console-sign-in-failures-alarm.html",
        "https://newsletter.simpleaws.dev/p/cloudtrail-cloudwatch-logs-login-detection-alert"
      ],
      "notes": "Logging and Monitoring",
      "compliance": {
        "NIS2": [
          "3.2.3.c",
          "3.2.3.d",
          "3.2.3.g",
          "3.5.4",
          "7.2.b"
        ],
        "HIPAA": [
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii"
        ],
        "CIS-6.0": [
          "5.6"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.IAM.CN10.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CIS-2.0": [
          "4.6"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "LOG-05"
        ],
        "GDPR": [
          "article_25"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.7"
        ],
        "CIS-4.0.1": [
          "4.6"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-04.01AC",
          "OIS-04.02AC",
          "HR-03.02AC",
          "AM-01.01AC",
          "AM-09.03AC",
          "OPS-11.02AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-26.06B",
          "IAM-03.01AC",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.9"
        ],
        "CIS-1.4": [
          "4.6"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "ra_5",
          "sc_4"
        ],
        "CIS-5.0": [
          "4.6"
        ],
        "CIS-1.5": [
          "4.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Alert on rise of ConsoleLoginFailures events"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ip_7",
          "ip_8",
          "pt_1",
          "ae_2",
          "cm_1",
          "cm_3",
          "cm_7",
          "dp_4"
        ],
        "ENS-RD2022": [
          "op.exp.8.aws.ct.5"
        ],
        "MITRE-ATTACK": [
          "T1496"
        ],
        "ISO27001-2013": [
          "A.12.4.I"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "CloudWatch Logs metric filter and alarm for **AWS Management Console authentication failures**, sourced from CloudTrail (`eventName=ConsoleLogin`, `errorMessage=\"Failed authentication\"`).\n\nIdentifies whether these failures are converted into a metric and actively monitored by an alarm.",
      "title": "Account has a CloudWatch Logs metric filter and alarm for AWS Management Console authentication failures",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "TTPs/Initial Access",
        "TTPs/Credential Access"
      ],
      "uid": "prowler-aws-cloudwatch_log_metric_filter_authentication_failures-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudWatchAlarm",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Implement a log metric filter for `ConsoleLogin` failures and attach a **CloudWatch alarm** with actionable notifications. Tune thresholds to reduce noise and route alerts to incident response.\n\nApply **least privilege** and enforce **MFA** to limit impact, and correlate alerts with source IP and user context.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_metric_filter_authentication_failures"
      ]
    },
    "risk_details": "Absent visibility into failed console logins enables undetected **brute-force** and **credential-stuffing** attempts, extending attacker dwell time.\n\nSuccessful guesses can grant console access, risking data confidentiality, configuration integrity, and availability through destructive changes.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudWatch log groups found with metric filters or alarms associated.",
    "metadata": {
      "event_code": "cloudwatch_log_metric_filter_aws_organizations_changes",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudWatch log groups found with metric filters or alarms associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
        "https://support.icompaas.com/support/solutions/articles/62000228348-ensure-a-log-metric-filter-and-alarm-exist-for-aws-organizations-changes",
        "https://www.plerion.com/cloud-knowledge-base/ensure-aws-organizations-changes-are-monitored",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/organizations-changes-alarm.html"
      ],
      "notes": "Logging and Monitoring",
      "compliance": {
        "NIS2": [
          "2.2.3",
          "3.2.2",
          "3.2.3.b",
          "3.2.3.c",
          "3.2.3.f",
          "3.2.3.g",
          "3.5.4",
          "7.2.b",
          "11.5.2.d"
        ],
        "CIS-6.0": [
          "5.15"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt"
        ],
        "CIS-2.0": [
          "4.15"
        ],
        "CSA-CCM-4.0": [
          "CCC-04",
          "CCC-07",
          "LOG-05"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.16"
        ],
        "CIS-4.0.1": [
          "4.15"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.15"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_5_2"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "OIS-04.01AC",
          "OIS-04.02AC",
          "HR-03.02AC",
          "AM-01.01AC",
          "AM-09.03AC",
          "OPS-11.02AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-26.06B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.9"
        ],
        "CIS-1.4": [
          "4.15"
        ],
        "CIS-5.0": [
          "4.15"
        ],
        "CIS-1.5": [
          "4.15"
        ],
        "NIST-CSF-2.0": [
          "ae_3",
          "cm_7"
        ],
        "MITRE-ATTACK": [
          "T1496"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch Logs** metric filters and alarms monitor **AWS Organizations** change events recorded by CloudTrail, including actions like `CreateAccount`, `AttachPolicy`, `MoveAccount`, and `UpdateOrganizationalUnit`.\n\nThe evaluation looks for a filter on the trail log group matching `organizations.amazonaws.com` events and an alarm linked to that metric.",
      "title": "CloudWatch Logs metric filter and alarm exist for AWS Organizations changes",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-cloudwatch_log_metric_filter_aws_organizations_changes-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudWatchAlarm",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Send CloudTrail events to **CloudWatch Logs**, add a metric filter for `organizations.amazonaws.com` change events, and attach an alarm that notifies responders. Enforce **least privilege** and **separation of duties** for org admins, require MFA and approvals, and regularly test alerts to ensure timely detection and response.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_metric_filter_aws_organizations_changes"
      ]
    },
    "risk_details": "Without alerting on **AWS Organizations changes**, attackers or misconfigurations can silently alter governance, enabling unauthorized access and policy bypass. They could create/remove accounts, change or detach SCPs, or delete the organization, risking data exposure (confidentiality), privilege escalation (integrity), and service disruption (availability).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudWatch log groups found with metric filters or alarms associated.",
    "metadata": {
      "event_code": "cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudWatch log groups found with metric filters or alarms associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-creating-cloudwatch-alarm.html"
      ],
      "notes": "Logging and Monitoring",
      "compliance": {
        "NIS2": [
          "3.2.3.c",
          "3.2.3.g",
          "3.5.4",
          "7.2.b"
        ],
        "CIS-6.0": [
          "5.7"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.KeyMgmt.CN01.AR01"
        ],
        "CIS-2.0": [
          "4.7"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "LOG-05"
        ],
        "GDPR": [
          "article_25"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.8"
        ],
        "CIS-4.0.1": [
          "4.7"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.7"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-04.02AC",
          "OIS-08.02B",
          "HR-03.02AC",
          "AM-01.01AC",
          "AM-07.02B",
          "AM-09.03AC",
          "OPS-11.02AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-26.06B",
          "CRY-05.02B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.9"
        ],
        "CIS-1.4": [
          "4.7"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "ra_5",
          "sc_4"
        ],
        "CIS-5.0": [
          "4.7"
        ],
        "CIS-1.5": [
          "4.7"
        ],
        "NIST-CSF-2.0": [
          "ae_2",
          "cm_7"
        ],
        "ENS-RD2022": [
          "op.exp.10.aws.cmk.4",
          "op.exp.10.aws.cmk.5"
        ],
        "MITRE-ATTACK": [
          "T1485",
          "T1496"
        ],
        "ISO27001-2013": [
          "A.10.1.C",
          "A.12.4.H"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "CloudTrail events delivered to CloudWatch are evaluated for a **metric filter and alarm** that monitor **KMS CMK state changes**, specifically `DisableKey` and `ScheduleKeyDeletion` from `kms.amazonaws.com`.",
      "title": "Account has a CloudWatch log metric filter and alarm for disabling or scheduled deletion of customer-managed KMS keys",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "Software and Configuration Checks/AWS Security Best Practices",
        "Effects/Denial of Service"
      ],
      "uid": "prowler-aws-cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudWatchAlarm",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Establish **CloudWatch metric filters and alarms** for `DisableKey` and `ScheduleKeyDeletion` CloudTrail events to enable rapid response.\n- Apply **least privilege** to KMS administration\n- Enforce **change control** and separation of duties\n- Use deletion waiting periods and monitor all regions",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk"
      ]
    },
    "risk_details": "Missing alerts on **CMK disablement or scheduled deletion** undermines **availability** and **integrity**: encrypted data may become undecryptable, backups unusable, and recovery impossible. Attackers or insiders can change key states unnoticed, causing outages and irreversible data loss.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudWatch log groups found with metric filters or alarms associated.",
    "metadata": {
      "event_code": "cloudwatch_log_metric_filter_for_s3_bucket_policy_changes",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudWatch log groups found with metric filters or alarms associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
        "https://support.icompaas.com/support/solutions/articles/62000086674-ensure-a-log-metric-filter-and-alarm-exist-for-s3-bucket-policy-changes",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v5.0.0_L1.audit:8101350d6907e07863ac6748689b3e12"
      ],
      "notes": "Logging and Monitoring",
      "compliance": {
        "NIS2": [
          "2.2.3",
          "3.2.3.b",
          "3.2.3.c",
          "3.2.3.f",
          "3.2.3.g",
          "3.5.4",
          "7.2.b"
        ],
        "CIS-6.0": [
          "5.8"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.AuditLog.CN03.AR02"
        ],
        "CIS-2.0": [
          "4.8"
        ],
        "CSA-CCM-4.0": [
          "LOG-05"
        ],
        "GDPR": [
          "article_25"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.9"
        ],
        "CIS-4.0.1": [
          "4.8"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.8"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_5_2"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "OIS-04.01AC",
          "OIS-04.02AC",
          "HR-03.02AC",
          "AM-01.01AC",
          "AM-09.03AC",
          "OPS-11.02AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-26.06B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.9"
        ],
        "CIS-1.4": [
          "4.8"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "ra_5",
          "sc_4"
        ],
        "CIS-5.0": [
          "4.8"
        ],
        "CIS-1.5": [
          "4.8"
        ],
        "NIST-CSF-2.0": [
          "pt_1",
          "ae_1",
          "ae_2",
          "cm_7"
        ],
        "MITRE-ATTACK": [
          "T1496"
        ],
        "ISO27001-2013": [
          "A.12.4.G"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail** logs are assessed for a **CloudWatch metric filter** matching S3 bucket configuration changes (ACL, policy, CORS, lifecycle, replication; e.g., `PutBucketPolicy`, `DeleteBucketPolicy`) and for an associated **CloudWatch alarm**.",
      "title": "CloudWatch log metric filter and alarm exist for S3 bucket policy changes",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis"
      ],
      "uid": "prowler-aws-cloudwatch_log_metric_filter_for_s3_bucket_policy_changes-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudWatchAlarm",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Establish and maintain **metric filters** and **alarms** for S3 bucket policy, ACL, CORS, lifecycle, and replication changes. Route alerts to monitored channels and integrate with SIEM. Enforce **least privilege**, require change reviews, and use **defense in depth** to prevent and quickly detect unsafe bucket policy changes.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes"
      ]
    },
    "risk_details": "Without alerting on S3 policy and ACL changes, unauthorized modifications can go unnoticed, weakening **confidentiality** and **integrity**. Misuse could expose buckets publicly, grant write/delete access, or alter replication paths, enabling data exfiltration and destructive actions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudWatch log groups found with metric filters or alarms associated.",
    "metadata": {
      "event_code": "cloudwatch_log_metric_filter_policy_changes",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudWatch log groups found with metric filters or alarms associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
        "https://www.clouddefense.ai/compliance-rules/cis-v140/monitoring/cis-v140-4-4",
        "https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-iam-policy-change"
      ],
      "notes": "Logging and Monitoring",
      "compliance": {
        "NIS2": [
          "2.2.3",
          "3.2.2",
          "3.2.3.b",
          "3.2.3.c",
          "3.2.3.f",
          "3.2.3.g",
          "3.5.4",
          "7.2.b",
          "11.5.2.d"
        ],
        "CIS-6.0": [
          "5.4"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "8.1",
          "8.1.2"
        ],
        "CIS-2.0": [
          "4.4"
        ],
        "CSA-CCM-4.0": [
          "LOG-05"
        ],
        "GDPR": [
          "article_25"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.5"
        ],
        "CIS-4.0.1": [
          "4.4"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.4"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_5_2",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "OIS-04.01AC",
          "OIS-04.02AC",
          "HR-03.02AC",
          "AM-01.01AC",
          "AM-09.03AC",
          "OPS-11.02AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-26.06B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.9"
        ],
        "CIS-1.4": [
          "4.4"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "ra_5",
          "sc_4"
        ],
        "CIS-5.0": [
          "4.4"
        ],
        "CIS-1.5": [
          "4.4"
        ],
        "NIST-CSF-2.0": [
          "ov_3",
          "ae_2",
          "cm_7"
        ],
        "ENS-RD2022": [
          "op.exp.8.aws.ct.5"
        ],
        "MITRE-ATTACK": [
          "T1496"
        ],
        "ISO27001-2013": [
          "A.12.4.K"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "CloudWatch uses a metric filter and alarm to track **IAM policy changes** recorded by CloudTrail (e.g., `CreatePolicy`, `DeletePolicy`, version changes, inline policy edits, policy attach/detach). This finding reflects whether that filter and an associated alarm are present on the trail's log group.",
      "title": "CloudWatch Logs metric filter and alarm exist for IAM policy changes",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-cloudwatch_log_metric_filter_policy_changes-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudWatchAlarm",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Create a metric filter for IAM policy create/update/delete and attach/detach events with an **alarm** to notify responders.\n- Enforce **least privilege** and separation of duties for policy changes\n- Require approvals and central logging across Regions/accounts\n- Integrate alerts with incident response",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_metric_filter_policy_changes"
      ]
    },
    "risk_details": "Absent alerting on **IAM policy changes**, privilege modifications can go unnoticed, enabling **privilege escalation**, hidden backdoors, or permission revocations. This threatens **confidentiality** and **integrity**, and may impact **availability** if critical access is removed or misconfigured.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudWatch log groups found with metric filters or alarms associated.",
    "metadata": {
      "event_code": "cloudwatch_log_metric_filter_root_usage",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudWatch log groups found with metric filters or alarms associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/root-account-usage-alarm.html",
        "https://asecure.cloud/a/root_account_login/",
        "https://support.icompaas.com/support/solutions/articles/62000083624-ensure-a-log-metric-filter-and-alarm-exist-for-usage-of-root-account",
        "https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-root-account-usage",
        "https://aws.amazon.com/blogs/security/how-to-receive-notifications-when-your-aws-accounts-root-access-keys-are-used/",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L1.audit:000adfb028a1475075a6b5d2117f53f4"
      ],
      "notes": "Logging and Monitoring",
      "compliance": {
        "NIS2": [
          "2.3.1",
          "3.2.1",
          "3.2.2",
          "3.2.3.c",
          "3.2.3.e",
          "3.2.3.g",
          "3.5.4",
          "7.2.b",
          "9.2.c.vii"
        ],
        "HIPAA": [
          "164_308_a_6_i",
          "164_308_a_6_ii"
        ],
        "CIS-6.0": [
          "5.3"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "7.2",
          "7.2.1"
        ],
        "CIS-2.0": [
          "4.3"
        ],
        "CSA-CCM-4.0": [
          "LOG-03",
          "LOG-05"
        ],
        "GDPR": [
          "article_25"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.4"
        ],
        "CIS-4.0.1": [
          "4.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-04.01AC",
          "OIS-04.02AC",
          "HR-03.02AC",
          "AM-01.01AC",
          "AM-09.03AC",
          "OPS-11.02AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-26.06B",
          "IAM-03.01B",
          "IAM-03.03B",
          "IAM-06.04B",
          "IAM-06.05B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.9"
        ],
        "CIS-1.4": [
          "4.3"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "ra_5",
          "sc_4"
        ],
        "CIS-5.0": [
          "4.3"
        ],
        "CIS-1.5": [
          "4.3"
        ],
        "AWS-Account-Security-Onboarding": [
          "Critical alert on every root user activity"
        ],
        "NIST-CSF-2.0": [
          "ip_8",
          "ae_2",
          "cm_7",
          "dp_4"
        ],
        "ENS-RD2022": [
          "op.exp.8.aws.ct.5",
          "op.exp.8.aws.cw.1"
        ],
        "MITRE-ATTACK": [
          "T1496"
        ],
        "ISO27001-2013": [
          "A.12.4.L"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail** logs in CloudWatch are evaluated for a metric filter for **root account activity** (`{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }`) and a linked CloudWatch alarm that triggers when the filter matches.",
      "title": "Account has a CloudWatch Logs metric filter and alarm for root account usage",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/AWS Security Best Practices",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-cloudwatch_log_metric_filter_root_usage-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudWatchAlarm",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enable real-time alerts for **root activity** using a log metric filter and a high-priority alarm with notifications.\n\nReduce exposure: enforce **least privilege**, keep root for *break-glass* with MFA, disable root access keys, and route alerts into incident response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_metric_filter_root_usage"
      ]
    },
    "risk_details": "Without alerting on **root activity**, full-privilege actions can proceed unnoticed, impacting:\n- confidentiality via data access/exfiltration\n- integrity via policy/config tampering\n- availability via deletions or shutdowns\nDelayed detection increases blast radius and persistence.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudWatch log groups found with metric filters or alarms associated.",
    "metadata": {
      "event_code": "cloudwatch_log_metric_filter_security_group_changes",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudWatch log groups found with metric filters or alarms associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
        "https://support.icompaas.com/support/solutions/articles/62000084030-ensure-a-log-metric-filter-and-alarm-exist-for-security-group-changes",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html",
        "https://asecure.cloud/a/cwalarm_securitygroup_changes/"
      ],
      "notes": "Logging and Monitoring",
      "compliance": {
        "NIS2": [
          "2.2.3",
          "3.2.2",
          "3.2.3.b",
          "3.2.3.c",
          "3.2.3.f",
          "3.2.3.g",
          "3.5.4",
          "11.5.2.d"
        ],
        "CIS-6.0": [
          "5.10"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "CIS-2.0": [
          "4.10"
        ],
        "CSA-CCM-4.0": [
          "LOG-05"
        ],
        "GDPR": [
          "article_25"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.11"
        ],
        "CIS-4.0.1": [
          "4.10"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.10"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_5_2"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "OIS-04.01AC",
          "OIS-04.02AC",
          "HR-03.02AC",
          "AM-01.01AC",
          "AM-09.03AC",
          "OPS-11.02AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-26.06B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.9"
        ],
        "CIS-1.4": [
          "4.10"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "ra_5",
          "sc_4"
        ],
        "CIS-5.0": [
          "4.10"
        ],
        "CIS-1.5": [
          "4.10"
        ],
        "NIST-CSF-2.0": [
          "ov_3",
          "ip_8",
          "ae_1",
          "ae_2",
          "cm_7",
          "dp_4"
        ],
        "MITRE-ATTACK": [
          "T1496"
        ],
        "ISO27001-2013": [
          "A.12.4.E"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail** events for **security group configuration changes** are monitored using a **CloudWatch Logs metric filter** with an associated **alarm**. The filter targets actions like `AuthorizeSecurityGroupIngress/Egress`, `RevokeSecurityGroupIngress/Egress`, `CreateSecurityGroup`, and `DeleteSecurityGroup` to surface any security group modifications.",
      "title": "CloudWatch Logs metric filter and alarm exist for security group changes",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis"
      ],
      "uid": "prowler-aws-cloudwatch_log_metric_filter_security_group_changes-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudWatchAlarm",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Establish real-time alerts for **security group modifications** by sending CloudTrail to CloudWatch, creating metric filters and alarms, and notifying responders.\n- Enforce **least privilege** on SG changes\n- Use change management and tagging\n- Centralize logs, test alarms, and maintain runbooks\n- Layer with NACLs and WAF for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_metric_filter_security_group_changes"
      ]
    },
    "risk_details": "Without alerting on **security group changes**, unauthorized or mistaken rules can expose services to the Internet, enabling brute force and lateral movement (**confidentiality, integrity**). Deletions or restrictive edits can break connectivity (**availability**). Delayed detection increases attacker dwell time and impact.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudWatch log groups found with metric filters or alarms associated.",
    "metadata": {
      "event_code": "cloudwatch_log_metric_filter_sign_in_without_mfa",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudWatch log groups found with metric filters or alarms associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/console-sign-in-without-mfa.html",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v3.0.0_L1.audit:1957056ee174cc38502d5f5f1864333b",
        "https://www.clouddefense.ai/compliance-rules/gdpr/data-protection/log-metric-filter-console-login-mfa",
        "https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-no-mfa",
        "https://support.icompaas.com/support/solutions/articles/62000083605-ensure-a-log-metric-filter-and-alarm-exist-for-management-console-sign-in-without-mfa"
      ],
      "notes": "Logging and Monitoring",
      "compliance": {
        "NIS2": [
          "3.2.3.c",
          "3.2.3.d",
          "3.2.3.g",
          "3.5.4",
          "9.2.c.vii",
          "11.7.2"
        ],
        "CIS-6.0": [
          "5.2"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "CIS-2.0": [
          "4.2"
        ],
        "CSA-CCM-4.0": [
          "LOG-03",
          "LOG-05"
        ],
        "GDPR": [
          "article_25"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.3"
        ],
        "CIS-4.0.1": [
          "4.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "C5-2025": [
          "OIS-04.01AC",
          "OIS-04.02AC",
          "HR-03.02AC",
          "AM-01.01AC",
          "AM-09.03AC",
          "OPS-11.02AC",
          "OPS-16.01B",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-26.06B",
          "IAM-03.01AC",
          "IAM-09.02B",
          "IAM-09.01AC",
          "PSS-04.01B",
          "PSS-05.01B",
          "PSS-07.02B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.9"
        ],
        "CIS-1.4": [
          "4.2"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "ra_5",
          "sc_4"
        ],
        "CIS-5.0": [
          "4.2"
        ],
        "CIS-1.5": [
          "4.2"
        ],
        "ENS-RD2022": [
          "op.exp.8.aws.ct.5"
        ],
        "MITRE-ATTACK": [
          "T1496"
        ],
        "ISO27001-2013": [
          "A.12.4.M"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudTrail logs** in CloudWatch are assessed for a metric filter and alarm that detect console logins where `$.eventName = ConsoleLogin` and `$.additionalEventData.MFAUsed != \\\"Yes\\\"`.\n\nThis reflects whether alerting exists for sign-ins that occur without **MFA**.",
      "title": "CloudWatch log metric filter and alarm exist for Management Console sign-in without MFA",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access",
        "Unusual Behaviors/User"
      ],
      "uid": "prowler-aws-cloudwatch_log_metric_filter_sign_in_without_mfa-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudWatchAlarm",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enforce **MFA** for all console-capable identities and maintain alerts for `ConsoleLogin` with `MFAUsed != \\\"Yes\\\"`.\n\nApply **least privilege**, route alarms to monitored channels, and tune for SSO to reduce noise. Test alarms regularly and review coverage as part of **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_metric_filter_sign_in_without_mfa"
      ]
    },
    "risk_details": "Without alerting on non-MFA console logins, successful use of stolen passwords can go **undetected**, enabling:\n- Unauthorized console access and IAM changes\n- Data exfiltration or deletion\n\nImpacts: loss of **confidentiality** and **integrity**, and potential **availability** disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No CloudWatch log groups found with metric filters or alarms associated.",
    "metadata": {
      "event_code": "cloudwatch_log_metric_filter_unauthorized_api_calls",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No CloudWatch log groups found with metric filters or alarms associated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
        "https://asecure.cloud/a/unauthorized_api_calls/",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchLogs/authorization-failures-alarm.html",
        "https://www.tenable.com/policies/[type]/AC_AWS_0559",
        "https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-unauthorized-api-calls",
        "https://support.icompaas.com/support/solutions/articles/62000083561-ensure-a-log-metric-filter-and-alarm-exist-for-unauthorized-api-calls"
      ],
      "notes": "Logging and Monitoring",
      "compliance": {
        "NIS2": [
          "3.2.3.c",
          "3.2.3.g",
          "3.2.4",
          "3.4.2.c",
          "3.5.4"
        ],
        "CIS-6.0": [
          "5.1"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01",
          "CCC.IAM.CN10.AR01",
          "CCC.IAM.CN10.AR02"
        ],
        "CIS-2.0": [
          "4.1"
        ],
        "CSA-CCM-4.0": [
          "LOG-03",
          "LOG-05"
        ],
        "GDPR": [
          "article_25"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.2"
        ],
        "CIS-4.0.1": [
          "4.1"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-04.01AC",
          "OIS-04.02AC",
          "HR-03.02AC",
          "AM-01.01AC",
          "AM-09.03AC",
          "OPS-11.02AC",
          "OPS-26.05B",
          "OPS-26.01AS",
          "OPS-26.06B",
          "IAM-06.05B",
          "PSS-04.01B"
        ],
        "ISO27001-2022": [
          "A.8.15",
          "A.8.16"
        ],
        "SecNumCloud-3.2": [
          "12.9"
        ],
        "CIS-1.4": [
          "4.1"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "ra_5",
          "sc_4"
        ],
        "CIS-5.0": [
          "4.1"
        ],
        "CIS-1.5": [
          "4.1"
        ],
        "NIST-CSF-2.0": [
          "ov_3",
          "ra_5",
          "ip_7",
          "ip_8",
          "pt_1",
          "ae_1",
          "ae_2",
          "cm_1",
          "cm_3",
          "cm_7",
          "dp_4"
        ],
        "ENS-RD2022": [
          "op.exp.8.aws.ct.5"
        ],
        "MITRE-ATTACK": [
          "T1496"
        ],
        "ISO27001-2013": [
          "A.12.4.N"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**CloudWatch Logs** for CloudTrail include a metric filter that matches unauthorized API errors (`$.errorCode=\"*UnauthorizedOperation\"` or `$.errorCode=\"AccessDenied*\"`) and a linked alarm that triggers when events match the filter.",
      "title": "CloudWatch Logs metric filter and alarm exist for unauthorized API calls",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-cloudwatch_log_metric_filter_unauthorized_api_calls-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "cloudwatch"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsCloudWatchAlarm",
        "uid": "arn:aws:logs:us-east-1:211203495394:log-group"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enable real-time **alerting** by adding a CloudWatch Logs metric filter for unauthorized errors (`*UnauthorizedOperation`, `AccessDenied*`) and associating it with an alarm that notifies responders.\n- Enforce **least privilege** to reduce noise\n- Integrate with IR tooling for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/cloudwatch_log_metric_filter_unauthorized_api_calls"
      ]
    },
    "risk_details": "Without alerting on **unauthorized API calls**, permission probing and failed access by compromised identities can go unnoticed. Attackers can enumerate services, pivot, and attempt privilege escalation, threatening data **confidentiality** and **integrity**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Config recorder 211203495394 is disabled.",
    "metadata": {
      "event_code": "config_recorder_all_regions_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Config recorder 211203495394 is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/es/questions/QUGcgeerhcTamRkwgdwh_tLQ/enable-aws-config",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit:6a5136528bd329139e5969f8f1e5ffbc",
        "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a"
        ],
        "CIS-6.0": [
          "4.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy",
          "ksi-mla-07"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "2.4",
          "2.4.a",
          "10.5",
          "10.5.2",
          "11.5",
          "11.5.a",
          "11.5.b"
        ],
        "GxP-EU-Annex-11": [
          "10-change-and-configuration-management",
          "4.5-validation-development-quality",
          "4.6-validation-quality-performance"
        ],
        "CIS-2.0": [
          "3.5"
        ],
        "CSA-CCM-4.0": [
          "A&A-04",
          "CCC-07",
          "DCS-06",
          "DSP-03"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.1"
        ],
        "CIS-4.0.1": [
          "3.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02"
        ],
        "CIS-3.0": [
          "3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_3_1",
          "cc_3_4",
          "cc_8_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "DEV-08.02B"
        ],
        "ISO27001-2022": [
          "A.5.16",
          "A.5.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Config.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.2",
          "13.1",
          "14.2",
          "17.5",
          "18.3"
        ],
        "CIS-1.4": [
          "3.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "am_1",
          "ra_5",
          "sc_4",
          "ip_12"
        ],
        "CIS-5.0": [
          "3.3"
        ],
        "CIS-1.5": [
          "3.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable continuous recording for most of the resources",
          "Confirm that records are present in central aggregator"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3",
          "pt_1"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.cfg.1",
          "op.exp.1.aws.cfg.2",
          "op.exp.3.aws.cfg.1",
          "op.exp.3.r3.aws.cfg.1",
          "op.mon.3.r2.aws.cfg.1",
          "op.mon.3.r6.aws.cfg.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1204",
          "T1098",
          "T1136",
          "T1525",
          "T1562",
          "T1110",
          "T1040",
          "T1119",
          "T1530",
          "T1485",
          "T1486",
          "T1491",
          "T1499",
          "T1496",
          "T1498"
        ],
        "ISO27001-2013": [
          "A.12.4.P"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS accounts** have **AWS Config recorders** active and healthy in each Region. It identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.",
      "title": "AWS Config recorder is enabled and not in failure state or disabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-config_recorder_all_regions_enabled-211203495394-ap-northeast-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "211203495394",
            "role_arn": "",
            "recording": null,
            "last_status": null,
            "region": "ap-northeast-1"
          }
        },
        "group": {
          "name": "config"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:config:ap-northeast-1:211203495394:recorder"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-1"
    },
    "remediation": {
      "desc": "Enable **AWS Config** in every Region with continuous recording and maintain healthy recorder status.",
      "references": [
        "https://hub.prowler.com/check/config_recorder_all_regions_enabled"
      ]
    },
    "risk_details": "**Gaps in Config recording** create **blind spots**. Changes in unmonitored Regions aren't captured, weakening **integrity** and **auditability**. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying **incident response**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Config recorder 211203495394 is disabled.",
    "metadata": {
      "event_code": "config_recorder_all_regions_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Config recorder 211203495394 is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/es/questions/QUGcgeerhcTamRkwgdwh_tLQ/enable-aws-config",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit:6a5136528bd329139e5969f8f1e5ffbc",
        "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a"
        ],
        "CIS-6.0": [
          "4.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy",
          "ksi-mla-07"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "2.4",
          "2.4.a",
          "10.5",
          "10.5.2",
          "11.5",
          "11.5.a",
          "11.5.b"
        ],
        "GxP-EU-Annex-11": [
          "10-change-and-configuration-management",
          "4.5-validation-development-quality",
          "4.6-validation-quality-performance"
        ],
        "CIS-2.0": [
          "3.5"
        ],
        "CSA-CCM-4.0": [
          "A&A-04",
          "CCC-07",
          "DCS-06",
          "DSP-03"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.1"
        ],
        "CIS-4.0.1": [
          "3.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02"
        ],
        "CIS-3.0": [
          "3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_3_1",
          "cc_3_4",
          "cc_8_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "DEV-08.02B"
        ],
        "ISO27001-2022": [
          "A.5.16",
          "A.5.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Config.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.2",
          "13.1",
          "14.2",
          "17.5",
          "18.3"
        ],
        "CIS-1.4": [
          "3.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "am_1",
          "ra_5",
          "sc_4",
          "ip_12"
        ],
        "CIS-5.0": [
          "3.3"
        ],
        "CIS-1.5": [
          "3.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable continuous recording for most of the resources",
          "Confirm that records are present in central aggregator"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3",
          "pt_1"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.cfg.1",
          "op.exp.1.aws.cfg.2",
          "op.exp.3.aws.cfg.1",
          "op.exp.3.r3.aws.cfg.1",
          "op.mon.3.r2.aws.cfg.1",
          "op.mon.3.r6.aws.cfg.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1204",
          "T1098",
          "T1136",
          "T1525",
          "T1562",
          "T1110",
          "T1040",
          "T1119",
          "T1530",
          "T1485",
          "T1486",
          "T1491",
          "T1499",
          "T1496",
          "T1498"
        ],
        "ISO27001-2013": [
          "A.12.4.P"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS accounts** have **AWS Config recorders** active and healthy in each Region. It identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.",
      "title": "AWS Config recorder is enabled and not in failure state or disabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-config_recorder_all_regions_enabled-211203495394-ap-northeast-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-2",
        "data": {
          "details": "",
          "metadata": {
            "name": "211203495394",
            "role_arn": "",
            "recording": null,
            "last_status": null,
            "region": "ap-northeast-2"
          }
        },
        "group": {
          "name": "config"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:config:ap-northeast-2:211203495394:recorder"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-2"
    },
    "remediation": {
      "desc": "Enable **AWS Config** in every Region with continuous recording and maintain healthy recorder status.",
      "references": [
        "https://hub.prowler.com/check/config_recorder_all_regions_enabled"
      ]
    },
    "risk_details": "**Gaps in Config recording** create **blind spots**. Changes in unmonitored Regions aren't captured, weakening **integrity** and **auditability**. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying **incident response**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Config recorder 211203495394 is disabled.",
    "metadata": {
      "event_code": "config_recorder_all_regions_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Config recorder 211203495394 is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/es/questions/QUGcgeerhcTamRkwgdwh_tLQ/enable-aws-config",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit:6a5136528bd329139e5969f8f1e5ffbc",
        "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a"
        ],
        "CIS-6.0": [
          "4.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy",
          "ksi-mla-07"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "2.4",
          "2.4.a",
          "10.5",
          "10.5.2",
          "11.5",
          "11.5.a",
          "11.5.b"
        ],
        "GxP-EU-Annex-11": [
          "10-change-and-configuration-management",
          "4.5-validation-development-quality",
          "4.6-validation-quality-performance"
        ],
        "CIS-2.0": [
          "3.5"
        ],
        "CSA-CCM-4.0": [
          "A&A-04",
          "CCC-07",
          "DCS-06",
          "DSP-03"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.1"
        ],
        "CIS-4.0.1": [
          "3.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02"
        ],
        "CIS-3.0": [
          "3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_3_1",
          "cc_3_4",
          "cc_8_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "DEV-08.02B"
        ],
        "ISO27001-2022": [
          "A.5.16",
          "A.5.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Config.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.2",
          "13.1",
          "14.2",
          "17.5",
          "18.3"
        ],
        "CIS-1.4": [
          "3.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "am_1",
          "ra_5",
          "sc_4",
          "ip_12"
        ],
        "CIS-5.0": [
          "3.3"
        ],
        "CIS-1.5": [
          "3.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable continuous recording for most of the resources",
          "Confirm that records are present in central aggregator"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3",
          "pt_1"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.cfg.1",
          "op.exp.1.aws.cfg.2",
          "op.exp.3.aws.cfg.1",
          "op.exp.3.r3.aws.cfg.1",
          "op.mon.3.r2.aws.cfg.1",
          "op.mon.3.r6.aws.cfg.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1204",
          "T1098",
          "T1136",
          "T1525",
          "T1562",
          "T1110",
          "T1040",
          "T1119",
          "T1530",
          "T1485",
          "T1486",
          "T1491",
          "T1499",
          "T1496",
          "T1498"
        ],
        "ISO27001-2013": [
          "A.12.4.P"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Checks that **AWS accounts** have **AWS Config recorders** active and healthy in each Region. The check identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.",
      "title": "AWS Config recorder is enabled and not in failure state or disabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-config_recorder_all_regions_enabled-211203495394-ap-northeast-3-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-3",
        "data": {
          "details": "",
          "metadata": {
            "name": "211203495394",
            "role_arn": "",
            "recording": null,
            "last_status": null,
            "region": "ap-northeast-3"
          }
        },
        "group": {
          "name": "config"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:config:ap-northeast-3:211203495394:recorder"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-3"
    },
    "remediation": {
      "desc": "Enable **AWS Config** in every Region with continuous recording and maintain healthy recorder status.",
      "references": [
        "https://hub.prowler.com/check/config_recorder_all_regions_enabled"
      ]
    },
    "risk_details": "**Gaps in Config recording** create **blind spots**. Changes in unmonitored Regions aren't captured, weakening **integrity** and **auditability**. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying **incident response**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Config recorder 211203495394 is disabled.",
    "metadata": {
      "event_code": "config_recorder_all_regions_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Config recorder 211203495394 is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/es/questions/QUGcgeerhcTamRkwgdwh_tLQ/enable-aws-config",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit:6a5136528bd329139e5969f8f1e5ffbc",
        "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a"
        ],
        "CIS-6.0": [
          "4.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy",
          "ksi-mla-07"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "2.4",
          "2.4.a",
          "10.5",
          "10.5.2",
          "11.5",
          "11.5.a",
          "11.5.b"
        ],
        "GxP-EU-Annex-11": [
          "10-change-and-configuration-management",
          "4.5-validation-development-quality",
          "4.6-validation-quality-performance"
        ],
        "CIS-2.0": [
          "3.5"
        ],
        "CSA-CCM-4.0": [
          "A&A-04",
          "CCC-07",
          "DCS-06",
          "DSP-03"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.1"
        ],
        "CIS-4.0.1": [
          "3.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02"
        ],
        "CIS-3.0": [
          "3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_3_1",
          "cc_3_4",
          "cc_8_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "DEV-08.02B"
        ],
        "ISO27001-2022": [
          "A.5.16",
          "A.5.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Config.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.2",
          "13.1",
          "14.2",
          "17.5",
          "18.3"
        ],
        "CIS-1.4": [
          "3.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "am_1",
          "ra_5",
          "sc_4",
          "ip_12"
        ],
        "CIS-5.0": [
          "3.3"
        ],
        "CIS-1.5": [
          "3.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable continuous recording for most of the resources",
          "Confirm that records are present in central aggregator"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3",
          "pt_1"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.cfg.1",
          "op.exp.1.aws.cfg.2",
          "op.exp.3.aws.cfg.1",
          "op.exp.3.r3.aws.cfg.1",
          "op.mon.3.r2.aws.cfg.1",
          "op.mon.3.r6.aws.cfg.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1204",
          "T1098",
          "T1136",
          "T1525",
          "T1562",
          "T1110",
          "T1040",
          "T1119",
          "T1530",
          "T1485",
          "T1486",
          "T1491",
          "T1499",
          "T1496",
          "T1498"
        ],
        "ISO27001-2013": [
          "A.12.4.P"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Checks that **AWS accounts** have **AWS Config recorders** active and healthy in each Region. The check identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.",
      "title": "AWS Config recorder is enabled and not in failure state or disabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-config_recorder_all_regions_enabled-211203495394-ap-south-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-south-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "211203495394",
            "role_arn": "",
            "recording": null,
            "last_status": null,
            "region": "ap-south-1"
          }
        },
        "group": {
          "name": "config"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:config:ap-south-1:211203495394:recorder"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-south-1"
    },
    "remediation": {
      "desc": "Enable **AWS Config** in every Region with continuous recording and maintain healthy recorder status.",
      "references": [
        "https://hub.prowler.com/check/config_recorder_all_regions_enabled"
      ]
    },
    "risk_details": "**Gaps in Config recording** create **blind spots**. Changes in unmonitored Regions aren't captured, weakening **integrity** and **auditability**. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying **incident response**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Config recorder 211203495394 is disabled.",
    "metadata": {
      "event_code": "config_recorder_all_regions_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Config recorder 211203495394 is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/es/questions/QUGcgeerhcTamRkwgdwh_tLQ/enable-aws-config",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit:6a5136528bd329139e5969f8f1e5ffbc",
        "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a"
        ],
        "CIS-6.0": [
          "4.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy",
          "ksi-mla-07"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "2.4",
          "2.4.a",
          "10.5",
          "10.5.2",
          "11.5",
          "11.5.a",
          "11.5.b"
        ],
        "GxP-EU-Annex-11": [
          "10-change-and-configuration-management",
          "4.5-validation-development-quality",
          "4.6-validation-quality-performance"
        ],
        "CIS-2.0": [
          "3.5"
        ],
        "CSA-CCM-4.0": [
          "A&A-04",
          "CCC-07",
          "DCS-06",
          "DSP-03"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.1"
        ],
        "CIS-4.0.1": [
          "3.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02"
        ],
        "CIS-3.0": [
          "3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_3_1",
          "cc_3_4",
          "cc_8_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "DEV-08.02B"
        ],
        "ISO27001-2022": [
          "A.5.16",
          "A.5.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Config.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.2",
          "13.1",
          "14.2",
          "17.5",
          "18.3"
        ],
        "CIS-1.4": [
          "3.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "am_1",
          "ra_5",
          "sc_4",
          "ip_12"
        ],
        "CIS-5.0": [
          "3.3"
        ],
        "CIS-1.5": [
          "3.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable continuous recording for most of the resources",
          "Confirm that records are present in central aggregator"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3",
          "pt_1"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.cfg.1",
          "op.exp.1.aws.cfg.2",
          "op.exp.3.aws.cfg.1",
          "op.exp.3.r3.aws.cfg.1",
          "op.mon.3.r2.aws.cfg.1",
          "op.mon.3.r6.aws.cfg.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1204",
          "T1098",
          "T1136",
          "T1525",
          "T1562",
          "T1110",
          "T1040",
          "T1119",
          "T1530",
          "T1485",
          "T1486",
          "T1491",
          "T1499",
          "T1496",
          "T1498"
        ],
        "ISO27001-2013": [
          "A.12.4.P"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Checks that **AWS accounts** have **AWS Config recorders** active and healthy in each Region. The check identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.",
      "title": "AWS Config recorder is enabled and not in failure state or disabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-config_recorder_all_regions_enabled-211203495394-ap-southeast-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "211203495394",
            "role_arn": "",
            "recording": null,
            "last_status": null,
            "region": "ap-southeast-1"
          }
        },
        "group": {
          "name": "config"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:config:ap-southeast-1:211203495394:recorder"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-1"
    },
    "remediation": {
      "desc": "Enable **AWS Config** in every Region with continuous recording and maintain healthy recorder status.",
      "references": [
        "https://hub.prowler.com/check/config_recorder_all_regions_enabled"
      ]
    },
    "risk_details": "**Gaps in Config recording** create **blind spots**. Changes in unmonitored Regions aren't captured, weakening **integrity** and **auditability**. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying **incident response**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Config recorder 211203495394 is disabled.",
    "metadata": {
      "event_code": "config_recorder_all_regions_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Config recorder 211203495394 is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/es/questions/QUGcgeerhcTamRkwgdwh_tLQ/enable-aws-config",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit:6a5136528bd329139e5969f8f1e5ffbc",
        "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a"
        ],
        "CIS-6.0": [
          "4.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy",
          "ksi-mla-07"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "2.4",
          "2.4.a",
          "10.5",
          "10.5.2",
          "11.5",
          "11.5.a",
          "11.5.b"
        ],
        "GxP-EU-Annex-11": [
          "10-change-and-configuration-management",
          "4.5-validation-development-quality",
          "4.6-validation-quality-performance"
        ],
        "CIS-2.0": [
          "3.5"
        ],
        "CSA-CCM-4.0": [
          "A&A-04",
          "CCC-07",
          "DCS-06",
          "DSP-03"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.1"
        ],
        "CIS-4.0.1": [
          "3.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02"
        ],
        "CIS-3.0": [
          "3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_3_1",
          "cc_3_4",
          "cc_8_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "DEV-08.02B"
        ],
        "ISO27001-2022": [
          "A.5.16",
          "A.5.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Config.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.2",
          "13.1",
          "14.2",
          "17.5",
          "18.3"
        ],
        "CIS-1.4": [
          "3.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "am_1",
          "ra_5",
          "sc_4",
          "ip_12"
        ],
        "CIS-5.0": [
          "3.3"
        ],
        "CIS-1.5": [
          "3.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable continuous recording for most of the resources",
          "Confirm that records are present in central aggregator"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3",
          "pt_1"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.cfg.1",
          "op.exp.1.aws.cfg.2",
          "op.exp.3.aws.cfg.1",
          "op.exp.3.r3.aws.cfg.1",
          "op.mon.3.r2.aws.cfg.1",
          "op.mon.3.r6.aws.cfg.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1204",
          "T1098",
          "T1136",
          "T1525",
          "T1562",
          "T1110",
          "T1040",
          "T1119",
          "T1530",
          "T1485",
          "T1486",
          "T1491",
          "T1499",
          "T1496",
          "T1498"
        ],
        "ISO27001-2013": [
          "A.12.4.P"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Checks that **AWS accounts** have **AWS Config recorders** active and healthy in each Region. The check identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.",
      "title": "AWS Config recorder is enabled and not in failure state or disabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-config_recorder_all_regions_enabled-211203495394-ap-southeast-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-2",
        "data": {
          "details": "",
          "metadata": {
            "name": "211203495394",
            "role_arn": "",
            "recording": null,
            "last_status": null,
            "region": "ap-southeast-2"
          }
        },
        "group": {
          "name": "config"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:config:ap-southeast-2:211203495394:recorder"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-2"
    },
    "remediation": {
      "desc": "Enable **AWS Config** in every Region with continuous recording and maintain healthy recorder status.",
      "references": [
        "https://hub.prowler.com/check/config_recorder_all_regions_enabled"
      ]
    },
    "risk_details": "**Gaps in Config recording** create **blind spots**. Changes in unmonitored Regions aren't captured, weakening **integrity** and **auditability**. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying **incident response**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Config recorder 211203495394 is disabled.",
    "metadata": {
      "event_code": "config_recorder_all_regions_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Config recorder 211203495394 is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/es/questions/QUGcgeerhcTamRkwgdwh_tLQ/enable-aws-config",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit:6a5136528bd329139e5969f8f1e5ffbc",
        "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a"
        ],
        "CIS-6.0": [
          "4.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy",
          "ksi-mla-07"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "2.4",
          "2.4.a",
          "10.5",
          "10.5.2",
          "11.5",
          "11.5.a",
          "11.5.b"
        ],
        "GxP-EU-Annex-11": [
          "10-change-and-configuration-management",
          "4.5-validation-development-quality",
          "4.6-validation-quality-performance"
        ],
        "CIS-2.0": [
          "3.5"
        ],
        "CSA-CCM-4.0": [
          "A&A-04",
          "CCC-07",
          "DCS-06",
          "DSP-03"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.1"
        ],
        "CIS-4.0.1": [
          "3.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02"
        ],
        "CIS-3.0": [
          "3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_3_1",
          "cc_3_4",
          "cc_8_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "DEV-08.02B"
        ],
        "ISO27001-2022": [
          "A.5.16",
          "A.5.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Config.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.2",
          "13.1",
          "14.2",
          "17.5",
          "18.3"
        ],
        "CIS-1.4": [
          "3.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "am_1",
          "ra_5",
          "sc_4",
          "ip_12"
        ],
        "CIS-5.0": [
          "3.3"
        ],
        "CIS-1.5": [
          "3.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable continuous recording for most of the resources",
          "Confirm that records are present in central aggregator"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3",
          "pt_1"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.cfg.1",
          "op.exp.1.aws.cfg.2",
          "op.exp.3.aws.cfg.1",
          "op.exp.3.r3.aws.cfg.1",
          "op.mon.3.r2.aws.cfg.1",
          "op.mon.3.r6.aws.cfg.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1204",
          "T1098",
          "T1136",
          "T1525",
          "T1562",
          "T1110",
          "T1040",
          "T1119",
          "T1530",
          "T1485",
          "T1486",
          "T1491",
          "T1499",
          "T1496",
          "T1498"
        ],
        "ISO27001-2013": [
          "A.12.4.P"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS accounts** have **AWS Config recorders** active and healthy in each Region. The check identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.",
      "title": "AWS Config recorder is enabled and not in failure state or disabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-config_recorder_all_regions_enabled-211203495394-ca-central-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ca-central-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "211203495394",
            "role_arn": "",
            "recording": null,
            "last_status": null,
            "region": "ca-central-1"
          }
        },
        "group": {
          "name": "config"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:config:ca-central-1:211203495394:recorder"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ca-central-1"
    },
    "remediation": {
      "desc": "Enable **AWS Config** in every Region with continuous recording and maintain healthy recorder status.",
      "references": [
        "https://hub.prowler.com/check/config_recorder_all_regions_enabled"
      ]
    },
    "risk_details": "**Gaps in Config recording** create **blind spots**. Changes in unmonitored Regions aren't captured, weakening **integrity** and **auditability**. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying **incident response**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Config recorder 211203495394 is disabled.",
    "metadata": {
      "event_code": "config_recorder_all_regions_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Config recorder 211203495394 is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/es/questions/QUGcgeerhcTamRkwgdwh_tLQ/enable-aws-config",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit:6a5136528bd329139e5969f8f1e5ffbc",
        "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a"
        ],
        "CIS-6.0": [
          "4.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy",
          "ksi-mla-07"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "2.4",
          "2.4.a",
          "10.5",
          "10.5.2",
          "11.5",
          "11.5.a",
          "11.5.b"
        ],
        "GxP-EU-Annex-11": [
          "10-change-and-configuration-management",
          "4.5-validation-development-quality",
          "4.6-validation-quality-performance"
        ],
        "CIS-2.0": [
          "3.5"
        ],
        "CSA-CCM-4.0": [
          "A&A-04",
          "CCC-07",
          "DCS-06",
          "DSP-03"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.1"
        ],
        "CIS-4.0.1": [
          "3.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02"
        ],
        "CIS-3.0": [
          "3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_3_1",
          "cc_3_4",
          "cc_8_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "DEV-08.02B"
        ],
        "ISO27001-2022": [
          "A.5.16",
          "A.5.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Config.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.2",
          "13.1",
          "14.2",
          "17.5",
          "18.3"
        ],
        "CIS-1.4": [
          "3.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "am_1",
          "ra_5",
          "sc_4",
          "ip_12"
        ],
        "CIS-5.0": [
          "3.3"
        ],
        "CIS-1.5": [
          "3.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable continuous recording for most of the resources",
          "Confirm that records are present in central aggregator"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3",
          "pt_1"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.cfg.1",
          "op.exp.1.aws.cfg.2",
          "op.exp.3.aws.cfg.1",
          "op.exp.3.r3.aws.cfg.1",
          "op.mon.3.r2.aws.cfg.1",
          "op.mon.3.r6.aws.cfg.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1204",
          "T1098",
          "T1136",
          "T1525",
          "T1562",
          "T1110",
          "T1040",
          "T1119",
          "T1530",
          "T1485",
          "T1486",
          "T1491",
          "T1499",
          "T1496",
          "T1498"
        ],
        "ISO27001-2013": [
          "A.12.4.P"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS accounts** have **AWS Config recorders** active and healthy in each Region. The check identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.",
      "title": "AWS Config recorder is enabled and not in failure state or disabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-config_recorder_all_regions_enabled-211203495394-eu-central-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-central-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "211203495394",
            "role_arn": "",
            "recording": null,
            "last_status": null,
            "region": "eu-central-1"
          }
        },
        "group": {
          "name": "config"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:config:eu-central-1:211203495394:recorder"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-central-1"
    },
    "remediation": {
      "desc": "Enable **AWS Config** in every Region with continuous recording and maintain healthy recorder status.",
      "references": [
        "https://hub.prowler.com/check/config_recorder_all_regions_enabled"
      ]
    },
    "risk_details": "**Gaps in Config recording** create **blind spots**. Changes in unmonitored Regions aren't captured, weakening **integrity** and **auditability**. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying **incident response**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Config recorder 211203495394 is disabled.",
    "metadata": {
      "event_code": "config_recorder_all_regions_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Config recorder 211203495394 is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/es/questions/QUGcgeerhcTamRkwgdwh_tLQ/enable-aws-config",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit:6a5136528bd329139e5969f8f1e5ffbc",
        "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a"
        ],
        "CIS-6.0": [
          "4.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy",
          "ksi-mla-07"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "2.4",
          "2.4.a",
          "10.5",
          "10.5.2",
          "11.5",
          "11.5.a",
          "11.5.b"
        ],
        "GxP-EU-Annex-11": [
          "10-change-and-configuration-management",
          "4.5-validation-development-quality",
          "4.6-validation-quality-performance"
        ],
        "CIS-2.0": [
          "3.5"
        ],
        "CSA-CCM-4.0": [
          "A&A-04",
          "CCC-07",
          "DCS-06",
          "DSP-03"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.1"
        ],
        "CIS-4.0.1": [
          "3.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02"
        ],
        "CIS-3.0": [
          "3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_3_1",
          "cc_3_4",
          "cc_8_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "DEV-08.02B"
        ],
        "ISO27001-2022": [
          "A.5.16",
          "A.5.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Config.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.2",
          "13.1",
          "14.2",
          "17.5",
          "18.3"
        ],
        "CIS-1.4": [
          "3.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "am_1",
          "ra_5",
          "sc_4",
          "ip_12"
        ],
        "CIS-5.0": [
          "3.3"
        ],
        "CIS-1.5": [
          "3.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable continuous recording for most of the resources",
          "Confirm that records are present in central aggregator"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3",
          "pt_1"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.cfg.1",
          "op.exp.1.aws.cfg.2",
          "op.exp.3.aws.cfg.1",
          "op.exp.3.r3.aws.cfg.1",
          "op.mon.3.r2.aws.cfg.1",
          "op.mon.3.r6.aws.cfg.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1204",
          "T1098",
          "T1136",
          "T1525",
          "T1562",
          "T1110",
          "T1040",
          "T1119",
          "T1530",
          "T1485",
          "T1486",
          "T1491",
          "T1499",
          "T1496",
          "T1498"
        ],
        "ISO27001-2013": [
          "A.12.4.P"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS accounts** have **AWS Config recorders** active and healthy in each Region. The check identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.",
      "title": "AWS Config recorder is enabled and not in failure state or disabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-config_recorder_all_regions_enabled-211203495394-eu-north-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-north-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "211203495394",
            "role_arn": "",
            "recording": null,
            "last_status": null,
            "region": "eu-north-1"
          }
        },
        "group": {
          "name": "config"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:config:eu-north-1:211203495394:recorder"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-north-1"
    },
    "remediation": {
      "desc": "Enable **AWS Config** in every Region with continuous recording and maintain healthy recorder status.",
      "references": [
        "https://hub.prowler.com/check/config_recorder_all_regions_enabled"
      ]
    },
    "risk_details": "**Gaps in Config recording** create **blind spots**. Changes in unmonitored Regions aren't captured, weakening **integrity** and **auditability**. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying **incident response**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Config recorder 211203495394 is disabled.",
    "metadata": {
      "event_code": "config_recorder_all_regions_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Config recorder 211203495394 is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/es/questions/QUGcgeerhcTamRkwgdwh_tLQ/enable-aws-config",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit:6a5136528bd329139e5969f8f1e5ffbc",
        "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a"
        ],
        "CIS-6.0": [
          "4.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy",
          "ksi-mla-07"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "2.4",
          "2.4.a",
          "10.5",
          "10.5.2",
          "11.5",
          "11.5.a",
          "11.5.b"
        ],
        "GxP-EU-Annex-11": [
          "10-change-and-configuration-management",
          "4.5-validation-development-quality",
          "4.6-validation-quality-performance"
        ],
        "CIS-2.0": [
          "3.5"
        ],
        "CSA-CCM-4.0": [
          "A&A-04",
          "CCC-07",
          "DCS-06",
          "DSP-03"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.1"
        ],
        "CIS-4.0.1": [
          "3.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02"
        ],
        "CIS-3.0": [
          "3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_3_1",
          "cc_3_4",
          "cc_8_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "DEV-08.02B"
        ],
        "ISO27001-2022": [
          "A.5.16",
          "A.5.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Config.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.2",
          "13.1",
          "14.2",
          "17.5",
          "18.3"
        ],
        "CIS-1.4": [
          "3.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "am_1",
          "ra_5",
          "sc_4",
          "ip_12"
        ],
        "CIS-5.0": [
          "3.3"
        ],
        "CIS-1.5": [
          "3.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable continuous recording for most of the resources",
          "Confirm that records are present in central aggregator"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3",
          "pt_1"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.cfg.1",
          "op.exp.1.aws.cfg.2",
          "op.exp.3.aws.cfg.1",
          "op.exp.3.r3.aws.cfg.1",
          "op.mon.3.r2.aws.cfg.1",
          "op.mon.3.r6.aws.cfg.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1204",
          "T1098",
          "T1136",
          "T1525",
          "T1562",
          "T1110",
          "T1040",
          "T1119",
          "T1530",
          "T1485",
          "T1486",
          "T1491",
          "T1499",
          "T1496",
          "T1498"
        ],
        "ISO27001-2013": [
          "A.12.4.P"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS accounts** have **AWS Config recorders** active and healthy in each Region. The check identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.",
      "title": "AWS Config recorder is enabled and not in failure state or disabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-config_recorder_all_regions_enabled-211203495394-eu-west-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "211203495394",
            "role_arn": "",
            "recording": null,
            "last_status": null,
            "region": "eu-west-1"
          }
        },
        "group": {
          "name": "config"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:config:eu-west-1:211203495394:recorder"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-1"
    },
    "remediation": {
      "desc": "Enable **AWS Config** in every Region with continuous recording and maintain healthy recorder status.",
      "references": [
        "https://hub.prowler.com/check/config_recorder_all_regions_enabled"
      ]
    },
    "risk_details": "**Gaps in Config recording** create **blind spots**. Changes in unmonitored Regions aren't captured, weakening **integrity** and **auditability**. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying **incident response**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Config recorder 211203495394 is disabled.",
    "metadata": {
      "event_code": "config_recorder_all_regions_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Config recorder 211203495394 is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/es/questions/QUGcgeerhcTamRkwgdwh_tLQ/enable-aws-config",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit:6a5136528bd329139e5969f8f1e5ffbc",
        "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a"
        ],
        "CIS-6.0": [
          "4.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy",
          "ksi-mla-07"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "2.4",
          "2.4.a",
          "10.5",
          "10.5.2",
          "11.5",
          "11.5.a",
          "11.5.b"
        ],
        "GxP-EU-Annex-11": [
          "10-change-and-configuration-management",
          "4.5-validation-development-quality",
          "4.6-validation-quality-performance"
        ],
        "CIS-2.0": [
          "3.5"
        ],
        "CSA-CCM-4.0": [
          "A&A-04",
          "CCC-07",
          "DCS-06",
          "DSP-03"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.1"
        ],
        "CIS-4.0.1": [
          "3.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02"
        ],
        "CIS-3.0": [
          "3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_3_1",
          "cc_3_4",
          "cc_8_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "DEV-08.02B"
        ],
        "ISO27001-2022": [
          "A.5.16",
          "A.5.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Config.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.2",
          "13.1",
          "14.2",
          "17.5",
          "18.3"
        ],
        "CIS-1.4": [
          "3.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "am_1",
          "ra_5",
          "sc_4",
          "ip_12"
        ],
        "CIS-5.0": [
          "3.3"
        ],
        "CIS-1.5": [
          "3.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable continuous recording for most of the resources",
          "Confirm that records are present in central aggregator"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3",
          "pt_1"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.cfg.1",
          "op.exp.1.aws.cfg.2",
          "op.exp.3.aws.cfg.1",
          "op.exp.3.r3.aws.cfg.1",
          "op.mon.3.r2.aws.cfg.1",
          "op.mon.3.r6.aws.cfg.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1204",
          "T1098",
          "T1136",
          "T1525",
          "T1562",
          "T1110",
          "T1040",
          "T1119",
          "T1530",
          "T1485",
          "T1486",
          "T1491",
          "T1499",
          "T1496",
          "T1498"
        ],
        "ISO27001-2013": [
          "A.12.4.P"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS accounts** have **AWS Config recorders** active and healthy in each Region. The check identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.",
      "title": "AWS Config recorder is enabled and not in failure state or disabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-config_recorder_all_regions_enabled-211203495394-eu-west-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-2",
        "data": {
          "details": "",
          "metadata": {
            "name": "211203495394",
            "role_arn": "",
            "recording": null,
            "last_status": null,
            "region": "eu-west-2"
          }
        },
        "group": {
          "name": "config"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:config:eu-west-2:211203495394:recorder"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-2"
    },
    "remediation": {
      "desc": "Enable **AWS Config** in every Region with continuous recording and maintain healthy recorder status.",
      "references": [
        "https://hub.prowler.com/check/config_recorder_all_regions_enabled"
      ]
    },
    "risk_details": "**Gaps in Config recording** create **blind spots**. Changes in unmonitored Regions aren't captured, weakening **integrity** and **auditability**. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying **incident response**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Config recorder 211203495394 is disabled.",
    "metadata": {
      "event_code": "config_recorder_all_regions_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Config recorder 211203495394 is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/es/questions/QUGcgeerhcTamRkwgdwh_tLQ/enable-aws-config",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit:6a5136528bd329139e5969f8f1e5ffbc",
        "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a"
        ],
        "CIS-6.0": [
          "4.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy",
          "ksi-mla-07"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "2.4",
          "2.4.a",
          "10.5",
          "10.5.2",
          "11.5",
          "11.5.a",
          "11.5.b"
        ],
        "GxP-EU-Annex-11": [
          "10-change-and-configuration-management",
          "4.5-validation-development-quality",
          "4.6-validation-quality-performance"
        ],
        "CIS-2.0": [
          "3.5"
        ],
        "CSA-CCM-4.0": [
          "A&A-04",
          "CCC-07",
          "DCS-06",
          "DSP-03"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.1"
        ],
        "CIS-4.0.1": [
          "3.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02"
        ],
        "CIS-3.0": [
          "3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_3_1",
          "cc_3_4",
          "cc_8_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "DEV-08.02B"
        ],
        "ISO27001-2022": [
          "A.5.16",
          "A.5.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Config.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.2",
          "13.1",
          "14.2",
          "17.5",
          "18.3"
        ],
        "CIS-1.4": [
          "3.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "am_1",
          "ra_5",
          "sc_4",
          "ip_12"
        ],
        "CIS-5.0": [
          "3.3"
        ],
        "CIS-1.5": [
          "3.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable continuous recording for most of the resources",
          "Confirm that records are present in central aggregator"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3",
          "pt_1"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.cfg.1",
          "op.exp.1.aws.cfg.2",
          "op.exp.3.aws.cfg.1",
          "op.exp.3.r3.aws.cfg.1",
          "op.mon.3.r2.aws.cfg.1",
          "op.mon.3.r6.aws.cfg.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1204",
          "T1098",
          "T1136",
          "T1525",
          "T1562",
          "T1110",
          "T1040",
          "T1119",
          "T1530",
          "T1485",
          "T1486",
          "T1491",
          "T1499",
          "T1496",
          "T1498"
        ],
        "ISO27001-2013": [
          "A.12.4.P"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Checks whether **AWS accounts** have **AWS Config recorders** active and healthy in each Region. The check identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.",
      "title": "AWS Config recorder is enabled and not in failure state or disabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-config_recorder_all_regions_enabled-211203495394-eu-west-3-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-3",
        "data": {
          "details": "",
          "metadata": {
            "name": "211203495394",
            "role_arn": "",
            "recording": null,
            "last_status": null,
            "region": "eu-west-3"
          }
        },
        "group": {
          "name": "config"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:config:eu-west-3:211203495394:recorder"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-3"
    },
    "remediation": {
      "desc": "Enable **AWS Config** in every Region with continuous recording and maintain healthy recorder status.",
      "references": [
        "https://hub.prowler.com/check/config_recorder_all_regions_enabled"
      ]
    },
    "risk_details": "**Gaps in Config recording** create **blind spots**. Changes in unmonitored Regions aren't captured, weakening **integrity** and **auditability**. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying **incident response**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Config recorder 211203495394 is disabled.",
    "metadata": {
      "event_code": "config_recorder_all_regions_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Config recorder 211203495394 is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/es/questions/QUGcgeerhcTamRkwgdwh_tLQ/enable-aws-config",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit:6a5136528bd329139e5969f8f1e5ffbc",
        "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a"
        ],
        "CIS-6.0": [
          "4.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy",
          "ksi-mla-07"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "2.4",
          "2.4.a",
          "10.5",
          "10.5.2",
          "11.5",
          "11.5.a",
          "11.5.b"
        ],
        "GxP-EU-Annex-11": [
          "10-change-and-configuration-management",
          "4.5-validation-development-quality",
          "4.6-validation-quality-performance"
        ],
        "CIS-2.0": [
          "3.5"
        ],
        "CSA-CCM-4.0": [
          "A&A-04",
          "CCC-07",
          "DCS-06",
          "DSP-03"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.1"
        ],
        "CIS-4.0.1": [
          "3.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02"
        ],
        "CIS-3.0": [
          "3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_3_1",
          "cc_3_4",
          "cc_8_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "DEV-08.02B"
        ],
        "ISO27001-2022": [
          "A.5.16",
          "A.5.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Config.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.2",
          "13.1",
          "14.2",
          "17.5",
          "18.3"
        ],
        "CIS-1.4": [
          "3.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "am_1",
          "ra_5",
          "sc_4",
          "ip_12"
        ],
        "CIS-5.0": [
          "3.3"
        ],
        "CIS-1.5": [
          "3.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable continuous recording for most of the resources",
          "Confirm that records are present in central aggregator"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3",
          "pt_1"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.cfg.1",
          "op.exp.1.aws.cfg.2",
          "op.exp.3.aws.cfg.1",
          "op.exp.3.r3.aws.cfg.1",
          "op.mon.3.r2.aws.cfg.1",
          "op.mon.3.r6.aws.cfg.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1204",
          "T1098",
          "T1136",
          "T1525",
          "T1562",
          "T1110",
          "T1040",
          "T1119",
          "T1530",
          "T1485",
          "T1486",
          "T1491",
          "T1499",
          "T1496",
          "T1498"
        ],
        "ISO27001-2013": [
          "A.12.4.P"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Checks whether **AWS accounts** have **AWS Config recorders** active and healthy in each Region. The check identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.",
      "title": "AWS Config recorder is enabled and not in failure state or disabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-config_recorder_all_regions_enabled-211203495394-sa-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "sa-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "211203495394",
            "role_arn": "",
            "recording": null,
            "last_status": null,
            "region": "sa-east-1"
          }
        },
        "group": {
          "name": "config"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:config:sa-east-1:211203495394:recorder"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "sa-east-1"
    },
    "remediation": {
      "desc": "Enable **AWS Config** in every Region with continuous recording and maintain healthy recorder status.",
      "references": [
        "https://hub.prowler.com/check/config_recorder_all_regions_enabled"
      ]
    },
    "risk_details": "**Gaps in Config recording** create **blind spots**. Changes in unmonitored Regions aren't captured, weakening **integrity** and **auditability**. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying **incident response**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Config recorder 211203495394 is disabled.",
    "metadata": {
      "event_code": "config_recorder_all_regions_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Config recorder 211203495394 is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/es/questions/QUGcgeerhcTamRkwgdwh_tLQ/enable-aws-config",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit:6a5136528bd329139e5969f8f1e5ffbc",
        "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a"
        ],
        "CIS-6.0": [
          "4.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy",
          "ksi-mla-07"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "2.4",
          "2.4.a",
          "10.5",
          "10.5.2",
          "11.5",
          "11.5.a",
          "11.5.b"
        ],
        "GxP-EU-Annex-11": [
          "10-change-and-configuration-management",
          "4.5-validation-development-quality",
          "4.6-validation-quality-performance"
        ],
        "CIS-2.0": [
          "3.5"
        ],
        "CSA-CCM-4.0": [
          "A&A-04",
          "CCC-07",
          "DCS-06",
          "DSP-03"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.1"
        ],
        "CIS-4.0.1": [
          "3.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02"
        ],
        "CIS-3.0": [
          "3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_3_1",
          "cc_3_4",
          "cc_8_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "DEV-08.02B"
        ],
        "ISO27001-2022": [
          "A.5.16",
          "A.5.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Config.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.2",
          "13.1",
          "14.2",
          "17.5",
          "18.3"
        ],
        "CIS-1.4": [
          "3.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "am_1",
          "ra_5",
          "sc_4",
          "ip_12"
        ],
        "CIS-5.0": [
          "3.3"
        ],
        "CIS-1.5": [
          "3.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable continuous recording for most of the resources",
          "Confirm that records are present in central aggregator"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3",
          "pt_1"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.cfg.1",
          "op.exp.1.aws.cfg.2",
          "op.exp.3.aws.cfg.1",
          "op.exp.3.r3.aws.cfg.1",
          "op.mon.3.r2.aws.cfg.1",
          "op.mon.3.r6.aws.cfg.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1204",
          "T1098",
          "T1136",
          "T1525",
          "T1562",
          "T1110",
          "T1040",
          "T1119",
          "T1530",
          "T1485",
          "T1486",
          "T1491",
          "T1499",
          "T1496",
          "T1498"
        ],
        "ISO27001-2013": [
          "A.12.4.P"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Checks whether **AWS accounts** have **AWS Config recorders** active and healthy in each Region. The check identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.",
      "title": "AWS Config recorder is enabled and not in failure state or disabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-config_recorder_all_regions_enabled-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "211203495394",
            "role_arn": "",
            "recording": null,
            "last_status": null,
            "region": "us-east-1"
          }
        },
        "group": {
          "name": "config"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:config:us-east-1:211203495394:recorder"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enable **AWS Config** in every Region with continuous recording and maintain healthy recorder status.",
      "references": [
        "https://hub.prowler.com/check/config_recorder_all_regions_enabled"
      ]
    },
    "risk_details": "**Gaps in Config recording** create **blind spots**. Changes in unmonitored Regions aren't captured, weakening **integrity** and **auditability**. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying **incident response**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Config recorder 211203495394 is disabled.",
    "metadata": {
      "event_code": "config_recorder_all_regions_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Config recorder 211203495394 is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/es/questions/QUGcgeerhcTamRkwgdwh_tLQ/enable-aws-config",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit:6a5136528bd329139e5969f8f1e5ffbc",
        "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a"
        ],
        "CIS-6.0": [
          "4.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy",
          "ksi-mla-07"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "2.4",
          "2.4.a",
          "10.5",
          "10.5.2",
          "11.5",
          "11.5.a",
          "11.5.b"
        ],
        "GxP-EU-Annex-11": [
          "10-change-and-configuration-management",
          "4.5-validation-development-quality",
          "4.6-validation-quality-performance"
        ],
        "CIS-2.0": [
          "3.5"
        ],
        "CSA-CCM-4.0": [
          "A&A-04",
          "CCC-07",
          "DCS-06",
          "DSP-03"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.1"
        ],
        "CIS-4.0.1": [
          "3.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02"
        ],
        "CIS-3.0": [
          "3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_3_1",
          "cc_3_4",
          "cc_8_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "DEV-08.02B"
        ],
        "ISO27001-2022": [
          "A.5.16",
          "A.5.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Config.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.2",
          "13.1",
          "14.2",
          "17.5",
          "18.3"
        ],
        "CIS-1.4": [
          "3.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "am_1",
          "ra_5",
          "sc_4",
          "ip_12"
        ],
        "CIS-5.0": [
          "3.3"
        ],
        "CIS-1.5": [
          "3.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable continuous recording for most of the resources",
          "Confirm that records are present in central aggregator"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3",
          "pt_1"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.cfg.1",
          "op.exp.1.aws.cfg.2",
          "op.exp.3.aws.cfg.1",
          "op.exp.3.r3.aws.cfg.1",
          "op.mon.3.r2.aws.cfg.1",
          "op.mon.3.r6.aws.cfg.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1204",
          "T1098",
          "T1136",
          "T1525",
          "T1562",
          "T1110",
          "T1040",
          "T1119",
          "T1530",
          "T1485",
          "T1486",
          "T1491",
          "T1499",
          "T1496",
          "T1498"
        ],
        "ISO27001-2013": [
          "A.12.4.P"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Checks whether **AWS accounts** have **AWS Config recorders** active and healthy in each Region. The check identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.",
      "title": "AWS Config recorder is enabled and not in failure state or disabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-config_recorder_all_regions_enabled-211203495394-us-east-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-2",
        "data": {
          "details": "",
          "metadata": {
            "name": "211203495394",
            "role_arn": "",
            "recording": null,
            "last_status": null,
            "region": "us-east-2"
          }
        },
        "group": {
          "name": "config"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:config:us-east-2:211203495394:recorder"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-2"
    },
    "remediation": {
      "desc": "Enable **AWS Config** in every Region with continuous recording and maintain healthy recorder status.",
      "references": [
        "https://hub.prowler.com/check/config_recorder_all_regions_enabled"
      ]
    },
    "risk_details": "**Gaps in Config recording** create **blind spots**. Changes in unmonitored Regions aren't captured, weakening **integrity** and **auditability**. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying **incident response**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Config recorder 211203495394 is disabled.",
    "metadata": {
      "event_code": "config_recorder_all_regions_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Config recorder 211203495394 is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/es/questions/QUGcgeerhcTamRkwgdwh_tLQ/enable-aws-config",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit:6a5136528bd329139e5969f8f1e5ffbc",
        "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a"
        ],
        "CIS-6.0": [
          "4.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy",
          "ksi-mla-07"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "2.4",
          "2.4.a",
          "10.5",
          "10.5.2",
          "11.5",
          "11.5.a",
          "11.5.b"
        ],
        "GxP-EU-Annex-11": [
          "10-change-and-configuration-management",
          "4.5-validation-development-quality",
          "4.6-validation-quality-performance"
        ],
        "CIS-2.0": [
          "3.5"
        ],
        "CSA-CCM-4.0": [
          "A&A-04",
          "CCC-07",
          "DCS-06",
          "DSP-03"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.1"
        ],
        "CIS-4.0.1": [
          "3.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02"
        ],
        "CIS-3.0": [
          "3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_3_1",
          "cc_3_4",
          "cc_8_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "DEV-08.02B"
        ],
        "ISO27001-2022": [
          "A.5.16",
          "A.5.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Config.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.2",
          "13.1",
          "14.2",
          "17.5",
          "18.3"
        ],
        "CIS-1.4": [
          "3.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "am_1",
          "ra_5",
          "sc_4",
          "ip_12"
        ],
        "CIS-5.0": [
          "3.3"
        ],
        "CIS-1.5": [
          "3.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable continuous recording for most of the resources",
          "Confirm that records are present in central aggregator"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3",
          "pt_1"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.cfg.1",
          "op.exp.1.aws.cfg.2",
          "op.exp.3.aws.cfg.1",
          "op.exp.3.r3.aws.cfg.1",
          "op.mon.3.r2.aws.cfg.1",
          "op.mon.3.r6.aws.cfg.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1204",
          "T1098",
          "T1136",
          "T1525",
          "T1562",
          "T1110",
          "T1040",
          "T1119",
          "T1530",
          "T1485",
          "T1486",
          "T1491",
          "T1499",
          "T1496",
          "T1498"
        ],
        "ISO27001-2013": [
          "A.12.4.P"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS accounts** have **AWS Config recorders** active and healthy in each Region. It identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.",
      "title": "AWS Config recorder is enabled and not in failure state or disabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-config_recorder_all_regions_enabled-211203495394-us-west-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "211203495394",
            "role_arn": "",
            "recording": null,
            "last_status": null,
            "region": "us-west-1"
          }
        },
        "group": {
          "name": "config"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:config:us-west-1:211203495394:recorder"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-1"
    },
    "remediation": {
      "desc": "Enable **AWS Config** in every Region with continuous recording and maintain healthy recorder status.",
      "references": [
        "https://hub.prowler.com/check/config_recorder_all_regions_enabled"
      ]
    },
    "risk_details": "**Gaps in Config recording** create **blind spots**. Changes in unmonitored Regions aren't captured, weakening **integrity** and **auditability**. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying **incident response**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Config recorder 211203495394 is disabled.",
    "metadata": {
      "event_code": "config_recorder_all_regions_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Config recorder 211203495394 is disabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://repost.aws/es/questions/QUGcgeerhcTamRkwgdwh_tLQ/enable-aws-config",
        "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v1.5.0_L2.audit:6a5136528bd329139e5969f8f1e5ffbc",
        "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a"
        ],
        "CIS-6.0": [
          "4.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy",
          "ksi-mla-07"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN04.AR01"
        ],
        "PCI-3.2.1": [
          "2.4",
          "2.4.a",
          "10.5",
          "10.5.2",
          "11.5",
          "11.5.a",
          "11.5.b"
        ],
        "GxP-EU-Annex-11": [
          "10-change-and-configuration-management",
          "4.5-validation-development-quality",
          "4.6-validation-quality-performance"
        ],
        "CIS-2.0": [
          "3.5"
        ],
        "CSA-CCM-4.0": [
          "A&A-04",
          "CCC-07",
          "DCS-06",
          "DSP-03"
        ],
        "GDPR": [
          "article_25",
          "article_30"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.3"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.1"
        ],
        "CIS-4.0.1": [
          "3.3"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP02"
        ],
        "CIS-3.0": [
          "3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.3"
        ],
        "SOC2": [
          "cc_2_1",
          "cc_3_1",
          "cc_3_4",
          "cc_8_1",
          "pi_1_3"
        ],
        "C5-2025": [
          "OIS-05.01B",
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "DEV-08.02B"
        ],
        "ISO27001-2022": [
          "A.5.16",
          "A.5.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "Config.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.2",
          "13.1",
          "14.2",
          "17.5",
          "18.3"
        ],
        "CIS-1.4": [
          "3.5"
        ],
        "NIST-CSF-1.1": [
          "cm_2",
          "am_1",
          "ra_5",
          "sc_4",
          "ip_12"
        ],
        "CIS-5.0": [
          "3.3"
        ],
        "CIS-1.5": [
          "3.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable continuous recording for most of the resources",
          "Confirm that records are present in central aggregator"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3",
          "pt_1"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.cfg.1",
          "op.exp.1.aws.cfg.2",
          "op.exp.3.aws.cfg.1",
          "op.exp.3.r3.aws.cfg.1",
          "op.mon.3.r2.aws.cfg.1",
          "op.mon.3.r6.aws.cfg.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1204",
          "T1098",
          "T1136",
          "T1525",
          "T1562",
          "T1110",
          "T1040",
          "T1119",
          "T1530",
          "T1485",
          "T1486",
          "T1491",
          "T1499",
          "T1496",
          "T1498"
        ],
        "ISO27001-2013": [
          "A.12.4.P"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS accounts** have **AWS Config recorders** active and healthy in each Region. It identifies Regions with no recorder, a disabled recorder, or a recorder in a failure state.",
      "title": "AWS Config recorder is enabled and not in failure state or disabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-config_recorder_all_regions_enabled-211203495394-us-west-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-2",
        "data": {
          "details": "",
          "metadata": {
            "name": "211203495394",
            "role_arn": "",
            "recording": null,
            "last_status": null,
            "region": "us-west-2"
          }
        },
        "group": {
          "name": "config"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:config:us-west-2:211203495394:recorder"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-2"
    },
    "remediation": {
      "desc": "Enable **AWS Config** in every Region with continuous recording and maintain healthy recorder status.",
      "references": [
        "https://hub.prowler.com/check/config_recorder_all_regions_enabled"
      ]
    },
    "risk_details": "**Gaps in Config recording** create **blind spots**. Changes in unmonitored Regions aren't captured, weakening **integrity** and **auditability**. Adversaries can alter resources or stage assets unnoticed, enabling misconfigurations and delaying **incident response**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "DRS is not enabled for this region.",
    "metadata": {
      "event_code": "drs_job_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "DRS is not enabled for this region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
        "https://aws.amazon.com/disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "BCR-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ip_9"
        ],
        "ENS-RD2022": [
          "op.cont.3.aws.drs.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1485",
          "T1486",
          "T1491",
          "T1490"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
      "title": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-drs_job_exist-211203495394-ap-northeast-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "DRS",
            "status": "DISABLED",
            "region": "ap-northeast-1",
            "jobs": []
          }
        },
        "group": {
          "name": "drs"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:drs:ap-northeast-1:211203495394:recovery-job"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-1"
    },
    "remediation": {
      "desc": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
      "references": [
        "https://hub.prowler.com/check/drs_job_exist"
      ]
    },
    "risk_details": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "DRS is not enabled for this region.",
    "metadata": {
      "event_code": "drs_job_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "DRS is not enabled for this region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
        "https://aws.amazon.com/disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "BCR-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ip_9"
        ],
        "ENS-RD2022": [
          "op.cont.3.aws.drs.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1485",
          "T1486",
          "T1491",
          "T1490"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
      "title": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-drs_job_exist-211203495394-ap-northeast-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "DRS",
            "status": "DISABLED",
            "region": "ap-northeast-2",
            "jobs": []
          }
        },
        "group": {
          "name": "drs"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:drs:ap-northeast-2:211203495394:recovery-job"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-2"
    },
    "remediation": {
      "desc": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
      "references": [
        "https://hub.prowler.com/check/drs_job_exist"
      ]
    },
    "risk_details": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "DRS is not enabled for this region.",
    "metadata": {
      "event_code": "drs_job_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "DRS is not enabled for this region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
        "https://aws.amazon.com/disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "BCR-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ip_9"
        ],
        "ENS-RD2022": [
          "op.cont.3.aws.drs.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1485",
          "T1486",
          "T1491",
          "T1490"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
      "title": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-drs_job_exist-211203495394-ap-northeast-3-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-3",
        "data": {
          "details": "",
          "metadata": {
            "id": "DRS",
            "status": "DISABLED",
            "region": "ap-northeast-3",
            "jobs": []
          }
        },
        "group": {
          "name": "drs"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:drs:ap-northeast-3:211203495394:recovery-job"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-3"
    },
    "remediation": {
      "desc": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
      "references": [
        "https://hub.prowler.com/check/drs_job_exist"
      ]
    },
    "risk_details": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "DRS is not enabled for this region.",
    "metadata": {
      "event_code": "drs_job_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "DRS is not enabled for this region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
        "https://aws.amazon.com/disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "BCR-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ip_9"
        ],
        "ENS-RD2022": [
          "op.cont.3.aws.drs.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1485",
          "T1486",
          "T1491",
          "T1490"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
      "title": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-drs_job_exist-211203495394-ap-south-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-south-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "DRS",
            "status": "DISABLED",
            "region": "ap-south-1",
            "jobs": []
          }
        },
        "group": {
          "name": "drs"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:drs:ap-south-1:211203495394:recovery-job"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-south-1"
    },
    "remediation": {
      "desc": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
      "references": [
        "https://hub.prowler.com/check/drs_job_exist"
      ]
    },
    "risk_details": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "DRS is not enabled for this region.",
    "metadata": {
      "event_code": "drs_job_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "DRS is not enabled for this region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
        "https://aws.amazon.com/disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "BCR-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ip_9"
        ],
        "ENS-RD2022": [
          "op.cont.3.aws.drs.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1485",
          "T1486",
          "T1491",
          "T1490"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
      "title": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-drs_job_exist-211203495394-ap-southeast-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "DRS",
            "status": "DISABLED",
            "region": "ap-southeast-1",
            "jobs": []
          }
        },
        "group": {
          "name": "drs"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:drs:ap-southeast-1:211203495394:recovery-job"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-1"
    },
    "remediation": {
      "desc": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
      "references": [
        "https://hub.prowler.com/check/drs_job_exist"
      ]
    },
    "risk_details": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "DRS is not enabled for this region.",
    "metadata": {
      "event_code": "drs_job_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "DRS is not enabled for this region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
        "https://aws.amazon.com/disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "BCR-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ip_9"
        ],
        "ENS-RD2022": [
          "op.cont.3.aws.drs.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1485",
          "T1486",
          "T1491",
          "T1490"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
      "title": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-drs_job_exist-211203495394-ap-southeast-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "DRS",
            "status": "DISABLED",
            "region": "ap-southeast-2",
            "jobs": []
          }
        },
        "group": {
          "name": "drs"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:drs:ap-southeast-2:211203495394:recovery-job"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-2"
    },
    "remediation": {
      "desc": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
      "references": [
        "https://hub.prowler.com/check/drs_job_exist"
      ]
    },
    "risk_details": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "DRS is not enabled for this region.",
    "metadata": {
      "event_code": "drs_job_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "DRS is not enabled for this region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
        "https://aws.amazon.com/disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "BCR-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ip_9"
        ],
        "ENS-RD2022": [
          "op.cont.3.aws.drs.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1485",
          "T1486",
          "T1491",
          "T1490"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
      "title": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-drs_job_exist-211203495394-ca-central-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ca-central-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "DRS",
            "status": "DISABLED",
            "region": "ca-central-1",
            "jobs": []
          }
        },
        "group": {
          "name": "drs"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:drs:ca-central-1:211203495394:recovery-job"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ca-central-1"
    },
    "remediation": {
      "desc": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
      "references": [
        "https://hub.prowler.com/check/drs_job_exist"
      ]
    },
    "risk_details": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "DRS is not enabled for this region.",
    "metadata": {
      "event_code": "drs_job_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "DRS is not enabled for this region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
        "https://aws.amazon.com/disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "BCR-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ip_9"
        ],
        "ENS-RD2022": [
          "op.cont.3.aws.drs.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1485",
          "T1486",
          "T1491",
          "T1490"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
      "title": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-drs_job_exist-211203495394-eu-central-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-central-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "DRS",
            "status": "DISABLED",
            "region": "eu-central-1",
            "jobs": []
          }
        },
        "group": {
          "name": "drs"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:drs:eu-central-1:211203495394:recovery-job"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-central-1"
    },
    "remediation": {
      "desc": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
      "references": [
        "https://hub.prowler.com/check/drs_job_exist"
      ]
    },
    "risk_details": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "DRS is not enabled for this region.",
    "metadata": {
      "event_code": "drs_job_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "DRS is not enabled for this region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
        "https://aws.amazon.com/disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "BCR-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ip_9"
        ],
        "ENS-RD2022": [
          "op.cont.3.aws.drs.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1485",
          "T1486",
          "T1491",
          "T1490"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
      "title": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-drs_job_exist-211203495394-eu-north-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-north-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "DRS",
            "status": "DISABLED",
            "region": "eu-north-1",
            "jobs": []
          }
        },
        "group": {
          "name": "drs"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:drs:eu-north-1:211203495394:recovery-job"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-north-1"
    },
    "remediation": {
      "desc": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
      "references": [
        "https://hub.prowler.com/check/drs_job_exist"
      ]
    },
    "risk_details": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "DRS is not enabled for this region.",
    "metadata": {
      "event_code": "drs_job_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "DRS is not enabled for this region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
        "https://aws.amazon.com/disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "BCR-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ip_9"
        ],
        "ENS-RD2022": [
          "op.cont.3.aws.drs.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1485",
          "T1486",
          "T1491",
          "T1490"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
      "title": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-drs_job_exist-211203495394-eu-west-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "DRS",
            "status": "DISABLED",
            "region": "eu-west-1",
            "jobs": []
          }
        },
        "group": {
          "name": "drs"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:drs:eu-west-1:211203495394:recovery-job"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-1"
    },
    "remediation": {
      "desc": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
      "references": [
        "https://hub.prowler.com/check/drs_job_exist"
      ]
    },
    "risk_details": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "DRS is not enabled for this region.",
    "metadata": {
      "event_code": "drs_job_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "DRS is not enabled for this region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
        "https://aws.amazon.com/disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "BCR-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ip_9"
        ],
        "ENS-RD2022": [
          "op.cont.3.aws.drs.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1485",
          "T1486",
          "T1491",
          "T1490"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
      "title": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-drs_job_exist-211203495394-eu-west-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "DRS",
            "status": "DISABLED",
            "region": "eu-west-2",
            "jobs": []
          }
        },
        "group": {
          "name": "drs"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:drs:eu-west-2:211203495394:recovery-job"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-2"
    },
    "remediation": {
      "desc": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
      "references": [
        "https://hub.prowler.com/check/drs_job_exist"
      ]
    },
    "risk_details": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "DRS is not enabled for this region.",
    "metadata": {
      "event_code": "drs_job_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "DRS is not enabled for this region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
        "https://aws.amazon.com/disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "BCR-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ip_9"
        ],
        "ENS-RD2022": [
          "op.cont.3.aws.drs.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1485",
          "T1486",
          "T1491",
          "T1490"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
      "title": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-drs_job_exist-211203495394-eu-west-3-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-3",
        "data": {
          "details": "",
          "metadata": {
            "id": "DRS",
            "status": "DISABLED",
            "region": "eu-west-3",
            "jobs": []
          }
        },
        "group": {
          "name": "drs"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:drs:eu-west-3:211203495394:recovery-job"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-3"
    },
    "remediation": {
      "desc": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
      "references": [
        "https://hub.prowler.com/check/drs_job_exist"
      ]
    },
    "risk_details": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "DRS is not enabled for this region.",
    "metadata": {
      "event_code": "drs_job_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "DRS is not enabled for this region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
        "https://aws.amazon.com/disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "BCR-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ip_9"
        ],
        "ENS-RD2022": [
          "op.cont.3.aws.drs.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1485",
          "T1486",
          "T1491",
          "T1490"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
      "title": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-drs_job_exist-211203495394-sa-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "sa-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "DRS",
            "status": "DISABLED",
            "region": "sa-east-1",
            "jobs": []
          }
        },
        "group": {
          "name": "drs"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:drs:sa-east-1:211203495394:recovery-job"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "sa-east-1"
    },
    "remediation": {
      "desc": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
      "references": [
        "https://hub.prowler.com/check/drs_job_exist"
      ]
    },
    "risk_details": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "DRS is not enabled for this region.",
    "metadata": {
      "event_code": "drs_job_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "DRS is not enabled for this region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
        "https://aws.amazon.com/disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "BCR-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ip_9"
        ],
        "ENS-RD2022": [
          "op.cont.3.aws.drs.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1485",
          "T1486",
          "T1491",
          "T1490"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
      "title": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-drs_job_exist-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "DRS",
            "status": "DISABLED",
            "region": "us-east-1",
            "jobs": []
          }
        },
        "group": {
          "name": "drs"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:drs:us-east-1:211203495394:recovery-job"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
      "references": [
        "https://hub.prowler.com/check/drs_job_exist"
      ]
    },
    "risk_details": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "DRS is not enabled for this region.",
    "metadata": {
      "event_code": "drs_job_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "DRS is not enabled for this region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
        "https://aws.amazon.com/disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "BCR-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ip_9"
        ],
        "ENS-RD2022": [
          "op.cont.3.aws.drs.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1485",
          "T1486",
          "T1491",
          "T1490"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
      "title": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-drs_job_exist-211203495394-us-east-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "DRS",
            "status": "DISABLED",
            "region": "us-east-2",
            "jobs": []
          }
        },
        "group": {
          "name": "drs"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:drs:us-east-2:211203495394:recovery-job"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-2"
    },
    "remediation": {
      "desc": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
      "references": [
        "https://hub.prowler.com/check/drs_job_exist"
      ]
    },
    "risk_details": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "DRS is not enabled for this region.",
    "metadata": {
      "event_code": "drs_job_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "DRS is not enabled for this region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
        "https://aws.amazon.com/disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "BCR-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ip_9"
        ],
        "ENS-RD2022": [
          "op.cont.3.aws.drs.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1485",
          "T1486",
          "T1491",
          "T1490"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
      "title": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-drs_job_exist-211203495394-us-west-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "DRS",
            "status": "DISABLED",
            "region": "us-west-1",
            "jobs": []
          }
        },
        "group": {
          "name": "drs"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:drs:us-west-1:211203495394:recovery-job"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-1"
    },
    "remediation": {
      "desc": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
      "references": [
        "https://hub.prowler.com/check/drs_job_exist"
      ]
    },
    "risk_details": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "DRS is not enabled for this region.",
    "metadata": {
      "event_code": "drs_job_exist",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "DRS is not enabled for this region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
        "https://aws.amazon.com/disaster-recovery/",
        "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "BCR-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.12.1",
          "2.12.2"
        ],
        "NIST-CSF-2.0": [
          "be_5",
          "ip_9"
        ],
        "ENS-RD2022": [
          "op.cont.3.aws.drs.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1485",
          "T1486",
          "T1491",
          "T1490"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
      "title": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-drs_job_exist-211203495394-us-west-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "DRS",
            "status": "DISABLED",
            "region": "us-west-2",
            "jobs": []
          }
        },
        "group": {
          "name": "drs"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:drs:us-west-2:211203495394:recovery-job"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-2"
    },
    "remediation": {
      "desc": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
      "references": [
        "https://hub.prowler.com/check/drs_job_exist"
      ]
    },
    "risk_details": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IMDSv2 is not enabled by default for EC2 instances.",
    "metadata": {
      "event_code": "ec2_instance_account_imdsv2_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IMDSv2 is not enabled by default for EC2 instances.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "secrets"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#set-imdsv2-account-defaults",
        "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/require-imds-v2.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.i"
        ],
        "CIS-2.0": [
          "5.6"
        ],
        "CSA-CCM-4.0": [
          "IVS-04"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-25.01B"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 account IMDS defaults** with `http_tokens`=`required` ensure new instances in the Region use **IMDSv2** by default and disable IMDSv1. *Existing instances keep their current setting.*",
      "title": "IMDSv2 is required by default for EC2 instances at the account level",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Credential Access"
      ],
      "uid": "prowler-aws-ec2_instance_account_imdsv2_enabled-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "http_tokens": null,
            "instances": true,
            "region": "us-east-1"
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:account"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enforce **IMDSv2** at the account level in every Region by setting `http_tokens` to `required`. Add guardrails with **SCP/IAM conditions**. Standardize AMIs and launch templates to require tokens, validate workload compatibility, and apply **least privilege** to instance roles for defense in depth. *For containers*, prefer hop limit `2`.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_account_imdsv2_enabled"
      ]
    },
    "risk_details": "Without a default of **IMDSv2**, new instances may be launched with **IMDSv1** enabled, exposing metadata via simple HTTP. SSRF flaws or proxy misconfigurations can then be abused to steal **temporary IAM credentials**, enabling data exfiltration (confidentiality), unauthorized API changes (integrity), and lateral movement that can disrupt services (availability).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EC2 Instance i-076e34b1bed03e4eb does not have detailed monitoring enabled.",
    "metadata": {
      "event_code": "ec2_instance_detailed_monitoring_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "EC2 Instance i-076e34b1bed03e4eb does not have detailed monitoring enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/instance-detailed-monitoring.html",
        "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html#enable-detailed-monitoring-instance"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.h"
        ],
        "PCI-4.0": [
          "10.2.1.1.15",
          "10.4.1.1.4",
          "10.4.1.3",
          "10.4.2.4",
          "10.6.3.15",
          "10.7.1.5",
          "10.7.2.5",
          "A3.3.1.7",
          "A3.5.1.7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** are assessed for **CloudWatch detailed monitoring**, indicating whether 1-minute metrics collection is enabled.\n\nInstances lacking this setting provide only 5-minute metrics.",
      "title": "EC2 instance has detailed monitoring enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-ec2_instance_detailed_monitoring_enabled-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enable **detailed monitoring** to collect `1-minute` metrics on critical instances. Use **defense in depth**: baseline normal behavior, create alerts for anomalies, and correlate metrics with logs and traces. Review dashboards regularly. *If costs matter*, prioritize production, internet-facing, and autoscaling fleets.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_detailed_monitoring_enabled"
      ]
    },
    "risk_details": "Without 1-minute metrics, visibility drops, delaying detection of:\n- Sudden CPU/network/disk spikes affecting **availability**\n- **Malicious workloads** (crypto-mining, brute force)\n- **Data exfiltration** patterns\nSlower detection expands blast radius, raising incident impact and response cost.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EC2 Instance i-0dfacf8d3e903db17 does not have detailed monitoring enabled.",
    "metadata": {
      "event_code": "ec2_instance_detailed_monitoring_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "EC2 Instance i-0dfacf8d3e903db17 does not have detailed monitoring enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "logging",
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/instance-detailed-monitoring.html",
        "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html#enable-detailed-monitoring-instance"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.2.3.h"
        ],
        "PCI-4.0": [
          "10.2.1.1.15",
          "10.4.1.1.4",
          "10.4.1.3",
          "10.4.2.4",
          "10.6.3.15",
          "10.7.1.5",
          "10.7.2.5",
          "A3.3.1.7",
          "A3.5.1.7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** are assessed for **CloudWatch detailed monitoring**, indicating whether 1-minute metrics collection is enabled.\n\nInstances lacking this setting provide only 5-minute metrics.",
      "title": "EC2 instance has detailed monitoring enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-ec2_instance_detailed_monitoring_enabled-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enable **detailed monitoring** to collect `1-minute` metrics on critical instances. Use **defense in depth**: baseline normal behavior, create alerts for anomalies, and correlate metrics with logs and traces. Review dashboards regularly. *If costs matter*, prioritize production, internet-facing, and autoscaling fleets.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_detailed_monitoring_enabled"
      ]
    },
    "risk_details": "Without 1-minute metrics, visibility drops, delaying detection of:\n- Sudden CPU/network/disk spikes affecting **availability**\n- **Malicious workloads** (crypto-mining, brute force)\n- **Data exfiltration** patterns\nSlower detection expands blast radius, raising incident impact and response cost.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EC2 Instance i-076e34b1bed03e4eb is unmanaged by Systems Manager because it is terminated.",
    "metadata": {
      "event_code": "ec2_instance_managed_by_ssm",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EC2 Instance i-076e34b1bed03e4eb is unmanaged by Systems Manager because it is terminated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "node-security"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/SSM/ssm-managed-instances.html",
        "https://docs.aws.amazon.com/systems-manager/latest/userguide/managed_instances.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_5_ii_b"
        ],
        "FedRAMP-Low-Revision-4": [
          "cm-8",
          "sa-3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy"
        ],
        "NIST-800-53-Revision-5": [
          "cm_2_a",
          "cm_2_b",
          "cm_2_b_1",
          "cm_2_b_2",
          "cm_2_b_3",
          "cm_2_2",
          "cm_3_3",
          "cm_6",
          "cm_8_1",
          "cm_8_2",
          "cm_8_3_a",
          "cm_8_6",
          "cm_8_a",
          "cm_8_a_1",
          "cm_8_a_2",
          "cm_8_a_3",
          "cm_8_a_4",
          "cm_8_a_5",
          "cm_8_b",
          "si_3_c_2"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_1_1"
        ],
        "CSA-CCM-4.0": [
          "IVS-04"
        ],
        "CISA": [
          "your-systems-1"
        ],
        "FFIEC": [
          "d1-g-it-b-1",
          "d3-pc-im-b-5"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC01-BP06",
          "SEC06-BP04",
          "SEC06-BP05"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_2",
          "cc_7_1"
        ],
        "ISO27001-2022": [
          "A.5.26"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "SSM.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.10",
          "12.12"
        ],
        "NIST-800-53-Revision-4": [
          "cm_2",
          "cm_7",
          "cm_8_1",
          "cm_8_3",
          "sa_3",
          "sa_10",
          "si_2_2",
          "si_7_1"
        ],
        "NIST-CSF-1.1": [
          "am_1",
          "am_2",
          "ds_3",
          "ds_7",
          "ds_8",
          "ip_1",
          "ip_2",
          "ip_12"
        ],
        "NIST-CSF-2.0": [
          "ac_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "cm-2",
          "cm-7-a",
          "cm-8-1",
          "cm-8-3-a",
          "sa-3-a",
          "sa-10",
          "si-2-2",
          "si-7-1"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-a",
          "11.10-h"
        ],
        "NIST-800-171-Revision-2": [
          "3_4_1",
          "3_4_2",
          "3_4_6",
          "3_4_9",
          "3_14_2"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.6",
          "op.acc.4.aws.sys.1",
          "op.exp.1.aws.sys.1",
          "op.exp.4.aws.sys.2",
          "op.exp.4.r2.aws.sys.1",
          "op.exp.9.aws.img.1",
          "op.acc.4.aws.iam.3"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** are assessed for enrollment as **Systems Manager managed nodes**. Running instances lacking Systems Manager registration are marked as unmanaged; instances in `stopped`, `terminated`, or `pending` states are noted separately.",
      "title": "EC2 instance is managed by AWS Systems Manager or not running",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Patch Management"
      ],
      "uid": "prowler-aws-ec2_instance_managed_by_ssm-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enroll all instances as **Systems Manager managed nodes**. Prefer **Session Manager** over SSH/RDP, restrict inbound admin ports, and use **least privilege** roles. Ensure connectivity to SSM endpoints (or private endpoints), automate patching and inventory, and monitor activity for defense-in-depth.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_managed_by_ssm"
      ]
    },
    "risk_details": "Unmanaged instances lack centralized patching, inventory, and secure remote access. This increases exposure to brute force on SSH/RDP, delayed patching, and poor visibility. Exploits can enable lateral movement and persistence, degrading confidentiality, integrity, and availability.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EC2 Instance i-0dfacf8d3e903db17 is unmanaged by Systems Manager because it is terminated.",
    "metadata": {
      "event_code": "ec2_instance_managed_by_ssm",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EC2 Instance i-0dfacf8d3e903db17 is unmanaged by Systems Manager because it is terminated.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "node-security"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/SSM/ssm-managed-instances.html",
        "https://docs.aws.amazon.com/systems-manager/latest/userguide/managed_instances.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_5_ii_b"
        ],
        "FedRAMP-Low-Revision-4": [
          "cm-8",
          "sa-3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt",
          "ksi-piy"
        ],
        "NIST-800-53-Revision-5": [
          "cm_2_a",
          "cm_2_b",
          "cm_2_b_1",
          "cm_2_b_2",
          "cm_2_b_3",
          "cm_2_2",
          "cm_3_3",
          "cm_6",
          "cm_8_1",
          "cm_8_2",
          "cm_8_3_a",
          "cm_8_6",
          "cm_8_a",
          "cm_8_a_1",
          "cm_8_a_2",
          "cm_8_a_3",
          "cm_8_a_4",
          "cm_8_a_5",
          "cm_8_b",
          "si_3_c_2"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_1_1"
        ],
        "CSA-CCM-4.0": [
          "IVS-04"
        ],
        "CISA": [
          "your-systems-1"
        ],
        "FFIEC": [
          "d1-g-it-b-1",
          "d3-pc-im-b-5"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC01-BP06",
          "SEC06-BP04",
          "SEC06-BP05"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_2",
          "cc_7_1"
        ],
        "ISO27001-2022": [
          "A.5.26"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "SSM.1"
        ],
        "SecNumCloud-3.2": [
          "8.1",
          "12.10",
          "12.12"
        ],
        "NIST-800-53-Revision-4": [
          "cm_2",
          "cm_7",
          "cm_8_1",
          "cm_8_3",
          "sa_3",
          "sa_10",
          "si_2_2",
          "si_7_1"
        ],
        "NIST-CSF-1.1": [
          "am_1",
          "am_2",
          "ds_3",
          "ds_7",
          "ds_8",
          "ip_1",
          "ip_2",
          "ip_12"
        ],
        "NIST-CSF-2.0": [
          "ac_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "cm-2",
          "cm-7-a",
          "cm-8-1",
          "cm-8-3-a",
          "sa-3-a",
          "sa-10",
          "si-2-2",
          "si-7-1"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-a",
          "11.10-h"
        ],
        "NIST-800-171-Revision-2": [
          "3_4_1",
          "3_4_2",
          "3_4_6",
          "3_4_9",
          "3_14_2"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.6",
          "op.acc.4.aws.sys.1",
          "op.exp.1.aws.sys.1",
          "op.exp.4.aws.sys.2",
          "op.exp.4.r2.aws.sys.1",
          "op.exp.9.aws.img.1",
          "op.acc.4.aws.iam.3"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** are assessed for enrollment as **Systems Manager managed nodes**. Running instances lacking Systems Manager registration are marked as unmanaged; instances in `stopped`, `terminated`, or `pending` states are noted separately.",
      "title": "EC2 instance is managed by AWS Systems Manager or not running",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Patch Management"
      ],
      "uid": "prowler-aws-ec2_instance_managed_by_ssm-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enroll all instances as **Systems Manager managed nodes**. Prefer **Session Manager** over SSH/RDP, restrict inbound admin ports, and use **least privilege** roles. Ensure connectivity to SSM endpoints (or private endpoints), automate patching and inventory, and monitor activity for defense-in-depth.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_managed_by_ssm"
      ]
    },
    "risk_details": "Unmanaged instances lack centralized patching, inventory, and secure remote access. This increases exposure to brute force on SSH/RDP, delayed patching, and poor visibility. Exploits can enable lateral movement and persistence, degrading confidentiality, integrity, and availability.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EC2 Instance i-076e34b1bed03e4eb is not running.",
    "metadata": {
      "event_code": "ec2_instance_older_than_specific_days",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EC2 Instance i-076e34b1bed03e4eb is not running.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/systems-manager/latest/userguide/viewing-patch-compliance-results.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/ec2-instance-too-old.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_b"
        ],
        "FedRAMP-Low-Revision-4": [
          "cm-2"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt"
        ],
        "NIST-800-53-Revision-5": [
          "cm_2_a",
          "cm_2_b",
          "cm_2_b_1",
          "cm_2_b_2",
          "cm_2_b_3",
          "cm_2_2",
          "cm_3_3",
          "cm_8_6"
        ],
        "CISA": [
          "your-systems-1"
        ],
        "FFIEC": [
          "d1-g-it-b-1"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.2"
        ],
        "ISO27001-2022": [
          "A.8.10"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EC2.4"
        ],
        "NIST-800-53-Revision-4": [
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ds_7",
          "ip_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "cm-2"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-a"
        ],
        "NIST-800-171-Revision-2": [
          "3_4_1",
          "3_4_2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** are evaluated for age while in `running` state. Instances launched beyond the configurable limit (`max_ec2_instance_age_in_days`, default `180`) are flagged as older than the allowed lifetime. Stopped instances are ignored.",
      "title": "EC2 instance is not older than the configured maximum age or is not running",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Patch Management"
      ],
      "uid": "prowler-aws-ec2_instance_older_than_specific_days-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Adopt **short-lived, patched workloads**:\n- Rebuild regularly from hardened, updated images; rotate AMIs\n- Use centralized patch management and vulnerability scanning\n- Retire or modernize legacy hosts; tag for lifecycle\n- Apply **least privilege** and **defense in depth** to limit blast radius\n\nAdjust `max_ec2_instance_age_in_days` to match policy.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_older_than_specific_days"
      ]
    },
    "risk_details": "Long-lived instances often run **unpatched OS and agents**, enabling:\n- Exploitation of known CVEs → loss of confidentiality\n- Privilege escalation and tampering → integrity compromise\n- Malware/crypto-mining and instability → reduced availability\n\nAged hosts also drift from baselines and impede response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EC2 Instance i-0dfacf8d3e903db17 is not running.",
    "metadata": {
      "event_code": "ec2_instance_older_than_specific_days",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EC2 Instance i-0dfacf8d3e903db17 is not running.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/systems-manager/latest/userguide/viewing-patch-compliance-results.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/ec2-instance-too-old.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_b"
        ],
        "FedRAMP-Low-Revision-4": [
          "cm-2"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-cmt"
        ],
        "NIST-800-53-Revision-5": [
          "cm_2_a",
          "cm_2_b",
          "cm_2_b_1",
          "cm_2_b_2",
          "cm_2_b_3",
          "cm_2_2",
          "cm_3_3",
          "cm_8_6"
        ],
        "CISA": [
          "your-systems-1"
        ],
        "FFIEC": [
          "d1-g-it-b-1"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.2"
        ],
        "ISO27001-2022": [
          "A.8.10"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EC2.4"
        ],
        "NIST-800-53-Revision-4": [
          "cm_2"
        ],
        "NIST-CSF-1.1": [
          "ds_7",
          "ip_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "cm-2"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-a"
        ],
        "NIST-800-171-Revision-2": [
          "3_4_1",
          "3_4_2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** are evaluated for age while in `running` state. Instances launched beyond the configurable limit (`max_ec2_instance_age_in_days`, default `180`) are flagged as older than the allowed lifetime. Stopped instances are ignored.",
      "title": "EC2 instance is not older than the configured maximum age or is not running",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Patch Management"
      ],
      "uid": "prowler-aws-ec2_instance_older_than_specific_days-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Adopt **short-lived, patched workloads**:\n- Rebuild regularly from hardened, updated images; rotate AMIs\n- Use centralized patch management and vulnerability scanning\n- Retire or modernize legacy hosts; tag for lifecycle\n- Apply **least privilege** and **defense in depth** to limit blast radius\n\nAdjust `max_ec2_instance_age_in_days` to match policy.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_older_than_specific_days"
      ]
    },
    "risk_details": "Long-lived instances often run **unpatched OS and agents**, enabling:\n- Exploitation of known CVEs → loss of confidentiality\n- Privilege escalation and tampering → integrity compromise\n- Malware/crypto-mining and instability → reduced availability\n\nAged hosts also drift from baselines and impede response.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-076e34b1bed03e4eb does not have Cassandra ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_cassandra_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-076e34b1bed03e4eb does not have Cassandra ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000127020-ensure-security-groups-do-not-allow-unrestricted-ingress-access-to-cassandra-ports-7199-or-9160-or-88"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** have **Cassandra service ports** (`7000`, `7001`, `7199`, `9042`, `9160`) reachable from the Internet through security group ingress.\n\nPublic IP presence and subnet exposure are considered to assess external reachability.",
      "title": "EC2 instance does not have Cassandra ports (TCP 7000, 7001, 7199, 9042, 9160) open to the Internet",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "TTPs/Initial Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_cassandra_exposed_to_internet-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege network access**:\n- Remove `0.0.0.0/0` and `::/0` to Cassandra ports\n- Allow only trusted subnets or VPN/bastion\n- Keep nodes in private subnets; segment inter-node traffic\n- Enforce **authentication** and **TLS/mTLS** for clients and JMX\n- Add **defense in depth** with NACLs and monitoring",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_cassandra_exposed_to_internet"
      ]
    },
    "risk_details": "Internet-exposed Cassandra enables unauthorized queries on `9042`, remote management via `7199` (JMX), and tampering with inter-node channels on `7000/7001` and `9160`.\n\nAttackers can read/modify data (**confidentiality, integrity**), disrupt or take over the cluster (**availability**), and pivot within the VPC.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-0dfacf8d3e903db17 does not have Cassandra ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_cassandra_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-0dfacf8d3e903db17 does not have Cassandra ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000127020-ensure-security-groups-do-not-allow-unrestricted-ingress-access-to-cassandra-ports-7199-or-9160-or-88"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** have **Cassandra service ports** (`7000`, `7001`, `7199`, `9042`, `9160`) reachable from the Internet through security group ingress.\n\nPublic IP presence and subnet exposure are considered to assess external reachability.",
      "title": "EC2 instance does not have Cassandra ports (TCP 7000, 7001, 7199, 9042, 9160) open to the Internet",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "TTPs/Initial Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_cassandra_exposed_to_internet-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege network access**:\n- Remove `0.0.0.0/0` and `::/0` to Cassandra ports\n- Allow only trusted subnets or VPN/bastion\n- Keep nodes in private subnets; segment inter-node traffic\n- Enforce **authentication** and **TLS/mTLS** for clients and JMX\n- Add **defense in depth** with NACLs and monitoring",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_cassandra_exposed_to_internet"
      ]
    },
    "risk_details": "Internet-exposed Cassandra enables unauthorized queries on `9042`, remote management via `7199` (JMX), and tampering with inter-node channels on `7000/7001` and `9160`.\n\nAttackers can read/modify data (**confidentiality, integrity**), disrupt or take over the cluster (**availability**), and pivot within the VPC.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-076e34b1bed03e4eb does not have CIFS ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_cifs_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-076e34b1bed03e4eb does not have CIFS ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-cifs-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "CIS-6.0": [
          "6.1.2"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "CIS-4.0.1": [
          "5.1.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "CIS-5.0": [
          "5.1.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security groups permitting **inbound** TCP `139` or `445` (**CIFS/SMB**) from `0.0.0.0/0` are identified.\n\nExposure level reflects whether the instance has a **public IP** and the subnet's Internet reachability.",
      "title": "EC2 instance does not allow Internet ingress to TCP ports 139 or 445 (CIFS)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_cifs_exposed_to_internet-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Restrict **CIFS/SMB** to trusted internal sources using **least privilege**; do not allow `0.0.0.0/0`.\n\nAdopt **defense in depth**: place hosts in private subnets, require **VPN** or controlled jump paths, and enforce **segmentation**. Disable SMB if unnecessary or use alternatives (e.g., SFTP). Require strong auth and SMB signing.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_cifs_exposed_to_internet"
      ]
    },
    "risk_details": "Publicly reachable **SMB** allows unauthorized access and **remote code execution**, enabling credential theft, NTLM relay, and share enumeration. Attackers can exfiltrate files, tamper or delete data, and spread **ransomware**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-0dfacf8d3e903db17 does not have CIFS ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_cifs_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-0dfacf8d3e903db17 does not have CIFS ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-cifs-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "CIS-6.0": [
          "6.1.2"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "CIS-4.0.1": [
          "5.1.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "CIS-5.0": [
          "5.1.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security groups permitting **inbound** TCP `139` or `445` (**CIFS/SMB**) from `0.0.0.0/0` are identified.\n\nExposure level reflects whether the instance has a **public IP** and the subnet's Internet reachability.",
      "title": "EC2 instance does not allow Internet ingress to TCP ports 139 or 445 (CIFS)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_cifs_exposed_to_internet-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Restrict **CIFS/SMB** to trusted internal sources using **least privilege**; do not allow `0.0.0.0/0`.\n\nAdopt **defense in depth**: place hosts in private subnets, require **VPN** or controlled jump paths, and enforce **segmentation**. Disable SMB if unnecessary or use alternatives (e.g., SFTP). Require strong auth and SMB signing.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_cifs_exposed_to_internet"
      ]
    },
    "risk_details": "Publicly reachable **SMB** allows unauthorized access and **remote code execution**, enabling credential theft, NTLM relay, and share enumeration. Attackers can exfiltrate files, tamper or delete data, and spread **ransomware**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-076e34b1bed03e4eb does not have Elasticsearch/Kibana ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_elasticsearch_kibana_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-076e34b1bed03e4eb does not have Elasticsearch/Kibana ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000233821-ensure-no-ec2-instances-allow-ingress-from-the-internet-to-elasticsearch-and-kibana-ports-tcp-9200-"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.6.3",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.6.3",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with **Elasticsearch/Kibana ports** (`9200`, `9300`, `5601`) exposed to the Internet through inbound security group rules.\n\nAssesses reachability considering instance public IP and subnet to reflect real exposure.",
      "title": "EC2 instance does not allow ingress from the Internet to Elasticsearch and Kibana ports (TCP 9200, 9300, 5601)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_elasticsearch_kibana_exposed_to_internet-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** to network exposure:\n- Restrict `9200`, `9300`, `5601` to trusted sources or keep them private\n- Use **private subnets**, **VPN/peering**, or **bastion/SSM** for admin access\n- Enforce **authentication** and **TLS** on Elasticsearch/Kibana\n- Avoid public IPs unless strictly required",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_elasticsearch_kibana_exposed_to_internet"
      ]
    },
    "risk_details": "Public access to Elasticsearch/Kibana can lead to:\n- Unauthorized queries or dashboard viewing → confidentiality loss\n- Index changes or cluster control via `9300` → integrity impact\n- Scans and bulk queries → availability degradation\n\nEnables data exfiltration and lateral movement.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-0dfacf8d3e903db17 does not have Elasticsearch/Kibana ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_elasticsearch_kibana_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-0dfacf8d3e903db17 does not have Elasticsearch/Kibana ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000233821-ensure-no-ec2-instances-allow-ingress-from-the-internet-to-elasticsearch-and-kibana-ports-tcp-9200-"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.6.3",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.6.3",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with **Elasticsearch/Kibana ports** (`9200`, `9300`, `5601`) exposed to the Internet through inbound security group rules.\n\nAssesses reachability considering instance public IP and subnet to reflect real exposure.",
      "title": "EC2 instance does not allow ingress from the Internet to Elasticsearch and Kibana ports (TCP 9200, 9300, 5601)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_elasticsearch_kibana_exposed_to_internet-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** to network exposure:\n- Restrict `9200`, `9300`, `5601` to trusted sources or keep them private\n- Use **private subnets**, **VPN/peering**, or **bastion/SSM** for admin access\n- Enforce **authentication** and **TLS** on Elasticsearch/Kibana\n- Avoid public IPs unless strictly required",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_elasticsearch_kibana_exposed_to_internet"
      ]
    },
    "risk_details": "Public access to Elasticsearch/Kibana can lead to:\n- Unauthorized queries or dashboard viewing → confidentiality loss\n- Index changes or cluster control via `9300` → integrity impact\n- Scans and bulk queries → availability degradation\n\nEnables data exfiltration and lateral movement.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-076e34b1bed03e4eb does not have FTP ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_ftp_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-076e34b1bed03e4eb does not have FTP ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-ftp-access.html",
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security groups permitting inbound **FTP** on `TCP 20-21` from any address (e.g., `0.0.0.0/0` or `::/0`) are identified.\n\nExposure is contextualized by the instance's public reachability (public IP and subnet).",
      "title": "EC2 instance does not allow ingress from the Internet to TCP ports 20 or 21 (FTP)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_ftp_exposed_to_internet-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Deny public ingress to **FTP** ports `20-21` following **least privilege**. Prefer **SFTP** or **FTPS**; if transfers are required, restrict to trusted sources and use private access (VPN or dedicated network). Apply **defense in depth** with tightened security groups and network ACLs, and monitor authentication and access.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_ftp_exposed_to_internet"
      ]
    },
    "risk_details": "Exposed **FTP** invites Internet brute force and transmits in cleartext, enabling credential theft and packet sniffing (**confidentiality**).\n\nAttackers can upload/alter files (**integrity**) and abuse services for malware staging or DoS (**availability**). Publicly reachable hosts are rapidly probed by scanners.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-0dfacf8d3e903db17 does not have FTP ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_ftp_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-0dfacf8d3e903db17 does not have FTP ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-ftp-access.html",
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security groups permitting inbound **FTP** on `TCP 20-21` from any address (e.g., `0.0.0.0/0` or `::/0`) are identified.\n\nExposure is contextualized by the instance's public reachability (public IP and subnet).",
      "title": "EC2 instance does not allow ingress from the Internet to TCP ports 20 or 21 (FTP)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_ftp_exposed_to_internet-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Deny public ingress to **FTP** ports `20-21` following **least privilege**. Prefer **SFTP** or **FTPS**; if transfers are required, restrict to trusted sources and use private access (VPN or dedicated network). Apply **defense in depth** with tightened security groups and network ACLs, and monitor authentication and access.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_ftp_exposed_to_internet"
      ]
    },
    "risk_details": "Exposed **FTP** invites Internet brute force and transmits in cleartext, enabling credential theft and packet sniffing (**confidentiality**).\n\nAttackers can upload/alter files (**integrity**) and abuse services for malware staging or DoS (**availability**). Publicly reachable hosts are rapidly probed by scanners.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-076e34b1bed03e4eb does not have Kafka port 9092 open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_kafka_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-076e34b1bed03e4eb does not have Kafka port 9092 open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000233794-ensure-no-ec2-instances-allow-ingress-from-the-internet-to-tcp-port-9092-kafka-"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security group rules that allow inbound `TCP 9092` (Kafka) from the Internet are reported. The evaluation inspects ingress rules to detect broad sources (for example `0.0.0.0/0` or `::/0`) that expose Kafka brokers.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP port 9092 (Kafka)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_kafka_exposed_to_internet-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege**: restrict `TCP 9092` to trusted networks, not `0.0.0.0/0` or `::/0`. Keep brokers in private subnets and use private connectivity (VPN/peering). Enforce **TLS** and authenticated clients with granular ACLs, and add **defense in depth** via NACLs or proxies.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_kafka_exposed_to_internet"
      ]
    },
    "risk_details": "Public Kafka access undermines CIA: adversaries can read topics and metadata (**confidentiality**), publish or alter events (**integrity**), and overwhelm brokers (**availability**). Exposure also eases reconnaissance and lateral movement from the broker host.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-0dfacf8d3e903db17 does not have Kafka port 9092 open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_kafka_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-0dfacf8d3e903db17 does not have Kafka port 9092 open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000233794-ensure-no-ec2-instances-allow-ingress-from-the-internet-to-tcp-port-9092-kafka-"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security group rules that allow inbound `TCP 9092` (Kafka) from the Internet are reported. The evaluation inspects ingress rules to detect broad sources (for example `0.0.0.0/0` or `::/0`) that expose Kafka brokers.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP port 9092 (Kafka)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_kafka_exposed_to_internet-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege**: restrict `TCP 9092` to trusted networks, not `0.0.0.0/0` or `::/0`. Keep brokers in private subnets and use private connectivity (VPN/peering). Enforce **TLS** and authenticated clients with granular ACLs, and add **defense in depth** via NACLs or proxies.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_kafka_exposed_to_internet"
      ]
    },
    "risk_details": "Public Kafka access undermines CIA: adversaries can read topics and metadata (**confidentiality**), publish or alter events (**integrity**), and overwhelm brokers (**availability**). Exposure also eases reconnaissance and lateral movement from the broker host.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-076e34b1bed03e4eb does not have Kerberos ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_kerberos_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-076e34b1bed03e4eb does not have Kerberos ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000233825-ensure-no-ec2-instances-allow-ingress-from-the-internet-to-tcp-port-88-464-749-or-750-kerberos-"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** whose security groups allow public **inbound TCP** access to Kerberos ports `88`, `464`, `749`, or `750` (authentication, password change, admin).\n\nRules permitting `0.0.0.0/0` or `::/0` are treated as Internet-exposed.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP ports 88, 464, 749, or 750 (Kerberos)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-ec2_instance_port_kerberos_exposed_to_internet-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Restrict Kerberos ports to trusted sources only.\n- Prefer **private connectivity** (VPN, peering) over public exposure\n- Place KDCs/services in private subnets without public IPs\n- Apply **least privilege** with narrowly scoped security group rules and NACLs\n- Add defense-in-depth: host firewalls and monitor authentication activity",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_kerberos_exposed_to_internet"
      ]
    },
    "risk_details": "Public Kerberos exposure risks CIA:\n- **Password spraying**/AS-REP roasting against accounts\n- Unauthorized password changes on `464`\n- Realm/user enumeration and DoS of KDC/services\n\nStolen tickets enable **lateral movement** and privilege escalation in Active Directory or the Kerberos realm.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-0dfacf8d3e903db17 does not have Kerberos ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_kerberos_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-0dfacf8d3e903db17 does not have Kerberos ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000233825-ensure-no-ec2-instances-allow-ingress-from-the-internet-to-tcp-port-88-464-749-or-750-kerberos-"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** whose security groups allow public **inbound TCP** access to Kerberos ports `88`, `464`, `749`, or `750` (authentication, password change, admin).\n\nRules permitting `0.0.0.0/0` or `::/0` are treated as Internet-exposed.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP ports 88, 464, 749, or 750 (Kerberos)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-ec2_instance_port_kerberos_exposed_to_internet-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Restrict Kerberos ports to trusted sources only.\n- Prefer **private connectivity** (VPN, peering) over public exposure\n- Place KDCs/services in private subnets without public IPs\n- Apply **least privilege** with narrowly scoped security group rules and NACLs\n- Add defense-in-depth: host firewalls and monitor authentication activity",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_kerberos_exposed_to_internet"
      ]
    },
    "risk_details": "Public Kerberos exposure risks CIA:\n- **Password spraying**/AS-REP roasting against accounts\n- Unauthorized password changes on `464`\n- Realm/user enumeration and DoS of KDC/services\n\nStolen tickets enable **lateral movement** and privilege escalation in Active Directory or the Kerberos realm.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-076e34b1bed03e4eb does not have LDAP ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_ldap_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-076e34b1bed03e4eb does not have LDAP ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security groups permitting Internet-sourced access to **LDAP** on `TCP 389` or **LDAPS** on `TCP 636` are identified.\n\nPublic exposure context (presence of public IP and subnet reachability) is considered to gauge how broadly these ports can be accessed.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP ports 389 or 636 (LDAP/LDAPS)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-ec2_instance_port_ldap_exposed_to_internet-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Limit LDAP to trusted networks:\n- Allowlist specific source CIDRs in security groups (*least privilege*)\n- Use **private connectivity** (peering/VPN) instead of Internet\n- Require **LDAPS**, strong certificates, and disable insecure binds\n- Add NACLs and monitoring for defense in depth\n\n*If external access is required*, place a proxy and enforce rate limits.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_ldap_exposed_to_internet"
      ]
    },
    "risk_details": "Publicly reachable **LDAP/LDAPS** enables:\n- Directory enumeration and weak/anonymous bind attempts\n- **Password spraying** and credential theft (cleartext on `389`)\n- Unauthorized queries causing **data exfiltration**\n\nAbuse may lead to **privilege escalation** and availability impact via account lockouts.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-0dfacf8d3e903db17 does not have LDAP ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_ldap_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-0dfacf8d3e903db17 does not have LDAP ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security groups permitting Internet-sourced access to **LDAP** on `TCP 389` or **LDAPS** on `TCP 636` are identified.\n\nPublic exposure context (presence of public IP and subnet reachability) is considered to gauge how broadly these ports can be accessed.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP ports 389 or 636 (LDAP/LDAPS)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-ec2_instance_port_ldap_exposed_to_internet-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Limit LDAP to trusted networks:\n- Allowlist specific source CIDRs in security groups (*least privilege*)\n- Use **private connectivity** (peering/VPN) instead of Internet\n- Require **LDAPS**, strong certificates, and disable insecure binds\n- Add NACLs and monitoring for defense in depth\n\n*If external access is required*, place a proxy and enforce rate limits.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_ldap_exposed_to_internet"
      ]
    },
    "risk_details": "Publicly reachable **LDAP/LDAPS** enables:\n- Directory enumeration and weak/anonymous bind attempts\n- **Password spraying** and credential theft (cleartext on `389`)\n- Unauthorized queries causing **data exfiltration**\n\nAbuse may lead to **privilege escalation** and availability impact via account lockouts.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-076e34b1bed03e4eb does not have Memcached port 11211 open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_memcached_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-076e34b1bed03e4eb does not have Memcached port 11211 open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000127021-ensure-security-groups-do-not-allow-unrestricted-ingress-access-to-memcached-port-11211"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** are evaluated for **open Memcached access**: inbound `TCP 11211` allowed from any address (`0.0.0.0/0` or `::/0`) via their security groups, considering the instance's public exposure.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP port 11211 (Memcached)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "TTPs/Initial Access"
      ],
      "uid": "prowler-aws-ec2_instance_port_memcached_exposed_to_internet-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** on network access:\n- Restrict `TCP 11211` to trusted sources or internal subnets only\n- Place instances in private subnets; avoid public IPs\n- Layer **defense in depth** with NACLs and routing to block Internet paths\n- Prefer private connectivity (peering/VPN) and implement service-level authentication where available",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_memcached_exposed_to_internet"
      ]
    },
    "risk_details": "Internet-exposed **Memcached** weakens:\n- **Availability**: abuse for reflection/amplification and resource exhaustion\n- **Confidentiality**: unauthorized reads of cached objects and metadata\n- **Integrity**: manipulation of cache entries influencing app behavior\n\nPublic reachability also aids reconnaissance and lateral movement.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-0dfacf8d3e903db17 does not have Memcached port 11211 open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_memcached_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-0dfacf8d3e903db17 does not have Memcached port 11211 open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000127021-ensure-security-groups-do-not-allow-unrestricted-ingress-access-to-memcached-port-11211"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** are evaluated for **open Memcached access**: inbound `TCP 11211` allowed from any address (`0.0.0.0/0` or `::/0`) via their security groups, considering the instance's public exposure.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP port 11211 (Memcached)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "TTPs/Initial Access"
      ],
      "uid": "prowler-aws-ec2_instance_port_memcached_exposed_to_internet-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** on network access:\n- Restrict `TCP 11211` to trusted sources or internal subnets only\n- Place instances in private subnets; avoid public IPs\n- Layer **defense in depth** with NACLs and routing to block Internet paths\n- Prefer private connectivity (peering/VPN) and implement service-level authentication where available",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_memcached_exposed_to_internet"
      ]
    },
    "risk_details": "Internet-exposed **Memcached** weakens:\n- **Availability**: abuse for reflection/amplification and resource exhaustion\n- **Confidentiality**: unauthorized reads of cached objects and metadata\n- **Integrity**: manipulation of cache entries influencing app behavior\n\nPublic reachability also aids reconnaissance and lateral movement.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-076e34b1bed03e4eb does not have MongoDB ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_mongodb_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-076e34b1bed03e4eb does not have MongoDB ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000233752-ensure-no-ec2-instances-allow-ingress-from-the-internet-to-tcp-port-27017-or-27018-mongodb-"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security groups permitting inbound `TCP 27017` or `27018` (MongoDB) from `0.0.0.0/0` or `::/0` are identified, factoring the instance's public reachability to gauge exposure.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP ports 27017 or 27018 (MongoDB)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_mongodb_exposed_to_internet-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** to MongoDB access:\n- Remove Internet-wide rules; allow only trusted sources\n- Keep DBs on **private subnets** without public IPs; use private connectivity or proxies\n- Enforce strong auth and **TLS**\n- Add segmentation and monitoring for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_mongodb_exposed_to_internet"
      ]
    },
    "risk_details": "Internet-exposed MongoDB invites scanning, brute force, and exploits leading to:\n- Data extraction (**confidentiality**)\n- Collection tampering or deletion (**integrity**)\n- DoS or ransomware disruptions (**availability**)\nA compromised DB host can also enable lateral movement within the environment.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-0dfacf8d3e903db17 does not have MongoDB ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_mongodb_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-0dfacf8d3e903db17 does not have MongoDB ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000233752-ensure-no-ec2-instances-allow-ingress-from-the-internet-to-tcp-port-27017-or-27018-mongodb-"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security groups permitting inbound `TCP 27017` or `27018` (MongoDB) from `0.0.0.0/0` or `::/0` are identified, factoring the instance's public reachability to gauge exposure.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP ports 27017 or 27018 (MongoDB)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_mongodb_exposed_to_internet-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** to MongoDB access:\n- Remove Internet-wide rules; allow only trusted sources\n- Keep DBs on **private subnets** without public IPs; use private connectivity or proxies\n- Enforce strong auth and **TLS**\n- Add segmentation and monitoring for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_mongodb_exposed_to_internet"
      ]
    },
    "risk_details": "Internet-exposed MongoDB invites scanning, brute force, and exploits leading to:\n- Data extraction (**confidentiality**)\n- Collection tampering or deletion (**integrity**)\n- DoS or ransomware disruptions (**availability**)\nA compromised DB host can also enable lateral movement within the environment.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-076e34b1bed03e4eb does not have MySQL port 3306 open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_mysql_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-076e34b1bed03e4eb does not have MySQL port 3306 open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-mysql-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security groups that expose **MySQL** on `TCP 3306` to the Internet (`0.0.0.0/0` or `::/0`) are identified, with context on public IP and subnet exposure.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP port 3306 (MySQL)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_mysql_exposed_to_internet-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Restrict `TCP 3306` to trusted sources per **least privilege**:\n- Allow DB access only from specific application subnets or security groups\n- Place database hosts in private subnets without public IPs\n- Apply **defense in depth** with VPN/peering for admin access, TLS for connections, and host firewalls; optionally reinforce with NACLs",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_mysql_exposed_to_internet"
      ]
    },
    "risk_details": "Publicly reachable **MySQL** enables Internet scanning, brute force, and credential stuffing, leading to unauthorized queries and data dumps (**confidentiality**). Attackers can alter or delete data (**integrity**), overload the service with query floods (**availability**), and pivot from the DB host into adjacent workloads.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-0dfacf8d3e903db17 does not have MySQL port 3306 open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_mysql_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-0dfacf8d3e903db17 does not have MySQL port 3306 open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-mysql-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security groups that expose **MySQL** on `TCP 3306` to the Internet (`0.0.0.0/0` or `::/0`) are identified, with context on public IP and subnet exposure.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP port 3306 (MySQL)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_mysql_exposed_to_internet-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Restrict `TCP 3306` to trusted sources per **least privilege**:\n- Allow DB access only from specific application subnets or security groups\n- Place database hosts in private subnets without public IPs\n- Apply **defense in depth** with VPN/peering for admin access, TLS for connections, and host firewalls; optionally reinforce with NACLs",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_mysql_exposed_to_internet"
      ]
    },
    "risk_details": "Publicly reachable **MySQL** enables Internet scanning, brute force, and credential stuffing, leading to unauthorized queries and data dumps (**confidentiality**). Attackers can alter or delete data (**integrity**), overload the service with query floods (**availability**), and pivot from the DB host into adjacent workloads.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-076e34b1bed03e4eb does not have Oracle ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_oracle_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-076e34b1bed03e4eb does not have Oracle ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-oracle-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security groups allowing inbound `TCP` from any address to Oracle listener ports `1521`, `2483`, or `2484` are identified.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP ports 1521, 2483, or 2484 (Oracle)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_oracle_exposed_to_internet-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Restrict Oracle ports to trusted sources; remove `0.0.0.0/0` and `::/0`. Place databases in private subnets without public IPs. Use VPN/Direct Connect or bastions for access. Enable TLS on `2484`, strong auth, and apply **least privilege** rules with **defense in depth** using NACLs and monitoring.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_oracle_exposed_to_internet"
      ]
    },
    "risk_details": "Exposed Oracle listener ports enable SID enumeration, credential brute force, and TNS abuse. A successful intrusion can grant database access, causing data exfiltration (**confidentiality**), unauthorized changes (**integrity**), and outages via exploits or DoS (**availability**). Internet scanning quickly finds these endpoints, enlarging the attack surface.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-0dfacf8d3e903db17 does not have Oracle ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_oracle_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-0dfacf8d3e903db17 does not have Oracle ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-oracle-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security groups allowing inbound `TCP` from any address to Oracle listener ports `1521`, `2483`, or `2484` are identified.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP ports 1521, 2483, or 2484 (Oracle)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_oracle_exposed_to_internet-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Restrict Oracle ports to trusted sources; remove `0.0.0.0/0` and `::/0`. Place databases in private subnets without public IPs. Use VPN/Direct Connect or bastions for access. Enable TLS on `2484`, enforce strong authentication, and apply **least privilege** rules with **defense in depth** using NACLs and monitoring.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_oracle_exposed_to_internet"
      ]
    },
    "risk_details": "Exposed Oracle listener ports enable SID enumeration, credential brute force, and TNS abuse. A successful intrusion can grant database access, causing data exfiltration (confidentiality), unauthorized changes (integrity), and outages via exploits or DoS (availability). Internet scanning quickly finds these endpoints, enlarging the attack surface.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-076e34b1bed03e4eb does not have PostgreSQL port 5432 open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_postgresql_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-076e34b1bed03e4eb does not have PostgreSQL port 5432 open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-postgresql-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security group rules allowing inbound **PostgreSQL** on `TCP 5432` from the Internet (`0.0.0.0/0` or `::/0`) are identified, considering the instance's public reachability via IP and subnet.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP port 5432 (PostgreSQL)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_postgresql_exposed_to_internet-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Restrict PostgreSQL to trusted sources only:\n- Remove `0.0.0.0/0` and `::/0` rules\n- Apply **least privilege** security groups (allow from app tier or VPN)\n- Place instances in private subnets without public IPs\n- Enforce **TLS** and strong auth; disable unused listeners\n- Layer with NACLs and monitoring for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_postgresql_exposed_to_internet"
      ]
    },
    "risk_details": "Exposed `TCP 5432` enables unauthenticated Internet probes and **brute-force** attempts against PostgreSQL, risking database **confidentiality**, **integrity**, and **availability**. Attackers could dump data, alter schemas, create backdoor accounts, pivot within the VPC, or exploit unpatched flaws at scale.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-0dfacf8d3e903db17 does not have PostgreSQL port 5432 open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_postgresql_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-0dfacf8d3e903db17 does not have PostgreSQL port 5432 open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-postgresql-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security group rules allowing inbound **PostgreSQL** on `TCP 5432` from the Internet (`0.0.0.0/0` or `::/0`) are identified, considering the instance's public reachability via IP and subnet.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP port 5432 (PostgreSQL)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_postgresql_exposed_to_internet-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Restrict PostgreSQL to trusted sources only:\n- Remove `0.0.0.0/0` and `::/0` rules\n- Apply **least privilege** security groups (allow from app tier or VPN)\n- Place instances in private subnets without public IPs\n- Enforce **TLS** and strong auth; disable unused listeners\n- Layer with NACLs and monitoring for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_postgresql_exposed_to_internet"
      ]
    },
    "risk_details": "Exposed `TCP 5432` enables unauthenticated Internet probes and **brute-force** attempts against PostgreSQL, risking database **confidentiality**, **integrity**, and **availability**. Attackers could dump data, alter schemas, create backdoor accounts, pivot within the VPC, or exploit unpatched flaws at scale.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-076e34b1bed03e4eb does not have RDP port 3389 open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_rdp_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-076e34b1bed03e4eb does not have RDP port 3389 open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000233789-ensure-no-ec2-instances-allow-ingress-from-the-internet-to-tcp-port-3389-rdp-",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-rdp-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "NIST-CSF-2.0": [
          "ac_3"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** whose security groups allow Internet-wide inbound **RDP** on `TCP 3389` (`0.0.0.0/0` or `::/0`). The instance's public IP and subnet routing are considered to determine external reachability.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP port 3389 (RDP)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access/External Remote Services"
      ],
      "uid": "prowler-aws-ec2_instance_port_rdp_exposed_to_internet-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Remove Internet-wide RDP. Apply **least privilege**:\n- Restrict `TCP 3389` to trusted IPs\n- Prefer private access via **VPN** or a hardened **bastion**; consider **Session Manager**\n- Use **just-in-time** access and short-lived rules\n- Enforce strong auth (e.g., NLA) and monitor logs\nAdopt **defense in depth** with layered network controls.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_rdp_exposed_to_internet"
      ]
    },
    "risk_details": "Internet-exposed **RDP** allows:\n- **Brute force** and credential reuse on Windows logons\n- Exploitation of RDP flaws for remote code execution\n- **Lateral movement** and data exfiltration\nThis threatens **confidentiality**, **integrity**, and **availability** through data theft, tampering, account lockouts, or ransomware.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-0dfacf8d3e903db17 does not have RDP port 3389 open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_rdp_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-0dfacf8d3e903db17 does not have RDP port 3389 open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000233789-ensure-no-ec2-instances-allow-ingress-from-the-internet-to-tcp-port-3389-rdp-",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-rdp-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "NIST-CSF-2.0": [
          "ac_3"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** whose security groups allow Internet-wide inbound **RDP** on `TCP 3389` (`0.0.0.0/0` or `::/0`). The instance's public IP and subnet routing are considered to determine external reachability.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP port 3389 (RDP)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access/External Remote Services"
      ],
      "uid": "prowler-aws-ec2_instance_port_rdp_exposed_to_internet-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Remove Internet-wide RDP. Apply **least privilege**:\n- Restrict `TCP 3389` to trusted IPs\n- Prefer private access via **VPN** or a hardened **bastion**; consider **Session Manager**\n- Use **just-in-time** access and short-lived rules\n- Enforce strong auth (e.g., NLA) and monitor logs\nAdopt **defense in depth** with layered network controls.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_rdp_exposed_to_internet"
      ]
    },
    "risk_details": "Internet-exposed **RDP** allows:\n- **Brute force** and credential reuse on Windows logons\n- Exploitation of RDP flaws for remote code execution\n- **Lateral movement** and data exfiltration\nThis threatens **confidentiality**, **integrity**, and **availability** through data theft, tampering, account lockouts, or ransomware.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-076e34b1bed03e4eb does not have Redis port 6379 open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_redis_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-076e34b1bed03e4eb does not have Redis port 6379 open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000233806-ensure-no-ec2-instances-allow-ingress-from-the-internet-to-tcp-port-6379-redis-",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-redis-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security groups permitting Internet access to **Redis** on `TCP 6379` are identified.\n\nExposure is assessed using public IP assignment and subnet reachability to reflect how broadly the service can be contacted.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP port 6379 (Redis)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_redis_exposed_to_internet-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** network access: restrict Redis to trusted sources or VPC-only, place instances in private subnets, and avoid public IPs.\n\nLayer controls with **NACLs** and host firewalls, enforce **authentication and TLS** on Redis, and use **VPN/bastion** or proxies to broker access.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_redis_exposed_to_internet"
      ]
    },
    "risk_details": "Exposed **Redis** allows remote access to cached data and secrets, reducing **confidentiality**. Unauthorized commands (`SET`, `DEL`, `FLUSHALL`, config changes) can corrupt or erase data, harming **integrity**. Internet scanning and abuse can exhaust memory and disrupt service, degrading **availability** and enabling lateral movement.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-0dfacf8d3e903db17 does not have Redis port 6379 open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_redis_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-0dfacf8d3e903db17 does not have Redis port 6379 open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000233806-ensure-no-ec2-instances-allow-ingress-from-the-internet-to-tcp-port-6379-redis-",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-redis-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security groups permitting Internet access to **Redis** on `TCP 6379` are identified.\n\nExposure is assessed using public IP assignment and subnet reachability to reflect how broadly the service can be contacted.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP port 6379 (Redis)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-ec2_instance_port_redis_exposed_to_internet-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** network access: restrict Redis to trusted sources or VPC-only, place instances in private subnets, and avoid public IPs.\n\nLayer controls with **NACLs** and host firewalls, enforce **authentication and TLS** on Redis, and use **VPN/bastion** or proxies to broker access.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_redis_exposed_to_internet"
      ]
    },
    "risk_details": "Exposed **Redis** allows remote access to cached data and secrets, reducing **confidentiality**. Unauthorized commands (`SET`, `DEL`, `FLUSHALL`, config changes) can corrupt or erase data, harming **integrity**. Internet scanning and abuse can exhaust memory and disrupt service, degrading **availability** and enabling lateral movement.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-076e34b1bed03e4eb does not have SQL Server ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_sqlserver_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-076e34b1bed03e4eb does not have SQL Server ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000223371-ensure-no-security-groups-allow-ingress-from-0-0-0-0-0-or-0-to-windows-sql-server-ports-1433-or-14",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-mssql-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security groups permitting any source to `TCP 1433` or `1434` (SQL Server) are identified, considering the instance's public reachability based on IP and subnet exposure.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP ports 1433 or 1434 (SQL Server)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access"
      ],
      "uid": "prowler-aws-ec2_instance_port_sqlserver_exposed_to_internet-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enforce **least privilege** and **defense in depth**:\n- Remove inbound rules that allow `0.0.0.0/0` or `::/0` to TCP ports `1433-1434`\n- Allow only trusted IPs or app tiers via security group references\n- Keep databases in private subnets without public IPs; access via VPN or bastion\n- Require TLS and strong authentication; monitor access.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_sqlserver_exposed_to_internet"
      ]
    },
    "risk_details": "Internet-reachable SQL services enable:\n- Brute-force and credential-stuffing of DB logins\n- Exploitation of SQL Server flaws for remote code execution\n- Unauthorized queries and data exfiltration\nThis threatens **confidentiality** and **integrity**, and facilitates **lateral movement** from the database host.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-0dfacf8d3e903db17 does not have SQL Server ports open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_sqlserver_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-0dfacf8d3e903db17 does not have SQL Server ports open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://support.icompaas.com/support/solutions/articles/62000223371-ensure-no-security-groups-allow-ingress-from-0-0-0-0-0-or-0-to-windows-sql-server-ports-1433-or-14",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-mssql-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.4",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with security groups permitting any source to `TCP 1433` or `1434` (SQL Server) are identified, considering the instance's public reachability based on IP and subnet exposure.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP ports 1433 or 1434 (SQL Server)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access"
      ],
      "uid": "prowler-aws-ec2_instance_port_sqlserver_exposed_to_internet-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enforce **least privilege** and **defense in depth**:\n- Remove inbound rules that allow `0.0.0.0/0` or `::/0` to TCP ports `1433-1434`\n- Allow only trusted IPs or app tiers via security group references\n- Keep databases in private subnets without public IPs; access via VPN or bastion\n- Require TLS and strong authentication; monitor access.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_sqlserver_exposed_to_internet"
      ]
    },
    "risk_details": "Internet-reachable SQL services enable:\n- Brute-force and credential-stuffing of DB logins\n- Exploitation of SQL Server flaws for remote code execution\n- Unauthorized queries and data exfiltration\nThis threatens **confidentiality** and **integrity**, and facilitates **lateral movement** from the database host.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-076e34b1bed03e4eb does not have SSH port 22 open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_ssh_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-076e34b1bed03e4eb does not have SSH port 22 open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-ssh-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN01.AR02"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "NIST-CSF-2.0": [
          "ac_3"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with **SSH (TCP 22)** exposed to the Internet via security group inbound rules allowing `0.0.0.0/0` or `::/0` are identified.\n\nExposure is qualified using the instance's public IP status and subnet reachability.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP port 22 (SSH)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access/External Remote Services"
      ],
      "uid": "prowler-aws-ec2_instance_port_ssh_exposed_to_internet-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** on SSH:\n- Restrict ingress to trusted IPs; avoid `0.0.0.0/0` and `::/0`\n- Prefer **Session Manager** or a hardened **bastion** behind VPN\n- Use **key-based auth**; disable passwords\n- Add **defense in depth** with network controls and monitor access logs",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_ssh_exposed_to_internet"
      ]
    },
    "risk_details": "**Internet-exposed SSH** invites **brute force** and **credential stuffing**. A successful sign-in grants **remote shell**, enabling data exfiltration, tampering of workloads, and **lateral movement** within the VPC, degrading confidentiality, integrity, and availability.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-0dfacf8d3e903db17 does not have SSH port 22 open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_ssh_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-0dfacf8d3e903db17 does not have SSH port 22 open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-ssh-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN01.AR02"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "NIST-CSF-2.0": [
          "ac_3"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** with **SSH (TCP 22)** exposed to the Internet via security group inbound rules allowing `0.0.0.0/0` or `::/0` are identified.\n\nExposure is qualified using the instance's public IP status and subnet reachability.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP port 22 (SSH)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access/External Remote Services"
      ],
      "uid": "prowler-aws-ec2_instance_port_ssh_exposed_to_internet-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** on SSH:\n- Restrict ingress to trusted IPs; avoid `0.0.0.0/0` and `::/0`\n- Prefer **Session Manager** or a hardened **bastion** behind VPN\n- Use **key-based auth**; disable passwords\n- Add **defense in depth** with network controls and monitor access logs",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_ssh_exposed_to_internet"
      ]
    },
    "risk_details": "**Internet-exposed SSH** invites **brute force** and **credential stuffing**. A successful sign-in grants **remote shell**, enabling data exfiltration, tampering of workloads, and **lateral movement** within the VPC, degrading confidentiality, integrity, and availability.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-076e34b1bed03e4eb does not have Telnet port 23 open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_telnet_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-076e34b1bed03e4eb does not have Telnet port 23 open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-telnet-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "NIST-CSF-2.0": [
          "ac_3"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EC2 instances with security groups allowing inbound **Telnet** on `TCP 23` from the Internet are identified, including open IPv4/IPv6 sources like `0.0.0.0/0` and `::/0`.\n\nExposure is evaluated considering public IP assignment and subnet reachability.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP port 23 (Telnet)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-ec2_instance_port_telnet_exposed_to_internet-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Eliminate Telnet: disable the service and block `TCP 23`.\n\nApply **least privilege** network access: restrict admin connectivity via **SSH** through a bastion or **VPN**, keep management paths private, and segregate hosts. Use **defense in depth** with monitoring and strong authentication for any legacy needs.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_telnet_exposed_to_internet"
      ]
    },
    "risk_details": "Exposed **Telnet** weakens **confidentiality** and **integrity**: credentials and commands are plaintext, enabling interception and session hijacking. Attackers can brute-force to gain shell, run remote commands, exfiltrate data, and pivot laterally, also threatening **availability** through misuse or takeover.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Instance i-0dfacf8d3e903db17 does not have Telnet port 23 open to the Internet.",
    "metadata": {
      "event_code": "ec2_instance_port_telnet_exposed_to_internet",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Instance i-0dfacf8d3e903db17 does not have Telnet port 23 open to the Internet.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-telnet-access.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.g"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.6.2",
          "2.6.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_6_6"
        ],
        "C5-2025": [
          "PI-01.01AC"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "NIST-CSF-2.0": [
          "ac_3"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EC2 instances with security groups allowing inbound **Telnet** on `TCP 23` from the Internet are identified, including open IPv4/IPv6 sources like `0.0.0.0/0` and `::/0`.\n\nExposure is evaluated considering public IP assignment and subnet reachability.",
      "title": "EC2 instance does not allow ingress from the Internet to TCP port 23 (Telnet)",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-ec2_instance_port_telnet_exposed_to_internet-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Eliminate Telnet: disable the service and block `TCP 23`.\n\nApply **least privilege** network access: restrict admin connectivity via **SSH** through a bastion or **VPN**, keep management paths private, and segregate hosts. Use **defense in depth** with monitoring and strong authentication for any legacy needs.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_port_telnet_exposed_to_internet"
      ]
    },
    "risk_details": "Exposed **Telnet** weakens **confidentiality** and **integrity**: credentials and commands are plaintext, enabling interception and session hijacking. Attackers can brute-force to gain shell, run remote commands, exfiltrate data, and pivot laterally, also threatening **availability** through misuse or takeover.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EC2 Instance i-076e34b1bed03e4eb has no network interfaces attached.",
    "metadata": {
      "event_code": "ec2_instance_uses_single_eni",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EC2 Instance i-076e34b1bed03e4eb has no network interfaces attached.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#detach_eni",
        "https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-multiple-eni-check.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-17"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EC2.17"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** are evaluated for attached network adapters. The check identifies instances with more than one `ENI` (including `efa`, `interface`, or `trunk` types) and distinguishes those using a single adapter.",
      "title": "EC2 instance has no more than one Elastic Network Interface (ENI) attached",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
      ],
      "uid": "prowler-aws-ec2_instance_uses_single_eni-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Prefer a **single ENI per instance**.\n\nIf multi-homing is unavoidable:\n- Place ENIs in least-privilege subnets/SGs\n- Keep `source/destination check` enabled and routes explicit\n- Use gateways/LBs for NAT or ingress, not the host\n- Monitor flow logs and formally approve exceptions\n\nEmbed **defense in depth** and **zero trust**.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_uses_single_eni"
      ]
    },
    "risk_details": "**Multiple ENIs** create dual-homed hosts across subnets and security groups, enabling unintended routing and policy bypass. Adversaries can pivot between segments, use alternate egress for **data exfiltration**, or exploit asymmetric paths, undermining segmentation and **confidentiality/integrity** while complicating containment.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EC2 Instance i-0dfacf8d3e903db17 has no network interfaces attached.",
    "metadata": {
      "event_code": "ec2_instance_uses_single_eni",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EC2 Instance i-0dfacf8d3e903db17 has no network interfaces attached.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#detach_eni",
        "https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-multiple-eni-check.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-17"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EC2.17"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** are evaluated for attached network adapters. The check identifies instances with more than one `ENI` (including `efa`, `interface`, or `trunk` types) and distinguishes those using a single adapter.",
      "title": "EC2 instance has no more than one Elastic Network Interface (ENI) attached",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
      ],
      "uid": "prowler-aws-ec2_instance_uses_single_eni-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Prefer a **single ENI per instance**.\n\nIf multi-homing is unavoidable:\n- Place ENIs in least-privilege subnets/SGs\n- Keep `source/destination check` enabled and routes explicit\n- Use gateways/LBs for NAT or ingress, not the host\n- Monitor flow logs and formally approve exceptions\n\nEmbed **defense in depth** and **zero trust**.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_uses_single_eni"
      ]
    },
    "risk_details": "**Multiple ENIs** create dual-homed hosts across subnets and security groups, enabling unintended routing and policy bypass. Adversaries can pivot between segments, use alternate egress for **data exfiltration**, or exploit asymmetric paths, undermining segmentation and **confidentiality/integrity** while complicating containment.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EC2 Instance i-076e34b1bed03e4eb is not using an outdated AMI.",
    "metadata": {
      "event_code": "ec2_instance_with_outdated_ami",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EC2 Instance i-076e34b1bed03e4eb is not using an outdated AMI.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "vulnerabilities"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-deprecate.html",
        "https://repost.aws/knowledge-center/ec2-find-deprecated-ami"
      ],
      "notes": "",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** launched from **Amazon-owned AMIs** are evaluated for the AMI's `DeprecationTime`; instances tied to images with a deprecation date in the past are reported as using **deprecated AMIs**.",
      "title": "EC2 instance uses a non-deprecated Amazon AMI",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Patch Management",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-ec2_instance_with_outdated_ami-211203495394-us-east-1-i-076e34b1bed03e4eb"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-076e34b1bed03e4eb",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:50+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Name:cfi-vpc-test-resource",
          "CFITest:true",
          "ManagedBy:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "i-076e34b1bed03e4eb",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-076e34b1bed03e4eb"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Adopt **non-deprecated, maintained AMIs** and perform rolling replacements of affected instances. Standardize on hardened golden images with **regular AMI rotation** and `DeprecationTime` monitoring. Update launch templates/ASGs to reference current images. Automate patching via an image pipeline and apply **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_with_outdated_ami"
      ]
    },
    "risk_details": "Running on a **deprecated AMI** undermines security and availability:\n- Missing patches enable exploitation of known CVEs (confidentiality/integrity)\n- Unsupported components hinder hardening and forensics\n- AMI removal from catalogs complicates scale-out and recovery (availability)",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EC2 Instance i-0dfacf8d3e903db17 is not using an outdated AMI.",
    "metadata": {
      "event_code": "ec2_instance_with_outdated_ami",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EC2 Instance i-0dfacf8d3e903db17 is not using an outdated AMI.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "vulnerabilities"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-deprecate.html",
        "https://repost.aws/knowledge-center/ec2-find-deprecated-ami"
      ],
      "notes": "",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 instances** launched from **Amazon-owned AMIs** are evaluated for the AMI's `DeprecationTime`; instances tied to images with a deprecation date in the past are reported as using **deprecated AMIs**.",
      "title": "EC2 instance uses a non-deprecated Amazon AMI",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Patch Management",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-ec2_instance_with_outdated_ami-211203495394-us-east-1-i-0dfacf8d3e903db17"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "i-0dfacf8d3e903db17",
            "arn": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17",
            "state": "terminated",
            "region": "us-east-1",
            "type": "t3.micro",
            "image_id": "ami-09757e8c9b2ba5eef",
            "launch_time": "2026-04-13 01:30:47+00:00",
            "private_dns": "",
            "private_ip": null,
            "public_dns": "",
            "public_ip": null,
            "user_data": null,
            "http_tokens": "required",
            "http_endpoint": "enabled",
            "monitoring_state": "disabled",
            "security_groups": [],
            "subnet_id": "",
            "instance_profile": null,
            "network_interfaces": [],
            "virtualization_type": "hvm",
            "tags": [
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "ManagedBy",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFITest",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-vpc-test-resource"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIControlSet:CCC.VPC",
          "ManagedBy:CCC-CFI-Compliance",
          "CFITest:true",
          "Name:cfi-vpc-test-resource"
        ],
        "name": "i-0dfacf8d3e903db17",
        "type": "AwsEc2Instance",
        "uid": "arn:aws:ec2:us-east-1:211203495394:instance/i-0dfacf8d3e903db17"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Adopt **non-deprecated, maintained AMIs** and perform rolling replacements of affected instances. Standardize on hardened golden images with **regular AMI rotation** and `DeprecationTime` monitoring. Update launch templates/ASGs to reference current images. Automate patching via an image pipeline and apply **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/ec2_instance_with_outdated_ami"
      ]
    },
    "risk_details": "Running on a **deprecated AMI** undermines security and availability:\n- Missing patches enable exploitation of known CVEs (confidentiality/integrity)\n- Unsupported components hinder hardening and forensics\n- AMI removal from catalogs complicates scale-out and recovery (availability)",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security group default (sg-0dbbf61fb83e74952) was not created using the EC2 Launch Wizard.",
    "metadata": {
      "event_code": "ec2_securitygroup_from_launch_wizard",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Security group default (sg-0dbbf61fb83e74952) was not created using the EC2 Launch Wizard.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/security-group-prefixed-with-launch-wizard.html",
        "https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC05-BP03"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "ENS-RD2022": [
          "mp.com.1.aws.sg.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 security groups** whose names include `launch-wizard` are identified as created by the **EC2 Launch Wizard**, distinguishing auto-generated groups from curated, baseline-controlled groups.",
      "title": "Security group not created using the EC2 Launch Wizard",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
      ],
      "uid": "prowler-aws-ec2_securitygroup_from_launch_wizard-211203495394-us-east-1-sg-0dbbf61fb83e74952"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "default",
          "metadata": {
            "name": "default",
            "region": "us-east-1",
            "arn": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-0dbbf61fb83e74952",
            "id": "sg-0dbbf61fb83e74952",
            "vpc_id": "vpc-0232d940ac1e052fc",
            "associated_sgs": [],
            "network_interfaces": [],
            "ingress_rules": [],
            "egress_rules": [],
            "tags": [
              {
                "Key": "Project",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "Environment",
                "Value": "cfi-test"
              },
              {
                "Key": "Name",
                "Value": "cfi-1776044303-vpc-default"
              },
              {
                "Key": "Owner",
                "Value": "cfi-owner"
              },
              {
                "Key": "AutoCleanup",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "Terraform"
              },
              {
                "Key": "team",
                "Value": "cfi-team"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Project:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC",
          "Environment:cfi-test",
          "Name:cfi-1776044303-vpc-default",
          "Owner:cfi-owner",
          "AutoCleanup:true",
          "ManagedBy:Terraform",
          "team:cfi-team"
        ],
        "name": "sg-0dbbf61fb83e74952",
        "type": "AwsEc2SecurityGroup",
        "uid": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-0dbbf61fb83e74952"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Replace or harden these groups. Apply **least privilege**: restrict inbound to required sources, avoid public admin ports, and minimize egress. Use approved baseline security groups, enforce change control with IaC and guardrails, prefer private administration (bastion or Session Manager), and remove unused rules.",
      "references": [
        "https://hub.prowler.com/check/ec2_securitygroup_from_launch_wizard"
      ]
    },
    "risk_details": "Wizard-generated groups often include **overly permissive rules** (e.g., `0.0.0.0/0` to admin ports), expanding exposure. Attackers can run **port scans** and **brute-force** attacks to gain entry, then perform **lateral movement** and **data exfiltration**, impacting **confidentiality** and **integrity**; broad egress aids command-and-control.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security group default (sg-096af8e418ee6d2af) was not created using the EC2 Launch Wizard.",
    "metadata": {
      "event_code": "ec2_securitygroup_from_launch_wizard",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Security group default (sg-096af8e418ee6d2af) was not created using the EC2 Launch Wizard.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/security-group-prefixed-with-launch-wizard.html",
        "https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC05-BP03"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "ENS-RD2022": [
          "mp.com.1.aws.sg.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 security groups** whose names include `launch-wizard` are identified as created by the **EC2 Launch Wizard**, distinguishing auto-generated groups from curated, baseline-controlled groups.",
      "title": "Security group not created using the EC2 Launch Wizard",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
      ],
      "uid": "prowler-aws-ec2_securitygroup_from_launch_wizard-211203495394-us-east-1-sg-096af8e418ee6d2af"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "default",
          "metadata": {
            "name": "default",
            "region": "us-east-1",
            "arn": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-096af8e418ee6d2af",
            "id": "sg-096af8e418ee6d2af",
            "vpc_id": "vpc-030739f6bd57beef0",
            "associated_sgs": [
              "sg-096af8e418ee6d2af"
            ],
            "network_interfaces": [],
            "ingress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [
                  {
                    "UserId": "211203495394",
                    "GroupId": "sg-096af8e418ee6d2af"
                  }
                ],
                "IpRanges": [],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "egress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [],
                "IpRanges": [
                  {
                    "CidrIp": "0.0.0.0/0"
                  }
                ],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "tags": null
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [],
        "name": "sg-096af8e418ee6d2af",
        "type": "AwsEc2SecurityGroup",
        "uid": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-096af8e418ee6d2af"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Replace or harden these groups. Apply **least privilege**: restrict inbound to required sources, avoid public admin ports, and minimize egress. Use approved baseline security groups, enforce change control with IaC and guardrails, prefer private administration (bastion or Session Manager), and remove unused rules.",
      "references": [
        "https://hub.prowler.com/check/ec2_securitygroup_from_launch_wizard"
      ]
    },
    "risk_details": "Wizard-generated groups often include **overly permissive rules** (e.g., `0.0.0.0/0` to admin ports), expanding exposure. Attackers can run **port scans** and **brute-force** attacks to gain entry, then perform **lateral movement** and **data exfiltration**, impacting **confidentiality** and **integrity**; broad egress aids command-and-control.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security group default (sg-026bac641c7391683) was not created using the EC2 Launch Wizard.",
    "metadata": {
      "event_code": "ec2_securitygroup_from_launch_wizard",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Security group default (sg-026bac641c7391683) was not created using the EC2 Launch Wizard.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/security-group-prefixed-with-launch-wizard.html",
        "https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC05-BP03"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "ENS-RD2022": [
          "mp.com.1.aws.sg.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 security groups** whose names include `launch-wizard` are identified as created by the **EC2 Launch Wizard**, distinguishing auto-generated groups from curated, baseline-controlled groups.",
      "title": "Security group not created using the EC2 Launch Wizard",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
      ],
      "uid": "prowler-aws-ec2_securitygroup_from_launch_wizard-211203495394-us-east-1-sg-026bac641c7391683"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "default",
          "metadata": {
            "name": "default",
            "region": "us-east-1",
            "arn": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-026bac641c7391683",
            "id": "sg-026bac641c7391683",
            "vpc_id": "vpc-08678ebdbec637832",
            "associated_sgs": [
              "sg-026bac641c7391683"
            ],
            "network_interfaces": [],
            "ingress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [
                  {
                    "UserId": "211203495394",
                    "GroupId": "sg-026bac641c7391683"
                  }
                ],
                "IpRanges": [],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "egress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [],
                "IpRanges": [
                  {
                    "CidrIp": "0.0.0.0/0"
                  }
                ],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "tags": null
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [],
        "name": "sg-026bac641c7391683",
        "type": "AwsEc2SecurityGroup",
        "uid": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-026bac641c7391683"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Replace or harden these groups. Apply **least privilege**: restrict inbound to required sources, avoid public admin ports, and minimize egress. Use approved baseline security groups, enforce change control with IaC and guardrails, prefer private administration (bastion or Session Manager), and remove unused rules.",
      "references": [
        "https://hub.prowler.com/check/ec2_securitygroup_from_launch_wizard"
      ]
    },
    "risk_details": "Wizard-generated groups often include **overly permissive rules** (e.g., `0.0.0.0/0` to admin ports), expanding exposure. Attackers can run **port scans** and **brute-force** attacks to gain entry, then perform **lateral movement** and **data exfiltration**, impacting **confidentiality** and **integrity**; broad egress aids command-and-control.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security group default (sg-042831ed1f2ad6a5d) was not created using the EC2 Launch Wizard.",
    "metadata": {
      "event_code": "ec2_securitygroup_from_launch_wizard",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Security group default (sg-042831ed1f2ad6a5d) was not created using the EC2 Launch Wizard.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/security-group-prefixed-with-launch-wizard.html",
        "https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC05-BP03"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "ENS-RD2022": [
          "mp.com.1.aws.sg.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 security groups** whose names include `launch-wizard` are identified as created by the **EC2 Launch Wizard**, distinguishing auto-generated groups from curated, baseline-controlled groups.",
      "title": "Security group not created using the EC2 Launch Wizard",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
      ],
      "uid": "prowler-aws-ec2_securitygroup_from_launch_wizard-211203495394-us-east-1-sg-042831ed1f2ad6a5d"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "default",
          "metadata": {
            "name": "default",
            "region": "us-east-1",
            "arn": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-042831ed1f2ad6a5d",
            "id": "sg-042831ed1f2ad6a5d",
            "vpc_id": "vpc-06343230833672ab6",
            "associated_sgs": [
              "sg-042831ed1f2ad6a5d"
            ],
            "network_interfaces": [],
            "ingress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [
                  {
                    "UserId": "211203495394",
                    "GroupId": "sg-042831ed1f2ad6a5d"
                  }
                ],
                "IpRanges": [],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "egress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [],
                "IpRanges": [
                  {
                    "CidrIp": "0.0.0.0/0"
                  }
                ],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "tags": null
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [],
        "name": "sg-042831ed1f2ad6a5d",
        "type": "AwsEc2SecurityGroup",
        "uid": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-042831ed1f2ad6a5d"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Replace or harden these groups. Apply **least privilege**: restrict inbound to required sources, avoid public admin ports, and minimize egress. Use approved baseline security groups, enforce change control with IaC and guardrails, prefer private administration (bastion or Session Manager), and remove unused rules.",
      "references": [
        "https://hub.prowler.com/check/ec2_securitygroup_from_launch_wizard"
      ]
    },
    "risk_details": "Wizard-generated groups often include **overly permissive rules** (e.g., `0.0.0.0/0` to admin ports), expanding exposure. Attackers can run **port scans** and **brute-force** attacks to gain entry, then perform **lateral movement** and **data exfiltration**, impacting **confidentiality** and **integrity**; broad egress aids command-and-control.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security group default (sg-012fb28fc9b7ceef0) was not created using the EC2 Launch Wizard.",
    "metadata": {
      "event_code": "ec2_securitygroup_from_launch_wizard",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Security group default (sg-012fb28fc9b7ceef0) was not created using the EC2 Launch Wizard.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/security-group-prefixed-with-launch-wizard.html",
        "https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC05-BP03"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "ENS-RD2022": [
          "mp.com.1.aws.sg.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 security groups** whose names include `launch-wizard` are identified as created by the **EC2 Launch Wizard**, distinguishing auto-generated groups from curated, baseline-controlled groups.",
      "title": "Security group not created using the EC2 Launch Wizard",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
      ],
      "uid": "prowler-aws-ec2_securitygroup_from_launch_wizard-211203495394-us-east-1-sg-012fb28fc9b7ceef0"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "default",
          "metadata": {
            "name": "default",
            "region": "us-east-1",
            "arn": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-012fb28fc9b7ceef0",
            "id": "sg-012fb28fc9b7ceef0",
            "vpc_id": "vpc-00edf4476fa81d898",
            "associated_sgs": [
              "sg-012fb28fc9b7ceef0"
            ],
            "network_interfaces": [],
            "ingress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [
                  {
                    "UserId": "211203495394",
                    "GroupId": "sg-012fb28fc9b7ceef0"
                  }
                ],
                "IpRanges": [],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "egress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [],
                "IpRanges": [
                  {
                    "CidrIp": "0.0.0.0/0"
                  }
                ],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "tags": null
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [],
        "name": "sg-012fb28fc9b7ceef0",
        "type": "AwsEc2SecurityGroup",
        "uid": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-012fb28fc9b7ceef0"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Replace or harden these groups. Apply **least privilege**: restrict inbound to required sources, avoid public admin ports, and minimize egress. Use approved baseline security groups, enforce change control with IaC and guardrails, prefer private administration (bastion or Session Manager), and remove unused rules.",
      "references": [
        "https://hub.prowler.com/check/ec2_securitygroup_from_launch_wizard"
      ]
    },
    "risk_details": "Wizard-generated groups often include **overly permissive rules** (e.g., `0.0.0.0/0` to admin ports), expanding exposure. Attackers can run **port scans** and **brute-force** attacks to gain entry, then perform **lateral movement** and **data exfiltration**, impacting **confidentiality** and **integrity**; broad egress aids command-and-control.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security group default (sg-0812b91f30de4caa2) was not created using the EC2 Launch Wizard.",
    "metadata": {
      "event_code": "ec2_securitygroup_from_launch_wizard",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Security group default (sg-0812b91f30de4caa2) was not created using the EC2 Launch Wizard.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/security-group-prefixed-with-launch-wizard.html",
        "https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC05-BP03"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "ENS-RD2022": [
          "mp.com.1.aws.sg.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 security groups** whose names include `launch-wizard` are identified as created by the **EC2 Launch Wizard**, distinguishing auto-generated groups from curated, baseline-controlled groups.",
      "title": "Security group not created using the EC2 Launch Wizard",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
      ],
      "uid": "prowler-aws-ec2_securitygroup_from_launch_wizard-211203495394-us-east-1-sg-0812b91f30de4caa2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "default",
          "metadata": {
            "name": "default",
            "region": "us-east-1",
            "arn": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-0812b91f30de4caa2",
            "id": "sg-0812b91f30de4caa2",
            "vpc_id": "vpc-035f0b812cb80ea99",
            "associated_sgs": [
              "sg-0812b91f30de4caa2"
            ],
            "network_interfaces": [],
            "ingress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [
                  {
                    "UserId": "211203495394",
                    "GroupId": "sg-0812b91f30de4caa2"
                  }
                ],
                "IpRanges": [],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "egress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [],
                "IpRanges": [
                  {
                    "CidrIp": "0.0.0.0/0"
                  }
                ],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "tags": null
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [],
        "name": "sg-0812b91f30de4caa2",
        "type": "AwsEc2SecurityGroup",
        "uid": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-0812b91f30de4caa2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Replace or harden these groups. Apply **least privilege**: restrict inbound to required sources, avoid public admin ports, and minimize egress. Use approved baseline security groups, enforce change control with IaC and guardrails, prefer private administration (bastion or Session Manager), and remove unused rules.",
      "references": [
        "https://hub.prowler.com/check/ec2_securitygroup_from_launch_wizard"
      ]
    },
    "risk_details": "Wizard-generated groups often include **overly permissive rules** (e.g., `0.0.0.0/0` to admin ports), expanding exposure. Attackers can run **port scans** and **brute-force** attempts to gain entry, then carry out **lateral movement** and **data exfiltration**, impacting **confidentiality** and **integrity**; broad egress aids command-and-control.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security group default (sg-0068ebc618c50fd28) was not created using the EC2 Launch Wizard.",
    "metadata": {
      "event_code": "ec2_securitygroup_from_launch_wizard",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Security group default (sg-0068ebc618c50fd28) was not created using the EC2 Launch Wizard.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/security-group-prefixed-with-launch-wizard.html",
        "https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC05-BP03"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "ENS-RD2022": [
          "mp.com.1.aws.sg.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 security groups** whose names include `launch-wizard` are identified as created by the **EC2 Launch Wizard**, distinguishing auto-generated groups from curated, baseline-controlled groups.",
      "title": "Security group not created using the EC2 Launch Wizard",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
      ],
      "uid": "prowler-aws-ec2_securitygroup_from_launch_wizard-211203495394-us-east-1-sg-0068ebc618c50fd28"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "default",
          "metadata": {
            "name": "default",
            "region": "us-east-1",
            "arn": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-0068ebc618c50fd28",
            "id": "sg-0068ebc618c50fd28",
            "vpc_id": "vpc-08d29b9a77c3a1931",
            "associated_sgs": [],
            "network_interfaces": [],
            "ingress_rules": [],
            "egress_rules": [],
            "tags": [
              {
                "Key": "CFIVpcRole",
                "Value": "bad"
              },
              {
                "Key": "Project",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "ManagedBy",
                "Value": "Terraform"
              },
              {
                "Key": "team",
                "Value": "cfi-team"
              },
              {
                "Key": "AutoCleanup",
                "Value": "true"
              },
              {
                "Key": "Owner",
                "Value": "cfi-owner"
              },
              {
                "Key": "Name",
                "Value": "cfi-1776044303-vpc-bad-default"
              },
              {
                "Key": "Environment",
                "Value": "cfi-test"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIVpcRole:bad",
          "Project:CCC-CFI-Compliance",
          "ManagedBy:Terraform",
          "team:cfi-team",
          "AutoCleanup:true",
          "Owner:cfi-owner",
          "Name:cfi-1776044303-vpc-bad-default",
          "Environment:cfi-test",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "sg-0068ebc618c50fd28",
        "type": "AwsEc2SecurityGroup",
        "uid": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-0068ebc618c50fd28"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Replace or harden these groups. Apply **least privilege**: restrict inbound to required sources, avoid public admin ports, and minimize egress. Use approved baseline security groups, enforce change control with IaC and guardrails, prefer private administration (bastion or Session Manager), and remove unused rules.",
      "references": [
        "https://hub.prowler.com/check/ec2_securitygroup_from_launch_wizard"
      ]
    },
    "risk_details": "Wizard-generated groups often include **overly permissive rules** (e.g., `0.0.0.0/0` to admin ports), expanding exposure. Attackers can run **port scans** and **brute-force** attempts to gain entry, then carry out **lateral movement** and **data exfiltration**, impacting **confidentiality** and **integrity**; broad egress aids command-and-control.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security group default (sg-0dbbf61fb83e74952) has 0 inbound rules and 0 outbound rules.",
    "metadata": {
      "event_code": "ec2_securitygroup_with_many_ingress_egress_rules",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Security group default (sg-0dbbf61fb83e74952) has 0 inbound rules and 0 outbound rules.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/security-group-rules-counts.html"
      ],
      "notes": "",
      "compliance": {
        "AWS-Foundational-Technical-Review": [
          "NETSEC-001"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC05-BP03"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 security groups** are evaluated for excessive rule counts, flagging groups where `ingress` or `egress` entries exceed the configured threshold (default `50`). This targets groups with unusually large rule sets that complicate access control.",
      "title": "Security group has 50 or fewer inbound rules and 50 or fewer outbound rules",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-ec2_securitygroup_with_many_ingress_egress_rules-211203495394-us-east-1-sg-0dbbf61fb83e74952"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "default",
          "metadata": {
            "name": "default",
            "region": "us-east-1",
            "arn": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-0dbbf61fb83e74952",
            "id": "sg-0dbbf61fb83e74952",
            "vpc_id": "vpc-0232d940ac1e052fc",
            "associated_sgs": [],
            "network_interfaces": [],
            "ingress_rules": [],
            "egress_rules": [],
            "tags": [
              {
                "Key": "Project",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              },
              {
                "Key": "Environment",
                "Value": "cfi-test"
              },
              {
                "Key": "Name",
                "Value": "cfi-1776044303-vpc-default"
              },
              {
                "Key": "Owner",
                "Value": "cfi-owner"
              },
              {
                "Key": "AutoCleanup",
                "Value": "true"
              },
              {
                "Key": "ManagedBy",
                "Value": "Terraform"
              },
              {
                "Key": "team",
                "Value": "cfi-team"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "Project:CCC-CFI-Compliance",
          "CFIControlSet:CCC.VPC",
          "Environment:cfi-test",
          "Name:cfi-1776044303-vpc-default",
          "Owner:cfi-owner",
          "AutoCleanup:true",
          "ManagedBy:Terraform",
          "team:cfi-team"
        ],
        "name": "sg-0dbbf61fb83e74952",
        "type": "AwsEc2SecurityGroup",
        "uid": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-0dbbf61fb83e74952"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** and **segmentation**:\n- Limit rules to required ports, protocols, and sources\n- Split workloads into dedicated security groups per role\n- Prefer SG-to-SG references over broad CIDRs\n- Regularly review, deduplicate, and remove stale rules\n- Layer controls (NACLs, private endpoints) for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/ec2_securitygroup_with_many_ingress_egress_rules"
      ]
    },
    "risk_details": "**Rule sprawl** weakens **least privilege**: large rule sets can hide overly permissive entries, exposing services to the Internet or unintended peers. This enables unauthorized access, data exfiltration, and lateral movement, impacting **confidentiality** and **integrity**, and can threaten **availability** via abuse of exposed services.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security group default (sg-096af8e418ee6d2af) has 1 inbound rules and 1 outbound rules.",
    "metadata": {
      "event_code": "ec2_securitygroup_with_many_ingress_egress_rules",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Security group default (sg-096af8e418ee6d2af) has 1 inbound rules and 1 outbound rules.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/security-group-rules-counts.html"
      ],
      "notes": "",
      "compliance": {
        "AWS-Foundational-Technical-Review": [
          "NETSEC-001"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC05-BP03"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 security groups** are evaluated for excessive rule counts, flagging groups where `ingress` or `egress` entries exceed the configured threshold (default `50`). This targets groups with unusually large rule sets that complicate access control.",
      "title": "Security group has 50 or fewer inbound rules and 50 or fewer outbound rules",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-ec2_securitygroup_with_many_ingress_egress_rules-211203495394-us-east-1-sg-096af8e418ee6d2af"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "default",
          "metadata": {
            "name": "default",
            "region": "us-east-1",
            "arn": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-096af8e418ee6d2af",
            "id": "sg-096af8e418ee6d2af",
            "vpc_id": "vpc-030739f6bd57beef0",
            "associated_sgs": [
              "sg-096af8e418ee6d2af"
            ],
            "network_interfaces": [],
            "ingress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [
                  {
                    "UserId": "211203495394",
                    "GroupId": "sg-096af8e418ee6d2af"
                  }
                ],
                "IpRanges": [],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "egress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [],
                "IpRanges": [
                  {
                    "CidrIp": "0.0.0.0/0"
                  }
                ],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "tags": null
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [],
        "name": "sg-096af8e418ee6d2af",
        "type": "AwsEc2SecurityGroup",
        "uid": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-096af8e418ee6d2af"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** and **segmentation**:\n- Limit rules to required ports, protocols, and sources\n- Split workloads into dedicated security groups per role\n- Prefer SG-to-SG references over broad CIDRs\n- Regularly review, deduplicate, and remove stale rules\n- Layer controls (NACLs, private endpoints) for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/ec2_securitygroup_with_many_ingress_egress_rules"
      ]
    },
    "risk_details": "**Rule sprawl** weakens **least privilege**: large rule sets can hide overly permissive entries, exposing services to the Internet or unintended peers. This enables unauthorized access, data exfiltration, and lateral movement, impacting **confidentiality** and **integrity**, and can threaten **availability** via abuse of exposed services.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security group default (sg-026bac641c7391683) has 1 inbound rules and 1 outbound rules.",
    "metadata": {
      "event_code": "ec2_securitygroup_with_many_ingress_egress_rules",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Security group default (sg-026bac641c7391683) has 1 inbound rules and 1 outbound rules.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/security-group-rules-counts.html"
      ],
      "notes": "",
      "compliance": {
        "AWS-Foundational-Technical-Review": [
          "NETSEC-001"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC05-BP03"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 security groups** are evaluated for excessive rule counts, flagging groups where `ingress` or `egress` entries exceed the configured threshold (default `50`). This targets groups with unusually large rule sets that complicate access control.",
      "title": "Security group has 50 or fewer inbound rules and 50 or fewer outbound rules",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-ec2_securitygroup_with_many_ingress_egress_rules-211203495394-us-east-1-sg-026bac641c7391683"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "default",
          "metadata": {
            "name": "default",
            "region": "us-east-1",
            "arn": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-026bac641c7391683",
            "id": "sg-026bac641c7391683",
            "vpc_id": "vpc-08678ebdbec637832",
            "associated_sgs": [
              "sg-026bac641c7391683"
            ],
            "network_interfaces": [],
            "ingress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [
                  {
                    "UserId": "211203495394",
                    "GroupId": "sg-026bac641c7391683"
                  }
                ],
                "IpRanges": [],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "egress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [],
                "IpRanges": [
                  {
                    "CidrIp": "0.0.0.0/0"
                  }
                ],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "tags": null
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [],
        "name": "sg-026bac641c7391683",
        "type": "AwsEc2SecurityGroup",
        "uid": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-026bac641c7391683"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** and **segmentation**:\n- Limit rules to required ports, protocols, and sources\n- Split workloads into dedicated security groups per role\n- Prefer SG-to-SG references over broad CIDRs\n- Regularly review, deduplicate, and remove stale rules\n- Layer controls (NACLs, private endpoints) for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/ec2_securitygroup_with_many_ingress_egress_rules"
      ]
    },
    "risk_details": "**Rule sprawl** weakens **least privilege**: large rule sets can hide overly permissive entries, exposing services to the Internet or unintended peers. This enables unauthorized access, data exfiltration, and lateral movement, impacting **confidentiality** and **integrity**, and can threaten **availability** via abuse of exposed services.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security group default (sg-042831ed1f2ad6a5d) has 1 inbound rules and 1 outbound rules.",
    "metadata": {
      "event_code": "ec2_securitygroup_with_many_ingress_egress_rules",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Security group default (sg-042831ed1f2ad6a5d) has 1 inbound rules and 1 outbound rules.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/security-group-rules-counts.html"
      ],
      "notes": "",
      "compliance": {
        "AWS-Foundational-Technical-Review": [
          "NETSEC-001"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC05-BP03"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 security groups** are evaluated for excessive rule counts, flagging groups where `ingress` or `egress` entries exceed the configured threshold (default `50`). This targets groups with unusually large rule sets that complicate access control.",
      "title": "Security group has 50 or fewer inbound rules and 50 or fewer outbound rules",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-ec2_securitygroup_with_many_ingress_egress_rules-211203495394-us-east-1-sg-042831ed1f2ad6a5d"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "default",
          "metadata": {
            "name": "default",
            "region": "us-east-1",
            "arn": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-042831ed1f2ad6a5d",
            "id": "sg-042831ed1f2ad6a5d",
            "vpc_id": "vpc-06343230833672ab6",
            "associated_sgs": [
              "sg-042831ed1f2ad6a5d"
            ],
            "network_interfaces": [],
            "ingress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [
                  {
                    "UserId": "211203495394",
                    "GroupId": "sg-042831ed1f2ad6a5d"
                  }
                ],
                "IpRanges": [],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "egress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [],
                "IpRanges": [
                  {
                    "CidrIp": "0.0.0.0/0"
                  }
                ],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "tags": null
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [],
        "name": "sg-042831ed1f2ad6a5d",
        "type": "AwsEc2SecurityGroup",
        "uid": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-042831ed1f2ad6a5d"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** and **segmentation**:\n- Limit rules to required ports, protocols, and sources\n- Split workloads into dedicated security groups per role\n- Prefer SG-to-SG references over broad CIDRs\n- Regularly review, deduplicate, and remove stale rules\n- Layer controls (NACLs, private endpoints) for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/ec2_securitygroup_with_many_ingress_egress_rules"
      ]
    },
    "risk_details": "**Rule sprawl** weakens **least privilege**: large rule sets can hide overly permissive entries, exposing services to the Internet or unintended peers. This enables unauthorized access, data exfiltration, and lateral movement, impacting **confidentiality** and **integrity**, and can threaten **availability** via abuse of exposed services.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security group default (sg-012fb28fc9b7ceef0) has 1 inbound rules and 1 outbound rules.",
    "metadata": {
      "event_code": "ec2_securitygroup_with_many_ingress_egress_rules",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Security group default (sg-012fb28fc9b7ceef0) has 1 inbound rules and 1 outbound rules.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/security-group-rules-counts.html"
      ],
      "notes": "",
      "compliance": {
        "AWS-Foundational-Technical-Review": [
          "NETSEC-001"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC05-BP03"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 security groups** are evaluated for excessive rule counts, flagging groups where `ingress` or `egress` entries exceed the configured threshold (default `50`). This targets groups with unusually large rule sets that complicate access control.",
      "title": "Security group has 50 or fewer inbound rules and 50 or fewer outbound rules",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-ec2_securitygroup_with_many_ingress_egress_rules-211203495394-us-east-1-sg-012fb28fc9b7ceef0"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "default",
          "metadata": {
            "name": "default",
            "region": "us-east-1",
            "arn": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-012fb28fc9b7ceef0",
            "id": "sg-012fb28fc9b7ceef0",
            "vpc_id": "vpc-00edf4476fa81d898",
            "associated_sgs": [
              "sg-012fb28fc9b7ceef0"
            ],
            "network_interfaces": [],
            "ingress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [
                  {
                    "UserId": "211203495394",
                    "GroupId": "sg-012fb28fc9b7ceef0"
                  }
                ],
                "IpRanges": [],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "egress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [],
                "IpRanges": [
                  {
                    "CidrIp": "0.0.0.0/0"
                  }
                ],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "tags": null
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [],
        "name": "sg-012fb28fc9b7ceef0",
        "type": "AwsEc2SecurityGroup",
        "uid": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-012fb28fc9b7ceef0"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** and **segmentation**:\n- Limit rules to required ports, protocols, and sources\n- Split workloads into dedicated security groups per role\n- Prefer SG-to-SG references over broad CIDRs\n- Regularly review, deduplicate, and remove stale rules\n- Layer controls (NACLs, private endpoints) for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/ec2_securitygroup_with_many_ingress_egress_rules"
      ]
    },
    "risk_details": "**Rule sprawl** weakens **least privilege**: large rule sets can hide overly permissive entries, exposing services to the Internet or unintended peers. This enables unauthorized access, data exfiltration, and lateral movement, impacting **confidentiality** and **integrity**, and can threaten **availability** via abuse of exposed services.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security group default (sg-0812b91f30de4caa2) has 1 inbound rules and 1 outbound rules.",
    "metadata": {
      "event_code": "ec2_securitygroup_with_many_ingress_egress_rules",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Security group default (sg-0812b91f30de4caa2) has 1 inbound rules and 1 outbound rules.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/security-group-rules-counts.html"
      ],
      "notes": "",
      "compliance": {
        "AWS-Foundational-Technical-Review": [
          "NETSEC-001"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC05-BP03"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 security groups** are evaluated for excessive rule counts, flagging groups where `ingress` or `egress` entries exceed the configured threshold (default `50`). This targets groups with unusually large rule sets that complicate access control.",
      "title": "Security group has 50 or fewer inbound rules and 50 or fewer outbound rules",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-ec2_securitygroup_with_many_ingress_egress_rules-211203495394-us-east-1-sg-0812b91f30de4caa2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "default",
          "metadata": {
            "name": "default",
            "region": "us-east-1",
            "arn": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-0812b91f30de4caa2",
            "id": "sg-0812b91f30de4caa2",
            "vpc_id": "vpc-035f0b812cb80ea99",
            "associated_sgs": [
              "sg-0812b91f30de4caa2"
            ],
            "network_interfaces": [],
            "ingress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [
                  {
                    "UserId": "211203495394",
                    "GroupId": "sg-0812b91f30de4caa2"
                  }
                ],
                "IpRanges": [],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "egress_rules": [
              {
                "IpProtocol": "-1",
                "UserIdGroupPairs": [],
                "IpRanges": [
                  {
                    "CidrIp": "0.0.0.0/0"
                  }
                ],
                "Ipv6Ranges": [],
                "PrefixListIds": []
              }
            ],
            "tags": null
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [],
        "name": "sg-0812b91f30de4caa2",
        "type": "AwsEc2SecurityGroup",
        "uid": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-0812b91f30de4caa2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** and **segmentation**:\n- Limit rules to required ports, protocols, and sources\n- Split workloads into dedicated security groups per role\n- Prefer SG-to-SG references over broad CIDRs\n- Regularly review, deduplicate, and remove stale rules\n- Layer controls (NACLs, private endpoints) for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/ec2_securitygroup_with_many_ingress_egress_rules"
      ]
    },
    "risk_details": "**Rule sprawl** weakens **least privilege**: large rule sets can hide overly permissive entries, exposing services to the Internet or unintended peers. This enables unauthorized access, data exfiltration, and lateral movement, impacting **confidentiality** and **integrity**, and can threaten **availability** via abuse of exposed services.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security group default (sg-0068ebc618c50fd28) has 0 inbound rules and 0 outbound rules.",
    "metadata": {
      "event_code": "ec2_securitygroup_with_many_ingress_egress_rules",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Security group default (sg-0068ebc618c50fd28) has 0 inbound rules and 0 outbound rules.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/security-group-rules-counts.html"
      ],
      "notes": "",
      "compliance": {
        "AWS-Foundational-Technical-Review": [
          "NETSEC-001"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC05-BP03"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EC2 security groups** are evaluated for excessive rule counts, flagging groups where `ingress` or `egress` entries exceed the configured threshold (default `50`). This targets groups with unusually large rule sets that complicate access control.",
      "title": "Security group has 50 or fewer inbound rules and 50 or fewer outbound rules",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-ec2_securitygroup_with_many_ingress_egress_rules-211203495394-us-east-1-sg-0068ebc618c50fd28"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "default",
          "metadata": {
            "name": "default",
            "region": "us-east-1",
            "arn": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-0068ebc618c50fd28",
            "id": "sg-0068ebc618c50fd28",
            "vpc_id": "vpc-08d29b9a77c3a1931",
            "associated_sgs": [],
            "network_interfaces": [],
            "ingress_rules": [],
            "egress_rules": [],
            "tags": [
              {
                "Key": "CFIVpcRole",
                "Value": "bad"
              },
              {
                "Key": "Project",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "ManagedBy",
                "Value": "Terraform"
              },
              {
                "Key": "team",
                "Value": "cfi-team"
              },
              {
                "Key": "AutoCleanup",
                "Value": "true"
              },
              {
                "Key": "Owner",
                "Value": "cfi-owner"
              },
              {
                "Key": "Name",
                "Value": "cfi-1776044303-vpc-bad-default"
              },
              {
                "Key": "Environment",
                "Value": "cfi-test"
              },
              {
                "Key": "CFIControlSet",
                "Value": "CCC.VPC"
              }
            ]
          }
        },
        "group": {
          "name": "ec2"
        },
        "labels": [
          "CFIVpcRole:bad",
          "Project:CCC-CFI-Compliance",
          "ManagedBy:Terraform",
          "team:cfi-team",
          "AutoCleanup:true",
          "Owner:cfi-owner",
          "Name:cfi-1776044303-vpc-bad-default",
          "Environment:cfi-test",
          "CFIControlSet:CCC.VPC"
        ],
        "name": "sg-0068ebc618c50fd28",
        "type": "AwsEc2SecurityGroup",
        "uid": "arn:aws:ec2:us-east-1:211203495394:security-group/sg-0068ebc618c50fd28"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** and **segmentation**:\n- Limit rules to required ports, protocols, and sources\n- Split workloads into dedicated security groups per role\n- Prefer SG-to-SG references over broad CIDRs\n- Regularly review, deduplicate, and remove stale rules\n- Layer controls (NACLs, private endpoints) for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/ec2_securitygroup_with_many_ingress_egress_rules"
      ]
    },
    "risk_details": "**Rule sprawl** weakens **least privilege**: large rule sets can hide overly permissive entries, exposing services to the Internet or unintended peers. This enables unauthorized access, data exfiltration, and lateral movement, impacting **confidentiality** and **integrity**, and can threaten **availability** via abuse of exposed services.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EMR Account has Block Public Access enabled.",
    "metadata": {
      "event_code": "emr_cluster_account_public_block_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EMR Account has Block Public Access enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EMR/block-public-access.html",
        "https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
        "https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
      ],
      "notes": "",
      "compliance": {
        "PCI-4.0": [
          "1.2.8.16",
          "1.3.1.18",
          "1.3.2.18",
          "1.4.2.17",
          "1.5.1.16",
          "10.3.2.12",
          "3.5.1.3.14",
          "A1.1.2.8",
          "A1.1.3.16",
          "A3.4.1.8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP07"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "C5-2025": [
          "PS-03.02B"
        ],
        "ISO27001-2022": [
          "A.8.1"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EMR.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
      "title": "EMR account has Block Public Access enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-emr_cluster_account_public_block_enabled-211203495394-ap-northeast-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-1",
        "data": {
          "details": "",
          "metadata": {
            "us-east-2": {
              "block_public_security_group_rules": true
            },
            "us-west-1": {
              "block_public_security_group_rules": true
            },
            "ca-central-1": {
              "block_public_security_group_rules": true
            },
            "us-west-2": {
              "block_public_security_group_rules": true
            },
            "eu-central-1": {
              "block_public_security_group_rules": true
            },
            "eu-north-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-3": {
              "block_public_security_group_rules": true
            },
            "eu-west-3": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-2": {
              "block_public_security_group_rules": true
            },
            "us-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-2": {
              "block_public_security_group_rules": true
            },
            "sa-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-south-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-2": {
              "block_public_security_group_rules": true
            }
          }
        },
        "group": {
          "name": "emr"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:elasticmapreduce:ap-northeast-1:211203495394:cluster"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-1"
    },
    "remediation": {
      "desc": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
      ]
    },
    "risk_details": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EMR Account has Block Public Access enabled.",
    "metadata": {
      "event_code": "emr_cluster_account_public_block_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EMR Account has Block Public Access enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EMR/block-public-access.html",
        "https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
        "https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
      ],
      "notes": "",
      "compliance": {
        "PCI-4.0": [
          "1.2.8.16",
          "1.3.1.18",
          "1.3.2.18",
          "1.4.2.17",
          "1.5.1.16",
          "10.3.2.12",
          "3.5.1.3.14",
          "A1.1.2.8",
          "A1.1.3.16",
          "A3.4.1.8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP07"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "C5-2025": [
          "PS-03.02B"
        ],
        "ISO27001-2022": [
          "A.8.1"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EMR.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
      "title": "EMR account has Block Public Access enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-emr_cluster_account_public_block_enabled-211203495394-ap-northeast-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-2",
        "data": {
          "details": "",
          "metadata": {
            "us-east-2": {
              "block_public_security_group_rules": true
            },
            "us-west-1": {
              "block_public_security_group_rules": true
            },
            "ca-central-1": {
              "block_public_security_group_rules": true
            },
            "us-west-2": {
              "block_public_security_group_rules": true
            },
            "eu-central-1": {
              "block_public_security_group_rules": true
            },
            "eu-north-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-3": {
              "block_public_security_group_rules": true
            },
            "eu-west-3": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-2": {
              "block_public_security_group_rules": true
            },
            "us-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-2": {
              "block_public_security_group_rules": true
            },
            "sa-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-south-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-2": {
              "block_public_security_group_rules": true
            }
          }
        },
        "group": {
          "name": "emr"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:elasticmapreduce:ap-northeast-2:211203495394:cluster"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-2"
    },
    "remediation": {
      "desc": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
      ]
    },
    "risk_details": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EMR Account has Block Public Access enabled.",
    "metadata": {
      "event_code": "emr_cluster_account_public_block_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EMR Account has Block Public Access enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EMR/block-public-access.html",
        "https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
        "https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
      ],
      "notes": "",
      "compliance": {
        "PCI-4.0": [
          "1.2.8.16",
          "1.3.1.18",
          "1.3.2.18",
          "1.4.2.17",
          "1.5.1.16",
          "10.3.2.12",
          "3.5.1.3.14",
          "A1.1.2.8",
          "A1.1.3.16",
          "A3.4.1.8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP07"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "C5-2025": [
          "PS-03.02B"
        ],
        "ISO27001-2022": [
          "A.8.1"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EMR.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
      "title": "EMR account has Block Public Access enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-emr_cluster_account_public_block_enabled-211203495394-ap-northeast-3-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-3",
        "data": {
          "details": "",
          "metadata": {
            "us-east-2": {
              "block_public_security_group_rules": true
            },
            "us-west-1": {
              "block_public_security_group_rules": true
            },
            "ca-central-1": {
              "block_public_security_group_rules": true
            },
            "us-west-2": {
              "block_public_security_group_rules": true
            },
            "eu-central-1": {
              "block_public_security_group_rules": true
            },
            "eu-north-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-3": {
              "block_public_security_group_rules": true
            },
            "eu-west-3": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-2": {
              "block_public_security_group_rules": true
            },
            "us-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-2": {
              "block_public_security_group_rules": true
            },
            "sa-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-south-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-2": {
              "block_public_security_group_rules": true
            }
          }
        },
        "group": {
          "name": "emr"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:elasticmapreduce:ap-northeast-3:211203495394:cluster"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-3"
    },
    "remediation": {
      "desc": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
      ]
    },
    "risk_details": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EMR Account has Block Public Access enabled.",
    "metadata": {
      "event_code": "emr_cluster_account_public_block_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EMR Account has Block Public Access enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EMR/block-public-access.html",
        "https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
        "https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
      ],
      "notes": "",
      "compliance": {
        "PCI-4.0": [
          "1.2.8.16",
          "1.3.1.18",
          "1.3.2.18",
          "1.4.2.17",
          "1.5.1.16",
          "10.3.2.12",
          "3.5.1.3.14",
          "A1.1.2.8",
          "A1.1.3.16",
          "A3.4.1.8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP07"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "C5-2025": [
          "PS-03.02B"
        ],
        "ISO27001-2022": [
          "A.8.1"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EMR.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
      "title": "EMR account has Block Public Access enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-emr_cluster_account_public_block_enabled-211203495394-ap-south-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-south-1",
        "data": {
          "details": "",
          "metadata": {
            "us-east-2": {
              "block_public_security_group_rules": true
            },
            "us-west-1": {
              "block_public_security_group_rules": true
            },
            "ca-central-1": {
              "block_public_security_group_rules": true
            },
            "us-west-2": {
              "block_public_security_group_rules": true
            },
            "eu-central-1": {
              "block_public_security_group_rules": true
            },
            "eu-north-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-3": {
              "block_public_security_group_rules": true
            },
            "eu-west-3": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-2": {
              "block_public_security_group_rules": true
            },
            "us-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-2": {
              "block_public_security_group_rules": true
            },
            "sa-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-south-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-2": {
              "block_public_security_group_rules": true
            }
          }
        },
        "group": {
          "name": "emr"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:elasticmapreduce:ap-south-1:211203495394:cluster"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-south-1"
    },
    "remediation": {
      "desc": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
      ]
    },
    "risk_details": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EMR Account has Block Public Access enabled.",
    "metadata": {
      "event_code": "emr_cluster_account_public_block_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EMR Account has Block Public Access enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EMR/block-public-access.html",
        "https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
        "https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
      ],
      "notes": "",
      "compliance": {
        "PCI-4.0": [
          "1.2.8.16",
          "1.3.1.18",
          "1.3.2.18",
          "1.4.2.17",
          "1.5.1.16",
          "10.3.2.12",
          "3.5.1.3.14",
          "A1.1.2.8",
          "A1.1.3.16",
          "A3.4.1.8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP07"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "C5-2025": [
          "PS-03.02B"
        ],
        "ISO27001-2022": [
          "A.8.1"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EMR.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
      "title": "EMR account has Block Public Access enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-emr_cluster_account_public_block_enabled-211203495394-ap-southeast-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-1",
        "data": {
          "details": "",
          "metadata": {
            "us-east-2": {
              "block_public_security_group_rules": true
            },
            "us-west-1": {
              "block_public_security_group_rules": true
            },
            "ca-central-1": {
              "block_public_security_group_rules": true
            },
            "us-west-2": {
              "block_public_security_group_rules": true
            },
            "eu-central-1": {
              "block_public_security_group_rules": true
            },
            "eu-north-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-3": {
              "block_public_security_group_rules": true
            },
            "eu-west-3": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-2": {
              "block_public_security_group_rules": true
            },
            "us-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-2": {
              "block_public_security_group_rules": true
            },
            "sa-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-south-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-2": {
              "block_public_security_group_rules": true
            }
          }
        },
        "group": {
          "name": "emr"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:elasticmapreduce:ap-southeast-1:211203495394:cluster"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-1"
    },
    "remediation": {
      "desc": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
      ]
    },
    "risk_details": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EMR Account has Block Public Access enabled.",
    "metadata": {
      "event_code": "emr_cluster_account_public_block_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EMR Account has Block Public Access enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EMR/block-public-access.html",
        "https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
        "https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
      ],
      "notes": "",
      "compliance": {
        "PCI-4.0": [
          "1.2.8.16",
          "1.3.1.18",
          "1.3.2.18",
          "1.4.2.17",
          "1.5.1.16",
          "10.3.2.12",
          "3.5.1.3.14",
          "A1.1.2.8",
          "A1.1.3.16",
          "A3.4.1.8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP07"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "C5-2025": [
          "PS-03.02B"
        ],
        "ISO27001-2022": [
          "A.8.1"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EMR.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
      "title": "EMR account has Block Public Access enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-emr_cluster_account_public_block_enabled-211203495394-ap-southeast-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-2",
        "data": {
          "details": "",
          "metadata": {
            "us-east-2": {
              "block_public_security_group_rules": true
            },
            "us-west-1": {
              "block_public_security_group_rules": true
            },
            "ca-central-1": {
              "block_public_security_group_rules": true
            },
            "us-west-2": {
              "block_public_security_group_rules": true
            },
            "eu-central-1": {
              "block_public_security_group_rules": true
            },
            "eu-north-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-3": {
              "block_public_security_group_rules": true
            },
            "eu-west-3": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-2": {
              "block_public_security_group_rules": true
            },
            "us-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-2": {
              "block_public_security_group_rules": true
            },
            "sa-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-south-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-2": {
              "block_public_security_group_rules": true
            }
          }
        },
        "group": {
          "name": "emr"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:elasticmapreduce:ap-southeast-2:211203495394:cluster"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-2"
    },
    "remediation": {
      "desc": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
      ]
    },
    "risk_details": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EMR Account has Block Public Access enabled.",
    "metadata": {
      "event_code": "emr_cluster_account_public_block_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EMR Account has Block Public Access enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EMR/block-public-access.html",
        "https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
        "https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
      ],
      "notes": "",
      "compliance": {
        "PCI-4.0": [
          "1.2.8.16",
          "1.3.1.18",
          "1.3.2.18",
          "1.4.2.17",
          "1.5.1.16",
          "10.3.2.12",
          "3.5.1.3.14",
          "A1.1.2.8",
          "A1.1.3.16",
          "A3.4.1.8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP07"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "C5-2025": [
          "PS-03.02B"
        ],
        "ISO27001-2022": [
          "A.8.1"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EMR.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
      "title": "EMR account has Block Public Access enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-emr_cluster_account_public_block_enabled-211203495394-ca-central-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ca-central-1",
        "data": {
          "details": "",
          "metadata": {
            "us-east-2": {
              "block_public_security_group_rules": true
            },
            "us-west-1": {
              "block_public_security_group_rules": true
            },
            "ca-central-1": {
              "block_public_security_group_rules": true
            },
            "us-west-2": {
              "block_public_security_group_rules": true
            },
            "eu-central-1": {
              "block_public_security_group_rules": true
            },
            "eu-north-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-3": {
              "block_public_security_group_rules": true
            },
            "eu-west-3": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-2": {
              "block_public_security_group_rules": true
            },
            "us-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-2": {
              "block_public_security_group_rules": true
            },
            "sa-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-south-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-2": {
              "block_public_security_group_rules": true
            }
          }
        },
        "group": {
          "name": "emr"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:elasticmapreduce:ca-central-1:211203495394:cluster"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ca-central-1"
    },
    "remediation": {
      "desc": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
      ]
    },
    "risk_details": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EMR Account has Block Public Access enabled.",
    "metadata": {
      "event_code": "emr_cluster_account_public_block_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EMR Account has Block Public Access enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EMR/block-public-access.html",
        "https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
        "https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
      ],
      "notes": "",
      "compliance": {
        "PCI-4.0": [
          "1.2.8.16",
          "1.3.1.18",
          "1.3.2.18",
          "1.4.2.17",
          "1.5.1.16",
          "10.3.2.12",
          "3.5.1.3.14",
          "A1.1.2.8",
          "A1.1.3.16",
          "A3.4.1.8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP07"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "C5-2025": [
          "PS-03.02B"
        ],
        "ISO27001-2022": [
          "A.8.1"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EMR.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
      "title": "EMR account has Block Public Access enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-emr_cluster_account_public_block_enabled-211203495394-eu-central-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-central-1",
        "data": {
          "details": "",
          "metadata": {
            "us-east-2": {
              "block_public_security_group_rules": true
            },
            "us-west-1": {
              "block_public_security_group_rules": true
            },
            "ca-central-1": {
              "block_public_security_group_rules": true
            },
            "us-west-2": {
              "block_public_security_group_rules": true
            },
            "eu-central-1": {
              "block_public_security_group_rules": true
            },
            "eu-north-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-3": {
              "block_public_security_group_rules": true
            },
            "eu-west-3": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-2": {
              "block_public_security_group_rules": true
            },
            "us-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-2": {
              "block_public_security_group_rules": true
            },
            "sa-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-south-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-2": {
              "block_public_security_group_rules": true
            }
          }
        },
        "group": {
          "name": "emr"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:elasticmapreduce:eu-central-1:211203495394:cluster"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-central-1"
    },
    "remediation": {
      "desc": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
      ]
    },
    "risk_details": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EMR Account has Block Public Access enabled.",
    "metadata": {
      "event_code": "emr_cluster_account_public_block_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EMR Account has Block Public Access enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EMR/block-public-access.html",
        "https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
        "https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
      ],
      "notes": "",
      "compliance": {
        "PCI-4.0": [
          "1.2.8.16",
          "1.3.1.18",
          "1.3.2.18",
          "1.4.2.17",
          "1.5.1.16",
          "10.3.2.12",
          "3.5.1.3.14",
          "A1.1.2.8",
          "A1.1.3.16",
          "A3.4.1.8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP07"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "C5-2025": [
          "PS-03.02B"
        ],
        "ISO27001-2022": [
          "A.8.1"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EMR.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
      "title": "EMR account has Block Public Access enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-emr_cluster_account_public_block_enabled-211203495394-eu-north-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-north-1",
        "data": {
          "details": "",
          "metadata": {
            "us-east-2": {
              "block_public_security_group_rules": true
            },
            "us-west-1": {
              "block_public_security_group_rules": true
            },
            "ca-central-1": {
              "block_public_security_group_rules": true
            },
            "us-west-2": {
              "block_public_security_group_rules": true
            },
            "eu-central-1": {
              "block_public_security_group_rules": true
            },
            "eu-north-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-3": {
              "block_public_security_group_rules": true
            },
            "eu-west-3": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-2": {
              "block_public_security_group_rules": true
            },
            "us-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-2": {
              "block_public_security_group_rules": true
            },
            "sa-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-south-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-2": {
              "block_public_security_group_rules": true
            }
          }
        },
        "group": {
          "name": "emr"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:elasticmapreduce:eu-north-1:211203495394:cluster"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-north-1"
    },
    "remediation": {
      "desc": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
      ]
    },
    "risk_details": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EMR Account has Block Public Access enabled.",
    "metadata": {
      "event_code": "emr_cluster_account_public_block_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EMR Account has Block Public Access enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EMR/block-public-access.html",
        "https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
        "https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
      ],
      "notes": "",
      "compliance": {
        "PCI-4.0": [
          "1.2.8.16",
          "1.3.1.18",
          "1.3.2.18",
          "1.4.2.17",
          "1.5.1.16",
          "10.3.2.12",
          "3.5.1.3.14",
          "A1.1.2.8",
          "A1.1.3.16",
          "A3.4.1.8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP07"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "C5-2025": [
          "PS-03.02B"
        ],
        "ISO27001-2022": [
          "A.8.1"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EMR.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
      "title": "EMR account has Block Public Access enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-emr_cluster_account_public_block_enabled-211203495394-eu-west-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-1",
        "data": {
          "details": "",
          "metadata": {
            "us-east-2": {
              "block_public_security_group_rules": true
            },
            "us-west-1": {
              "block_public_security_group_rules": true
            },
            "ca-central-1": {
              "block_public_security_group_rules": true
            },
            "us-west-2": {
              "block_public_security_group_rules": true
            },
            "eu-central-1": {
              "block_public_security_group_rules": true
            },
            "eu-north-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-3": {
              "block_public_security_group_rules": true
            },
            "eu-west-3": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-2": {
              "block_public_security_group_rules": true
            },
            "us-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-2": {
              "block_public_security_group_rules": true
            },
            "sa-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-south-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-2": {
              "block_public_security_group_rules": true
            }
          }
        },
        "group": {
          "name": "emr"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:elasticmapreduce:eu-west-1:211203495394:cluster"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-1"
    },
    "remediation": {
      "desc": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
      ]
    },
    "risk_details": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EMR Account has Block Public Access enabled.",
    "metadata": {
      "event_code": "emr_cluster_account_public_block_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EMR Account has Block Public Access enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EMR/block-public-access.html",
        "https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
        "https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
      ],
      "notes": "",
      "compliance": {
        "PCI-4.0": [
          "1.2.8.16",
          "1.3.1.18",
          "1.3.2.18",
          "1.4.2.17",
          "1.5.1.16",
          "10.3.2.12",
          "3.5.1.3.14",
          "A1.1.2.8",
          "A1.1.3.16",
          "A3.4.1.8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP07"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "C5-2025": [
          "PS-03.02B"
        ],
        "ISO27001-2022": [
          "A.8.1"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EMR.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
      "title": "EMR account has Block Public Access enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-emr_cluster_account_public_block_enabled-211203495394-eu-west-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-2",
        "data": {
          "details": "",
          "metadata": {
            "us-east-2": {
              "block_public_security_group_rules": true
            },
            "us-west-1": {
              "block_public_security_group_rules": true
            },
            "ca-central-1": {
              "block_public_security_group_rules": true
            },
            "us-west-2": {
              "block_public_security_group_rules": true
            },
            "eu-central-1": {
              "block_public_security_group_rules": true
            },
            "eu-north-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-3": {
              "block_public_security_group_rules": true
            },
            "eu-west-3": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-2": {
              "block_public_security_group_rules": true
            },
            "us-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-2": {
              "block_public_security_group_rules": true
            },
            "sa-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-south-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-2": {
              "block_public_security_group_rules": true
            }
          }
        },
        "group": {
          "name": "emr"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:elasticmapreduce:eu-west-2:211203495394:cluster"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-2"
    },
    "remediation": {
      "desc": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
      ]
    },
    "risk_details": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EMR Account has Block Public Access enabled.",
    "metadata": {
      "event_code": "emr_cluster_account_public_block_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EMR Account has Block Public Access enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EMR/block-public-access.html",
        "https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
        "https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
      ],
      "notes": "",
      "compliance": {
        "PCI-4.0": [
          "1.2.8.16",
          "1.3.1.18",
          "1.3.2.18",
          "1.4.2.17",
          "1.5.1.16",
          "10.3.2.12",
          "3.5.1.3.14",
          "A1.1.2.8",
          "A1.1.3.16",
          "A3.4.1.8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP07"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "C5-2025": [
          "PS-03.02B"
        ],
        "ISO27001-2022": [
          "A.8.1"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EMR.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
      "title": "EMR account has Block Public Access enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-emr_cluster_account_public_block_enabled-211203495394-eu-west-3-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-3",
        "data": {
          "details": "",
          "metadata": {
            "us-east-2": {
              "block_public_security_group_rules": true
            },
            "us-west-1": {
              "block_public_security_group_rules": true
            },
            "ca-central-1": {
              "block_public_security_group_rules": true
            },
            "us-west-2": {
              "block_public_security_group_rules": true
            },
            "eu-central-1": {
              "block_public_security_group_rules": true
            },
            "eu-north-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-3": {
              "block_public_security_group_rules": true
            },
            "eu-west-3": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-2": {
              "block_public_security_group_rules": true
            },
            "us-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-2": {
              "block_public_security_group_rules": true
            },
            "sa-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-south-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-2": {
              "block_public_security_group_rules": true
            }
          }
        },
        "group": {
          "name": "emr"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:elasticmapreduce:eu-west-3:211203495394:cluster"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-3"
    },
    "remediation": {
      "desc": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
      ]
    },
    "risk_details": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EMR Account has Block Public Access enabled.",
    "metadata": {
      "event_code": "emr_cluster_account_public_block_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EMR Account has Block Public Access enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EMR/block-public-access.html",
        "https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
        "https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
      ],
      "notes": "",
      "compliance": {
        "PCI-4.0": [
          "1.2.8.16",
          "1.3.1.18",
          "1.3.2.18",
          "1.4.2.17",
          "1.5.1.16",
          "10.3.2.12",
          "3.5.1.3.14",
          "A1.1.2.8",
          "A1.1.3.16",
          "A3.4.1.8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP07"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "C5-2025": [
          "PS-03.02B"
        ],
        "ISO27001-2022": [
          "A.8.1"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EMR.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
      "title": "EMR account has Block Public Access enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-emr_cluster_account_public_block_enabled-211203495394-sa-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "sa-east-1",
        "data": {
          "details": "",
          "metadata": {
            "us-east-2": {
              "block_public_security_group_rules": true
            },
            "us-west-1": {
              "block_public_security_group_rules": true
            },
            "ca-central-1": {
              "block_public_security_group_rules": true
            },
            "us-west-2": {
              "block_public_security_group_rules": true
            },
            "eu-central-1": {
              "block_public_security_group_rules": true
            },
            "eu-north-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-3": {
              "block_public_security_group_rules": true
            },
            "eu-west-3": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-2": {
              "block_public_security_group_rules": true
            },
            "us-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-2": {
              "block_public_security_group_rules": true
            },
            "sa-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-south-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-2": {
              "block_public_security_group_rules": true
            }
          }
        },
        "group": {
          "name": "emr"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:elasticmapreduce:sa-east-1:211203495394:cluster"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "sa-east-1"
    },
    "remediation": {
      "desc": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
      ]
    },
    "risk_details": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EMR Account has Block Public Access enabled.",
    "metadata": {
      "event_code": "emr_cluster_account_public_block_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EMR Account has Block Public Access enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EMR/block-public-access.html",
        "https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
        "https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
      ],
      "notes": "",
      "compliance": {
        "PCI-4.0": [
          "1.2.8.16",
          "1.3.1.18",
          "1.3.2.18",
          "1.4.2.17",
          "1.5.1.16",
          "10.3.2.12",
          "3.5.1.3.14",
          "A1.1.2.8",
          "A1.1.3.16",
          "A3.4.1.8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP07"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "C5-2025": [
          "PS-03.02B"
        ],
        "ISO27001-2022": [
          "A.8.1"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EMR.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
      "title": "EMR account has Block Public Access enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-emr_cluster_account_public_block_enabled-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "us-east-2": {
              "block_public_security_group_rules": true
            },
            "us-west-1": {
              "block_public_security_group_rules": true
            },
            "ca-central-1": {
              "block_public_security_group_rules": true
            },
            "us-west-2": {
              "block_public_security_group_rules": true
            },
            "eu-central-1": {
              "block_public_security_group_rules": true
            },
            "eu-north-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-3": {
              "block_public_security_group_rules": true
            },
            "eu-west-3": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-2": {
              "block_public_security_group_rules": true
            },
            "us-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-2": {
              "block_public_security_group_rules": true
            },
            "sa-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-south-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-2": {
              "block_public_security_group_rules": true
            }
          }
        },
        "group": {
          "name": "emr"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:elasticmapreduce:us-east-1:211203495394:cluster"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
      ]
    },
    "risk_details": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EMR Account has Block Public Access enabled.",
    "metadata": {
      "event_code": "emr_cluster_account_public_block_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EMR Account has Block Public Access enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EMR/block-public-access.html",
        "https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
        "https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
      ],
      "notes": "",
      "compliance": {
        "PCI-4.0": [
          "1.2.8.16",
          "1.3.1.18",
          "1.3.2.18",
          "1.4.2.17",
          "1.5.1.16",
          "10.3.2.12",
          "3.5.1.3.14",
          "A1.1.2.8",
          "A1.1.3.16",
          "A3.4.1.8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP07"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "C5-2025": [
          "PS-03.02B"
        ],
        "ISO27001-2022": [
          "A.8.1"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EMR.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
      "title": "EMR account has Block Public Access enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-emr_cluster_account_public_block_enabled-211203495394-us-east-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-2",
        "data": {
          "details": "",
          "metadata": {
            "us-east-2": {
              "block_public_security_group_rules": true
            },
            "us-west-1": {
              "block_public_security_group_rules": true
            },
            "ca-central-1": {
              "block_public_security_group_rules": true
            },
            "us-west-2": {
              "block_public_security_group_rules": true
            },
            "eu-central-1": {
              "block_public_security_group_rules": true
            },
            "eu-north-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-3": {
              "block_public_security_group_rules": true
            },
            "eu-west-3": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-2": {
              "block_public_security_group_rules": true
            },
            "us-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-2": {
              "block_public_security_group_rules": true
            },
            "sa-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-south-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-2": {
              "block_public_security_group_rules": true
            }
          }
        },
        "group": {
          "name": "emr"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:elasticmapreduce:us-east-2:211203495394:cluster"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-2"
    },
    "remediation": {
      "desc": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
      ]
    },
    "risk_details": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EMR Account has Block Public Access enabled.",
    "metadata": {
      "event_code": "emr_cluster_account_public_block_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EMR Account has Block Public Access enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EMR/block-public-access.html",
        "https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
        "https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
      ],
      "notes": "",
      "compliance": {
        "PCI-4.0": [
          "1.2.8.16",
          "1.3.1.18",
          "1.3.2.18",
          "1.4.2.17",
          "1.5.1.16",
          "10.3.2.12",
          "3.5.1.3.14",
          "A1.1.2.8",
          "A1.1.3.16",
          "A3.4.1.8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP07"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "C5-2025": [
          "PS-03.02B"
        ],
        "ISO27001-2022": [
          "A.8.1"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EMR.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
      "title": "EMR account has Block Public Access enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-emr_cluster_account_public_block_enabled-211203495394-us-west-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-1",
        "data": {
          "details": "",
          "metadata": {
            "us-east-2": {
              "block_public_security_group_rules": true
            },
            "us-west-1": {
              "block_public_security_group_rules": true
            },
            "ca-central-1": {
              "block_public_security_group_rules": true
            },
            "us-west-2": {
              "block_public_security_group_rules": true
            },
            "eu-central-1": {
              "block_public_security_group_rules": true
            },
            "eu-north-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-3": {
              "block_public_security_group_rules": true
            },
            "eu-west-3": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-2": {
              "block_public_security_group_rules": true
            },
            "us-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-2": {
              "block_public_security_group_rules": true
            },
            "sa-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-south-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-2": {
              "block_public_security_group_rules": true
            }
          }
        },
        "group": {
          "name": "emr"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:elasticmapreduce:us-west-1:211203495394:cluster"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-1"
    },
    "remediation": {
      "desc": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
      ]
    },
    "risk_details": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EMR Account has Block Public Access enabled.",
    "metadata": {
      "event_code": "emr_cluster_account_public_block_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EMR Account has Block Public Access enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EMR/block-public-access.html",
        "https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
        "https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
      ],
      "notes": "",
      "compliance": {
        "PCI-4.0": [
          "1.2.8.16",
          "1.3.1.18",
          "1.3.2.18",
          "1.4.2.17",
          "1.5.1.16",
          "10.3.2.12",
          "3.5.1.3.14",
          "A1.1.2.8",
          "A1.1.3.16",
          "A3.4.1.8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.6.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP07"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.1",
          "2.10.2"
        ],
        "C5-2025": [
          "PS-03.02B"
        ],
        "ISO27001-2022": [
          "A.8.1"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "EMR.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
      "title": "EMR account has Block Public Access enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-emr_cluster_account_public_block_enabled-211203495394-us-west-2-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-2",
        "data": {
          "details": "",
          "metadata": {
            "us-east-2": {
              "block_public_security_group_rules": true
            },
            "us-west-1": {
              "block_public_security_group_rules": true
            },
            "ca-central-1": {
              "block_public_security_group_rules": true
            },
            "us-west-2": {
              "block_public_security_group_rules": true
            },
            "eu-central-1": {
              "block_public_security_group_rules": true
            },
            "eu-north-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-3": {
              "block_public_security_group_rules": true
            },
            "eu-west-3": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-2": {
              "block_public_security_group_rules": true
            },
            "us-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-2": {
              "block_public_security_group_rules": true
            },
            "sa-east-1": {
              "block_public_security_group_rules": true
            },
            "ap-southeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-northeast-1": {
              "block_public_security_group_rules": true
            },
            "ap-south-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-1": {
              "block_public_security_group_rules": true
            },
            "eu-west-2": {
              "block_public_security_group_rules": true
            }
          }
        },
        "group": {
          "name": "emr"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:elasticmapreduce:us-west-2:211203495394:cluster"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-2"
    },
    "remediation": {
      "desc": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
      ]
    },
    "risk_details": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default does not allow cross-account access.",
    "metadata": {
      "event_code": "eventbridge_bus_cross_account_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default does not allow cross-account access.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
      ],
      "notes": "This check supports the `trusted_account_ids` configuration in config.yaml to allow specific cross-account access without triggering a finding.",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-13.03AC",
          "IAM-10.01B",
          "COS-04.01B"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EventBridge event bus** has a **resource policy** that grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
      "title": "AWS EventBridge event bus does not allow cross-account access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-eventbridge_bus_cross_account_access-211203495394-ap-northeast-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:ap-northeast-1:211203495394:event-bus/default",
            "region": "ap-northeast-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:ap-northeast-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
      ]
    },
    "risk_details": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default does not allow cross-account access.",
    "metadata": {
      "event_code": "eventbridge_bus_cross_account_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default does not allow cross-account access.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
      ],
      "notes": "This check supports the `trusted_account_ids` configuration in config.yaml to allow specific cross-account access without triggering a finding.",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-13.03AC",
          "IAM-10.01B",
          "COS-04.01B"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EventBridge event bus** has a **resource policy** that grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
      "title": "AWS EventBridge event bus does not allow cross-account access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-eventbridge_bus_cross_account_access-211203495394-ap-northeast-2-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-2",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:ap-northeast-2:211203495394:event-bus/default",
            "region": "ap-northeast-2",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:ap-northeast-2:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-2"
    },
    "remediation": {
      "desc": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
      ]
    },
    "risk_details": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default does not allow cross-account access.",
    "metadata": {
      "event_code": "eventbridge_bus_cross_account_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default does not allow cross-account access.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
      ],
      "notes": "This check supports the `trusted_account_ids` configuration in config.yaml to allow specific cross-account access without triggering a finding.",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-13.03AC",
          "IAM-10.01B",
          "COS-04.01B"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EventBridge event bus** has a **resource policy** that grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
      "title": "AWS EventBridge event bus does not allow cross-account access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-eventbridge_bus_cross_account_access-211203495394-ap-northeast-3-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-3",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:ap-northeast-3:211203495394:event-bus/default",
            "region": "ap-northeast-3",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:ap-northeast-3:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-3"
    },
    "remediation": {
      "desc": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
      ]
    },
    "risk_details": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default does not allow cross-account access.",
    "metadata": {
      "event_code": "eventbridge_bus_cross_account_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default does not allow cross-account access.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
      ],
      "notes": "This check supports the `trusted_account_ids` configuration in config.yaml to allow specific cross-account access without triggering a finding.",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-13.03AC",
          "IAM-10.01B",
          "COS-04.01B"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EventBridge event bus** has a **resource policy** that grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
      "title": "AWS EventBridge event bus does not allow cross-account access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-eventbridge_bus_cross_account_access-211203495394-ap-south-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-south-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:ap-south-1:211203495394:event-bus/default",
            "region": "ap-south-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:ap-south-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-south-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
      ]
    },
    "risk_details": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default does not allow cross-account access.",
    "metadata": {
      "event_code": "eventbridge_bus_cross_account_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default does not allow cross-account access.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
      ],
      "notes": "This check supports the `trusted_account_ids` configuration in config.yaml to allow specific cross-account access without triggering a finding.",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-13.03AC",
          "IAM-10.01B",
          "COS-04.01B"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EventBridge event bus** has a **resource policy** that grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
      "title": "AWS EventBridge event bus does not allow cross-account access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-eventbridge_bus_cross_account_access-211203495394-ap-southeast-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:ap-southeast-1:211203495394:event-bus/default",
            "region": "ap-southeast-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:ap-southeast-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
      ]
    },
    "risk_details": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default does not allow cross-account access.",
    "metadata": {
      "event_code": "eventbridge_bus_cross_account_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default does not allow cross-account access.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
      ],
      "notes": "This check supports the `trusted_account_ids` configuration in config.yaml to allow specific cross-account access without triggering a finding.",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-13.03AC",
          "IAM-10.01B",
          "COS-04.01B"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EventBridge event bus** has a **resource policy** that grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
      "title": "AWS EventBridge event bus does not allow cross-account access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-eventbridge_bus_cross_account_access-211203495394-ap-southeast-2-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-2",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:ap-southeast-2:211203495394:event-bus/default",
            "region": "ap-southeast-2",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:ap-southeast-2:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-2"
    },
    "remediation": {
      "desc": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
      ]
    },
    "risk_details": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default does not allow cross-account access.",
    "metadata": {
      "event_code": "eventbridge_bus_cross_account_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default does not allow cross-account access.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
      ],
      "notes": "This check supports the `trusted_account_ids` configuration in config.yaml to allow specific cross-account access without triggering a finding.",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-13.03AC",
          "IAM-10.01B",
          "COS-04.01B"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EventBridge event bus** has a **resource policy** that grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
      "title": "AWS EventBridge event bus does not allow cross-account access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-eventbridge_bus_cross_account_access-211203495394-ca-central-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ca-central-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:ca-central-1:211203495394:event-bus/default",
            "region": "ca-central-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:ca-central-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ca-central-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
      ]
    },
    "risk_details": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default does not allow cross-account access.",
    "metadata": {
      "event_code": "eventbridge_bus_cross_account_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default does not allow cross-account access.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
      ],
      "notes": "This check supports the `trusted_account_ids` configuration in config.yaml to allow specific cross-account access without triggering a finding.",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-13.03AC",
          "IAM-10.01B",
          "COS-04.01B"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "This check flags an **EventBridge event bus** whose **resource policy** grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
      "title": "AWS EventBridge event bus does not allow cross-account access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-eventbridge_bus_cross_account_access-211203495394-eu-central-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-central-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:eu-central-1:211203495394:event-bus/default",
            "region": "eu-central-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:eu-central-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-central-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
      ]
    },
    "risk_details": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default does not allow cross-account access.",
    "metadata": {
      "event_code": "eventbridge_bus_cross_account_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default does not allow cross-account access.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
      ],
      "notes": "This check supports the `trusted_account_ids` configuration in config.yaml to allow specific cross-account access without triggering a finding.",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-13.03AC",
          "IAM-10.01B",
          "COS-04.01B"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "This check flags an **EventBridge event bus** whose **resource policy** grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
      "title": "AWS EventBridge event bus does not allow cross-account access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-eventbridge_bus_cross_account_access-211203495394-eu-north-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-north-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:eu-north-1:211203495394:event-bus/default",
            "region": "eu-north-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:eu-north-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-north-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
      ]
    },
    "risk_details": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default does not allow cross-account access.",
    "metadata": {
      "event_code": "eventbridge_bus_cross_account_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default does not allow cross-account access.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
      ],
      "notes": "This check supports the `trusted_account_ids` configuration in config.yaml to allow specific cross-account access without triggering a finding.",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-13.03AC",
          "IAM-10.01B",
          "COS-04.01B"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "This check flags an **EventBridge event bus** whose **resource policy** grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
      "title": "AWS EventBridge event bus does not allow cross-account access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-eventbridge_bus_cross_account_access-211203495394-eu-west-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:eu-west-1:211203495394:event-bus/default",
            "region": "eu-west-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:eu-west-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
      ]
    },
    "risk_details": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default does not allow cross-account access.",
    "metadata": {
      "event_code": "eventbridge_bus_cross_account_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default does not allow cross-account access.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
      ],
      "notes": "This check supports the `trusted_account_ids` configuration in config.yaml to allow specific cross-account access without triggering a finding.",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-13.03AC",
          "IAM-10.01B",
          "COS-04.01B"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "This check flags an **EventBridge event bus** whose **resource policy** grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
      "title": "AWS EventBridge event bus does not allow cross-account access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-eventbridge_bus_cross_account_access-211203495394-eu-west-2-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-2",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:eu-west-2:211203495394:event-bus/default",
            "region": "eu-west-2",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:eu-west-2:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-2"
    },
    "remediation": {
      "desc": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
      ]
    },
    "risk_details": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default does not allow cross-account access.",
    "metadata": {
      "event_code": "eventbridge_bus_cross_account_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default does not allow cross-account access.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
      ],
      "notes": "This check supports the `trusted_account_ids` configuration in config.yaml to allow specific cross-account access without triggering a finding.",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-13.03AC",
          "IAM-10.01B",
          "COS-04.01B"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "This check flags an **EventBridge event bus** whose **resource policy** grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
      "title": "AWS EventBridge event bus does not allow cross-account access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-eventbridge_bus_cross_account_access-211203495394-eu-west-3-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-3",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:eu-west-3:211203495394:event-bus/default",
            "region": "eu-west-3",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:eu-west-3:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-3"
    },
    "remediation": {
      "desc": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
      ]
    },
    "risk_details": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default does not allow cross-account access.",
    "metadata": {
      "event_code": "eventbridge_bus_cross_account_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default does not allow cross-account access.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
      ],
      "notes": "This check supports the `trusted_account_ids` configuration in config.yaml to allow specific cross-account access without triggering a finding.",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-13.03AC",
          "IAM-10.01B",
          "COS-04.01B"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "This check flags an **EventBridge event bus** whose **resource policy** grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
      "title": "AWS EventBridge event bus does not allow cross-account access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-eventbridge_bus_cross_account_access-211203495394-sa-east-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "sa-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:sa-east-1:211203495394:event-bus/default",
            "region": "sa-east-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:sa-east-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "sa-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
      ]
    },
    "risk_details": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default does not allow cross-account access.",
    "metadata": {
      "event_code": "eventbridge_bus_cross_account_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default does not allow cross-account access.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
      ],
      "notes": "This check supports the `trusted_account_ids` configuration in config.yaml to allow specific cross-account access without triggering a finding.",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-13.03AC",
          "IAM-10.01B",
          "COS-04.01B"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "This check flags an **EventBridge event bus** whose **resource policy** grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
      "title": "AWS EventBridge event bus does not allow cross-account access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-eventbridge_bus_cross_account_access-211203495394-us-east-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:us-east-1:211203495394:event-bus/default",
            "region": "us-east-1",
            "kms_key_id": null,
            "policy": {},
            "tags": [
              {
                "Key": "Preexisting",
                "Value": "20251012"
              }
            ]
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [
          "Preexisting:20251012"
        ],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:us-east-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
      ]
    },
    "risk_details": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default does not allow cross-account access.",
    "metadata": {
      "event_code": "eventbridge_bus_cross_account_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default does not allow cross-account access.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
      ],
      "notes": "This check supports the `trusted_account_ids` configuration in config.yaml to allow specific cross-account access without triggering a finding.",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-13.03AC",
          "IAM-10.01B",
          "COS-04.01B"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EventBridge event bus** has a **resource policy** that grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
      "title": "AWS EventBridge event bus does not allow cross-account access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-eventbridge_bus_cross_account_access-211203495394-us-east-2-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-2",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:us-east-2:211203495394:event-bus/default",
            "region": "us-east-2",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:us-east-2:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-2"
    },
    "remediation": {
      "desc": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
      ]
    },
    "risk_details": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default does not allow cross-account access.",
    "metadata": {
      "event_code": "eventbridge_bus_cross_account_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default does not allow cross-account access.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
      ],
      "notes": "This check supports the `trusted_account_ids` configuration in config.yaml to allow specific cross-account access without triggering a finding.",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-13.03AC",
          "IAM-10.01B",
          "COS-04.01B"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EventBridge event bus** has a **resource policy** that grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
      "title": "AWS EventBridge event bus does not allow cross-account access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-eventbridge_bus_cross_account_access-211203495394-us-west-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:us-west-1:211203495394:event-bus/default",
            "region": "us-west-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:us-west-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
      ]
    },
    "risk_details": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default does not allow cross-account access.",
    "metadata": {
      "event_code": "eventbridge_bus_cross_account_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default does not allow cross-account access.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
      ],
      "notes": "This check supports the `trusted_account_ids` configuration in config.yaml to allow specific cross-account access without triggering a finding.",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.6",
          "2.6.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-13.03AC",
          "IAM-10.01B",
          "COS-04.01B"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**EventBridge event bus** has a **resource policy** that grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
      "title": "AWS EventBridge event bus does not allow cross-account access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-eventbridge_bus_cross_account_access-211203495394-us-west-2-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-2",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:us-west-2:211203495394:event-bus/default",
            "region": "us-west-2",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:us-west-2:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-2"
    },
    "remediation": {
      "desc": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
      ]
    },
    "risk_details": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default is not exposed to everyone.",
    "metadata": {
      "event_code": "eventbridge_bus_exposed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default is not exposed to everyone.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
        "https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
      "title": "AWS EventBridge event bus policy does not allow public access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-eventbridge_bus_exposed-211203495394-ap-northeast-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:ap-northeast-1:211203495394:event-bus/default",
            "region": "ap-northeast-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:ap-northeast-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_exposed"
      ]
    },
    "risk_details": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default is not exposed to everyone.",
    "metadata": {
      "event_code": "eventbridge_bus_exposed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default is not exposed to everyone.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
        "https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
      "title": "AWS EventBridge event bus policy does not allow public access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-eventbridge_bus_exposed-211203495394-ap-northeast-2-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-2",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:ap-northeast-2:211203495394:event-bus/default",
            "region": "ap-northeast-2",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:ap-northeast-2:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-2"
    },
    "remediation": {
      "desc": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_exposed"
      ]
    },
    "risk_details": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default is not exposed to everyone.",
    "metadata": {
      "event_code": "eventbridge_bus_exposed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default is not exposed to everyone.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
        "https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
      "title": "AWS EventBridge event bus policy does not allow public access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-eventbridge_bus_exposed-211203495394-ap-northeast-3-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-3",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:ap-northeast-3:211203495394:event-bus/default",
            "region": "ap-northeast-3",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:ap-northeast-3:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-3"
    },
    "remediation": {
      "desc": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_exposed"
      ]
    },
    "risk_details": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default is not exposed to everyone.",
    "metadata": {
      "event_code": "eventbridge_bus_exposed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default is not exposed to everyone.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
        "https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
      "title": "AWS EventBridge event bus policy does not allow public access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-eventbridge_bus_exposed-211203495394-ap-south-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-south-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:ap-south-1:211203495394:event-bus/default",
            "region": "ap-south-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:ap-south-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-south-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_exposed"
      ]
    },
    "risk_details": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default is not exposed to everyone.",
    "metadata": {
      "event_code": "eventbridge_bus_exposed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default is not exposed to everyone.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
        "https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
      "title": "AWS EventBridge event bus policy does not allow public access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-eventbridge_bus_exposed-211203495394-ap-southeast-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:ap-southeast-1:211203495394:event-bus/default",
            "region": "ap-southeast-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:ap-southeast-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_exposed"
      ]
    },
    "risk_details": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default is not exposed to everyone.",
    "metadata": {
      "event_code": "eventbridge_bus_exposed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default is not exposed to everyone.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
        "https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
      "title": "AWS EventBridge event bus policy does not allow public access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-eventbridge_bus_exposed-211203495394-ap-southeast-2-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-2",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:ap-southeast-2:211203495394:event-bus/default",
            "region": "ap-southeast-2",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:ap-southeast-2:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-2"
    },
    "remediation": {
      "desc": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_exposed"
      ]
    },
    "risk_details": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default is not exposed to everyone.",
    "metadata": {
      "event_code": "eventbridge_bus_exposed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default is not exposed to everyone.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
        "https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
      "title": "AWS EventBridge event bus policy does not allow public access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-eventbridge_bus_exposed-211203495394-ca-central-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ca-central-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:ca-central-1:211203495394:event-bus/default",
            "region": "ca-central-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:ca-central-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ca-central-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_exposed"
      ]
    },
    "risk_details": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default is not exposed to everyone.",
    "metadata": {
      "event_code": "eventbridge_bus_exposed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default is not exposed to everyone.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
        "https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
      "title": "AWS EventBridge event bus policy does not allow public access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-eventbridge_bus_exposed-211203495394-eu-central-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-central-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:eu-central-1:211203495394:event-bus/default",
            "region": "eu-central-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:eu-central-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-central-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_exposed"
      ]
    },
    "risk_details": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default is not exposed to everyone.",
    "metadata": {
      "event_code": "eventbridge_bus_exposed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default is not exposed to everyone.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
        "https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
      "title": "AWS EventBridge event bus policy does not allow public access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-eventbridge_bus_exposed-211203495394-eu-north-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-north-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:eu-north-1:211203495394:event-bus/default",
            "region": "eu-north-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:eu-north-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-north-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_exposed"
      ]
    },
    "risk_details": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default is not exposed to everyone.",
    "metadata": {
      "event_code": "eventbridge_bus_exposed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default is not exposed to everyone.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
        "https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
      "title": "AWS EventBridge event bus policy does not allow public access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-eventbridge_bus_exposed-211203495394-eu-west-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:eu-west-1:211203495394:event-bus/default",
            "region": "eu-west-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:eu-west-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_exposed"
      ]
    },
    "risk_details": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default is not exposed to everyone.",
    "metadata": {
      "event_code": "eventbridge_bus_exposed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default is not exposed to everyone.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
        "https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
      "title": "AWS EventBridge event bus policy does not allow public access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-eventbridge_bus_exposed-211203495394-eu-west-2-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-2",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:eu-west-2:211203495394:event-bus/default",
            "region": "eu-west-2",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:eu-west-2:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-2"
    },
    "remediation": {
      "desc": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_exposed"
      ]
    },
    "risk_details": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default is not exposed to everyone.",
    "metadata": {
      "event_code": "eventbridge_bus_exposed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default is not exposed to everyone.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
        "https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
      "title": "AWS EventBridge event bus policy does not allow public access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-eventbridge_bus_exposed-211203495394-eu-west-3-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-3",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:eu-west-3:211203495394:event-bus/default",
            "region": "eu-west-3",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:eu-west-3:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-3"
    },
    "remediation": {
      "desc": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_exposed"
      ]
    },
    "risk_details": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default is not exposed to everyone.",
    "metadata": {
      "event_code": "eventbridge_bus_exposed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default is not exposed to everyone.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
        "https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
      "title": "AWS EventBridge event bus policy does not allow public access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-eventbridge_bus_exposed-211203495394-sa-east-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "sa-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:sa-east-1:211203495394:event-bus/default",
            "region": "sa-east-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:sa-east-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "sa-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_exposed"
      ]
    },
    "risk_details": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default is not exposed to everyone.",
    "metadata": {
      "event_code": "eventbridge_bus_exposed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default is not exposed to everyone.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
        "https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
      "title": "AWS EventBridge event bus policy does not allow public access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-eventbridge_bus_exposed-211203495394-us-east-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:us-east-1:211203495394:event-bus/default",
            "region": "us-east-1",
            "kms_key_id": null,
            "policy": {},
            "tags": [
              {
                "Key": "Preexisting",
                "Value": "20251012"
              }
            ]
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [
          "Preexisting:20251012"
        ],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:us-east-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_exposed"
      ]
    },
    "risk_details": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default is not exposed to everyone.",
    "metadata": {
      "event_code": "eventbridge_bus_exposed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default is not exposed to everyone.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
        "https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
      "title": "AWS EventBridge event bus policy does not allow public access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-eventbridge_bus_exposed-211203495394-us-east-2-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-2",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:us-east-2:211203495394:event-bus/default",
            "region": "us-east-2",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:us-east-2:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-2"
    },
    "remediation": {
      "desc": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_exposed"
      ]
    },
    "risk_details": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default is not exposed to everyone.",
    "metadata": {
      "event_code": "eventbridge_bus_exposed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default is not exposed to everyone.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
        "https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
      "title": "AWS EventBridge event bus policy does not allow public access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-eventbridge_bus_exposed-211203495394-us-west-1-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:us-west-1:211203495394:event-bus/default",
            "region": "us-west-1",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:us-west-1:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_exposed"
      ]
    },
    "risk_details": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "EventBridge event bus default is not exposed to everyone.",
    "metadata": {
      "event_code": "eventbridge_bus_exposed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EventBridge event bus default is not exposed to everyone.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "internet-exposed"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
        "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
        "https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.6.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "2.3.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.6.2",
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "ra_5",
          "ac_4",
          "dp_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
      "title": "AWS EventBridge event bus policy does not allow public access",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access"
      ],
      "uid": "prowler-aws-eventbridge_bus_exposed-211203495394-us-west-2-default"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-2",
        "data": {
          "details": "",
          "metadata": {
            "name": "default",
            "arn": "arn:aws:events:us-west-2:211203495394:event-bus/default",
            "region": "us-west-2",
            "kms_key_id": null,
            "policy": {},
            "tags": []
          }
        },
        "group": {
          "name": "eventbridge"
        },
        "labels": [],
        "name": "default",
        "type": "AwsEventsEventbus",
        "uid": "arn:aws:events:us-west-2:211203495394:event-bus/default"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-2"
    },
    "remediation": {
      "desc": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
      "references": [
        "https://hub.prowler.com/check/eventbridge_bus_exposed"
      ]
    },
    "risk_details": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty in region ap-northeast-1 has issues: no delegated administrator configured, detector not enabled.",
    "metadata": {
      "event_code": "guardduty_delegated_admin_enabled_all_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty in region ap-northeast-1 has issues: no delegated administrator configured, detector not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [
        "guardduty_is_enabled",
        "guardduty_centrally_managed"
      ],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html",
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_multi-account.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html"
      ],
      "notes": "This check requires execution from the organization management account or delegated administrator account to access organization-level APIs.",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Checks that **Amazon GuardDuty** has a delegated administrator configured at the organization level, that detectors are enabled in all opted-in regions, and that organization auto-enable is active for new member accounts.",
      "title": "GuardDuty has delegated admin configured and is enabled in all regions with organization auto-enable",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-guardduty_delegated_admin_enabled_all_regions-211203495394-ap-northeast-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:ap-northeast-1:211203495394:detector/unknown",
            "region": "ap-northeast-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:ap-northeast-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-1"
    },
    "remediation": {
      "desc": "Configure a **delegated administrator** for GuardDuty via AWS Organizations. Enable GuardDuty detectors in **all opted-in regions** and configure **auto-enable** to automatically enroll new member accounts. This ensures consistent threat detection coverage across the entire organization.",
      "references": [
        "https://hub.prowler.com/check/guardduty_delegated_admin_enabled_all_regions"
      ]
    },
    "risk_details": "Without org-wide **Amazon GuardDuty** configuration, gaps can occur where detectors are enabled in some regions but not others, delegated admin is inconsistent, and new accounts are not auto-enrolled. This fragments **threat visibility**, delays **incident response**, and allows adversaries to exploit unmonitored regions or accounts for **lateral movement** and **data exfiltration**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty in region ap-northeast-2 has issues: no delegated administrator configured, detector not enabled.",
    "metadata": {
      "event_code": "guardduty_delegated_admin_enabled_all_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty in region ap-northeast-2 has issues: no delegated administrator configured, detector not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [
        "guardduty_is_enabled",
        "guardduty_centrally_managed"
      ],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html",
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_multi-account.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html"
      ],
      "notes": "This check requires execution from the organization management account or delegated administrator account to access organization-level APIs.",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Checks that **Amazon GuardDuty** has a delegated administrator configured at the organization level, that detectors are enabled in all opted-in regions, and that organization auto-enable is active for new member accounts.",
      "title": "GuardDuty has delegated admin configured and is enabled in all regions with organization auto-enable",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-guardduty_delegated_admin_enabled_all_regions-211203495394-ap-northeast-2-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:ap-northeast-2:211203495394:detector/unknown",
            "region": "ap-northeast-2",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:ap-northeast-2:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-2"
    },
    "remediation": {
      "desc": "Configure a **delegated administrator** for GuardDuty via AWS Organizations. Enable GuardDuty detectors in **all opted-in regions** and configure **auto-enable** to automatically enroll new member accounts. This ensures consistent threat detection coverage across the entire organization.",
      "references": [
        "https://hub.prowler.com/check/guardduty_delegated_admin_enabled_all_regions"
      ]
    },
    "risk_details": "Without org-wide **Amazon GuardDuty** configuration, gaps can occur where detectors are enabled in some regions but not others, delegated admin is inconsistent, and new accounts are not auto-enrolled. This fragments **threat visibility**, delays **incident response**, and allows adversaries to exploit unmonitored regions or accounts for **lateral movement** and **data exfiltration**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty in region ap-northeast-3 has issues: no delegated administrator configured, detector not enabled.",
    "metadata": {
      "event_code": "guardduty_delegated_admin_enabled_all_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty in region ap-northeast-3 has issues: no delegated administrator configured, detector not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [
        "guardduty_is_enabled",
        "guardduty_centrally_managed"
      ],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html",
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_multi-account.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html"
      ],
      "notes": "This check requires execution from the organization management account or delegated administrator account to access organization-level APIs.",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Checks that **Amazon GuardDuty** has a delegated administrator configured at the organization level, that detectors are enabled in all opted-in regions, and that organization auto-enable is active for new member accounts.",
      "title": "GuardDuty has delegated admin configured and is enabled in all regions with organization auto-enable",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-guardduty_delegated_admin_enabled_all_regions-211203495394-ap-northeast-3-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-3",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:ap-northeast-3:211203495394:detector/unknown",
            "region": "ap-northeast-3",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:ap-northeast-3:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-3"
    },
    "remediation": {
      "desc": "Configure a **delegated administrator** for GuardDuty via AWS Organizations. Enable GuardDuty detectors in **all opted-in regions** and configure **auto-enable** to automatically enroll new member accounts. This ensures consistent threat detection coverage across the entire organization.",
      "references": [
        "https://hub.prowler.com/check/guardduty_delegated_admin_enabled_all_regions"
      ]
    },
    "risk_details": "Without org-wide **Amazon GuardDuty** configuration, gaps can occur where detectors are enabled in some regions but not others, delegated admin is inconsistent, and new accounts are not auto-enrolled. This fragments **threat visibility**, delays **incident response**, and allows adversaries to exploit unmonitored regions or accounts for **lateral movement** and **data exfiltration**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty in region ap-south-1 has issues: no delegated administrator configured, detector not enabled.",
    "metadata": {
      "event_code": "guardduty_delegated_admin_enabled_all_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty in region ap-south-1 has issues: no delegated administrator configured, detector not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [
        "guardduty_is_enabled",
        "guardduty_centrally_managed"
      ],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html",
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_multi-account.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html"
      ],
      "notes": "This check requires execution from the organization management account or delegated administrator account to access organization-level APIs.",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Checks that **Amazon GuardDuty** has a delegated administrator configured at the organization level, that detectors are enabled in all opted-in regions, and that organization auto-enable is active for new member accounts.",
      "title": "GuardDuty has delegated admin configured and is enabled in all regions with organization auto-enable",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-guardduty_delegated_admin_enabled_all_regions-211203495394-ap-south-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-south-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:ap-south-1:211203495394:detector/unknown",
            "region": "ap-south-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:ap-south-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-south-1"
    },
    "remediation": {
      "desc": "Configure a **delegated administrator** for GuardDuty via AWS Organizations. Enable GuardDuty detectors in **all opted-in regions** and configure **auto-enable** to automatically enroll new member accounts. This ensures consistent threat detection coverage across the entire organization.",
      "references": [
        "https://hub.prowler.com/check/guardduty_delegated_admin_enabled_all_regions"
      ]
    },
    "risk_details": "Without org-wide **Amazon GuardDuty** configuration, gaps can occur where detectors are enabled in some regions but not others, delegated admin is inconsistent, and new accounts are not auto-enrolled. This fragments **threat visibility**, delays **incident response**, and allows adversaries to exploit unmonitored regions or accounts for **lateral movement** and **data exfiltration**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty in region ap-southeast-1 has issues: no delegated administrator configured, detector not enabled.",
    "metadata": {
      "event_code": "guardduty_delegated_admin_enabled_all_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty in region ap-southeast-1 has issues: no delegated administrator configured, detector not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [
        "guardduty_is_enabled",
        "guardduty_centrally_managed"
      ],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html",
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_multi-account.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html"
      ],
      "notes": "This check requires execution from the organization management account or delegated administrator account to access organization-level APIs.",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Checks that **Amazon GuardDuty** has a delegated administrator configured at the organization level, that detectors are enabled in all opted-in regions, and that organization auto-enable is active for new member accounts.",
      "title": "GuardDuty has delegated admin configured and is enabled in all regions with organization auto-enable",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-guardduty_delegated_admin_enabled_all_regions-211203495394-ap-southeast-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:ap-southeast-1:211203495394:detector/unknown",
            "region": "ap-southeast-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:ap-southeast-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-1"
    },
    "remediation": {
      "desc": "Configure a **delegated administrator** for GuardDuty via AWS Organizations. Enable GuardDuty detectors in **all opted-in regions** and configure **auto-enable** to automatically enroll new member accounts. This ensures consistent threat detection coverage across the entire organization.",
      "references": [
        "https://hub.prowler.com/check/guardduty_delegated_admin_enabled_all_regions"
      ]
    },
    "risk_details": "Without org-wide **Amazon GuardDuty** configuration, gaps can occur where detectors are enabled in some regions but not others, delegated admin is inconsistent, and new accounts are not auto-enrolled. This fragments **threat visibility**, delays **incident response**, and allows adversaries to exploit unmonitored regions or accounts for **lateral movement** and **data exfiltration**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty in region ap-southeast-2 has issues: no delegated administrator configured, detector not enabled.",
    "metadata": {
      "event_code": "guardduty_delegated_admin_enabled_all_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty in region ap-southeast-2 has issues: no delegated administrator configured, detector not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [
        "guardduty_is_enabled",
        "guardduty_centrally_managed"
      ],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html",
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_multi-account.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html"
      ],
      "notes": "This check requires execution from the organization management account or delegated administrator account to access organization-level APIs.",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Checks that **Amazon GuardDuty** has a delegated administrator configured at the organization level, that detectors are enabled in all opted-in regions, and that organization auto-enable is active for new member accounts.",
      "title": "GuardDuty has delegated admin configured and is enabled in all regions with organization auto-enable",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-guardduty_delegated_admin_enabled_all_regions-211203495394-ap-southeast-2-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:ap-southeast-2:211203495394:detector/unknown",
            "region": "ap-southeast-2",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:ap-southeast-2:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-2"
    },
    "remediation": {
      "desc": "Configure a **delegated administrator** for GuardDuty via AWS Organizations. Enable GuardDuty detectors in **all opted-in regions** and configure **auto-enable** to automatically enroll new member accounts. This ensures consistent threat detection coverage across the entire organization.",
      "references": [
        "https://hub.prowler.com/check/guardduty_delegated_admin_enabled_all_regions"
      ]
    },
    "risk_details": "Without org-wide **Amazon GuardDuty** configuration, gaps can occur where detectors are enabled in some regions but not others, delegated admin is inconsistent, and new accounts are not auto-enrolled. This fragments **threat visibility**, delays **incident response**, and allows adversaries to exploit unmonitored regions or accounts for **lateral movement** and **data exfiltration**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty in region ca-central-1 has issues: no delegated administrator configured, detector not enabled.",
    "metadata": {
      "event_code": "guardduty_delegated_admin_enabled_all_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty in region ca-central-1 has issues: no delegated administrator configured, detector not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [
        "guardduty_is_enabled",
        "guardduty_centrally_managed"
      ],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html",
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_multi-account.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html"
      ],
      "notes": "This check requires execution from the organization management account or delegated administrator account to access organization-level APIs.",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** has a delegated administrator configured at the organization level, detectors are enabled in all opted-in regions, and organization auto-enable is active for new member accounts.",
      "title": "GuardDuty has delegated admin configured and is enabled in all regions with organization auto-enable",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-guardduty_delegated_admin_enabled_all_regions-211203495394-ca-central-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ca-central-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:ca-central-1:211203495394:detector/unknown",
            "region": "ca-central-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:ca-central-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ca-central-1"
    },
    "remediation": {
      "desc": "Configure a **delegated administrator** for GuardDuty via AWS Organizations. Enable GuardDuty detectors in **all opted-in regions** and configure **auto-enable** to automatically enroll new member accounts. This ensures consistent threat detection coverage across the entire organization.",
      "references": [
        "https://hub.prowler.com/check/guardduty_delegated_admin_enabled_all_regions"
      ]
    },
    "risk_details": "Without org-wide **Amazon GuardDuty** configuration, gaps can occur where detectors are enabled in some regions but not others, delegated admin is inconsistent, and new accounts are not auto-enrolled. This fragments **threat visibility**, delays **incident response**, and allows adversaries to exploit unmonitored regions or accounts for **lateral movement** and **data exfiltration**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty in region eu-central-1 has issues: no delegated administrator configured, detector not enabled.",
    "metadata": {
      "event_code": "guardduty_delegated_admin_enabled_all_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty in region eu-central-1 has issues: no delegated administrator configured, detector not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [
        "guardduty_is_enabled",
        "guardduty_centrally_managed"
      ],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html",
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_multi-account.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html"
      ],
      "notes": "This check requires execution from the organization management account or delegated administrator account to access organization-level APIs.",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** has a delegated administrator configured at the organization level, detectors are enabled in all opted-in regions, and organization auto-enable is active for new member accounts.",
      "title": "GuardDuty has delegated admin configured and is enabled in all regions with organization auto-enable",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-guardduty_delegated_admin_enabled_all_regions-211203495394-eu-central-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-central-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:eu-central-1:211203495394:detector/unknown",
            "region": "eu-central-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:eu-central-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-central-1"
    },
    "remediation": {
      "desc": "Configure a **delegated administrator** for GuardDuty via AWS Organizations. Enable GuardDuty detectors in **all opted-in regions** and configure **auto-enable** to automatically enroll new member accounts. This ensures consistent threat detection coverage across the entire organization.",
      "references": [
        "https://hub.prowler.com/check/guardduty_delegated_admin_enabled_all_regions"
      ]
    },
    "risk_details": "Without org-wide **Amazon GuardDuty** configuration, gaps can occur where detectors are enabled in some regions but not others, delegated admin is inconsistent, and new accounts are not auto-enrolled. This fragments **threat visibility**, delays **incident response**, and allows adversaries to exploit unmonitored regions or accounts for **lateral movement** and **data exfiltration**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty in region eu-north-1 has issues: no delegated administrator configured, detector not enabled.",
    "metadata": {
      "event_code": "guardduty_delegated_admin_enabled_all_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty in region eu-north-1 has issues: no delegated administrator configured, detector not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [
        "guardduty_is_enabled",
        "guardduty_centrally_managed"
      ],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html",
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_multi-account.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html"
      ],
      "notes": "This check requires execution from the organization management account or delegated administrator account to access organization-level APIs.",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** has a delegated administrator configured at the organization level, detectors are enabled in all opted-in regions, and organization auto-enable is active for new member accounts.",
      "title": "GuardDuty has delegated admin configured and is enabled in all regions with organization auto-enable",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-guardduty_delegated_admin_enabled_all_regions-211203495394-eu-north-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-north-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:eu-north-1:211203495394:detector/unknown",
            "region": "eu-north-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:eu-north-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-north-1"
    },
    "remediation": {
      "desc": "Configure a **delegated administrator** for GuardDuty via AWS Organizations. Enable GuardDuty detectors in **all opted-in regions** and configure **auto-enable** to automatically enroll new member accounts. This ensures consistent threat detection coverage across the entire organization.",
      "references": [
        "https://hub.prowler.com/check/guardduty_delegated_admin_enabled_all_regions"
      ]
    },
    "risk_details": "Without org-wide **Amazon GuardDuty** configuration, gaps can occur where detectors are enabled in some regions but not others, delegated admin is inconsistent, and new accounts are not auto-enrolled. This fragments **threat visibility**, delays **incident response**, and allows adversaries to exploit unmonitored regions or accounts for **lateral movement** and **data exfiltration**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty in region eu-west-1 has issues: no delegated administrator configured, detector not enabled.",
    "metadata": {
      "event_code": "guardduty_delegated_admin_enabled_all_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty in region eu-west-1 has issues: no delegated administrator configured, detector not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [
        "guardduty_is_enabled",
        "guardduty_centrally_managed"
      ],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html",
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_multi-account.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html"
      ],
      "notes": "This check requires execution from the organization management account or delegated administrator account to access organization-level APIs.",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** has a delegated administrator configured at the organization level, detectors are enabled in all opted-in regions, and organization auto-enable is active for new member accounts.",
      "title": "GuardDuty has delegated admin configured and is enabled in all regions with organization auto-enable",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-guardduty_delegated_admin_enabled_all_regions-211203495394-eu-west-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:eu-west-1:211203495394:detector/unknown",
            "region": "eu-west-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:eu-west-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-1"
    },
    "remediation": {
      "desc": "Configure a **delegated administrator** for GuardDuty via AWS Organizations. Enable GuardDuty detectors in **all opted-in regions** and configure **auto-enable** to automatically enroll new member accounts. This ensures consistent threat detection coverage across the entire organization.",
      "references": [
        "https://hub.prowler.com/check/guardduty_delegated_admin_enabled_all_regions"
      ]
    },
    "risk_details": "Without org-wide **Amazon GuardDuty** configuration, gaps can occur where detectors are enabled in some regions but not others, delegated admin is inconsistent, and new accounts are not auto-enrolled. This fragments **threat visibility**, delays **incident response**, and allows adversaries to exploit unmonitored regions or accounts for **lateral movement** and **data exfiltration**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty in region eu-west-2 has issues: no delegated administrator configured, detector not enabled.",
    "metadata": {
      "event_code": "guardduty_delegated_admin_enabled_all_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty in region eu-west-2 has issues: no delegated administrator configured, detector not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [
        "guardduty_is_enabled",
        "guardduty_centrally_managed"
      ],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html",
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_multi-account.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html"
      ],
      "notes": "This check requires execution from the organization management account or delegated administrator account to access organization-level APIs.",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** has a delegated administrator configured at the organization level, detectors are enabled in all opted-in regions, and organization auto-enable is active for new member accounts.",
      "title": "GuardDuty has delegated admin configured and is enabled in all regions with organization auto-enable",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-guardduty_delegated_admin_enabled_all_regions-211203495394-eu-west-2-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:eu-west-2:211203495394:detector/unknown",
            "region": "eu-west-2",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:eu-west-2:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-2"
    },
    "remediation": {
      "desc": "Configure a **delegated administrator** for GuardDuty via AWS Organizations. Enable GuardDuty detectors in **all opted-in regions** and configure **auto-enable** to automatically enroll new member accounts. This ensures consistent threat detection coverage across the entire organization.",
      "references": [
        "https://hub.prowler.com/check/guardduty_delegated_admin_enabled_all_regions"
      ]
    },
    "risk_details": "Without org-wide **Amazon GuardDuty** configuration, gaps can occur where detectors are enabled in some regions but not others, delegated admin is inconsistent, and new accounts are not auto-enrolled. This fragments **threat visibility**, delays **incident response**, and allows adversaries to exploit unmonitored regions or accounts for **lateral movement** and **data exfiltration**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty in region eu-west-3 has issues: no delegated administrator configured, detector not enabled.",
    "metadata": {
      "event_code": "guardduty_delegated_admin_enabled_all_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty in region eu-west-3 has issues: no delegated administrator configured, detector not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [
        "guardduty_is_enabled",
        "guardduty_centrally_managed"
      ],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html",
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_multi-account.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html"
      ],
      "notes": "This check requires execution from the organization management account or delegated administrator account to access organization-level APIs.",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** has a delegated administrator configured at the organization level, detectors are enabled in all opted-in regions, and organization auto-enable is active for new member accounts.",
      "title": "GuardDuty has delegated admin configured and is enabled in all regions with organization auto-enable",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-guardduty_delegated_admin_enabled_all_regions-211203495394-eu-west-3-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-3",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:eu-west-3:211203495394:detector/unknown",
            "region": "eu-west-3",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:eu-west-3:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-3"
    },
    "remediation": {
      "desc": "Configure a **delegated administrator** for GuardDuty via AWS Organizations. Enable GuardDuty detectors in **all opted-in regions** and configure **auto-enable** to automatically enroll new member accounts. This ensures consistent threat detection coverage across the entire organization.",
      "references": [
        "https://hub.prowler.com/check/guardduty_delegated_admin_enabled_all_regions"
      ]
    },
    "risk_details": "Without org-wide **Amazon GuardDuty** configuration, gaps can occur where detectors are enabled in some regions but not others, delegated admin is inconsistent, and new accounts are not auto-enrolled. This fragments **threat visibility**, delays **incident response**, and allows adversaries to exploit unmonitored regions or accounts for **lateral movement** and **data exfiltration**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty in region sa-east-1 has issues: no delegated administrator configured, detector not enabled.",
    "metadata": {
      "event_code": "guardduty_delegated_admin_enabled_all_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty in region sa-east-1 has issues: no delegated administrator configured, detector not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [
        "guardduty_is_enabled",
        "guardduty_centrally_managed"
      ],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html",
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_multi-account.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html"
      ],
      "notes": "This check requires execution from the organization management account or delegated administrator account to access organization-level APIs.",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** has a delegated administrator configured at the organization level, detectors are enabled in all opted-in regions, and organization auto-enable is active for new member accounts.",
      "title": "GuardDuty has delegated admin configured and is enabled in all regions with organization auto-enable",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-guardduty_delegated_admin_enabled_all_regions-211203495394-sa-east-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "sa-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:sa-east-1:211203495394:detector/unknown",
            "region": "sa-east-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:sa-east-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "sa-east-1"
    },
    "remediation": {
      "desc": "Configure a **delegated administrator** for GuardDuty via AWS Organizations. Enable GuardDuty detectors in **all opted-in regions** and configure **auto-enable** to automatically enroll new member accounts. This ensures consistent threat detection coverage across the entire organization.",
      "references": [
        "https://hub.prowler.com/check/guardduty_delegated_admin_enabled_all_regions"
      ]
    },
    "risk_details": "Without org-wide **Amazon GuardDuty** configuration, gaps can occur where detectors are enabled in some regions but not others, delegated admin is inconsistent, and new accounts are not auto-enrolled. This fragments **threat visibility**, delays **incident response**, and allows adversaries to exploit unmonitored regions or accounts for **lateral movement** and **data exfiltration**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty in region us-east-1 has issues: no delegated administrator configured, detector not enabled.",
    "metadata": {
      "event_code": "guardduty_delegated_admin_enabled_all_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty in region us-east-1 has issues: no delegated administrator configured, detector not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [
        "guardduty_is_enabled",
        "guardduty_centrally_managed"
      ],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html",
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_multi-account.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html"
      ],
      "notes": "This check requires execution from the organization management account or delegated administrator account to access organization-level APIs.",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** has a delegated administrator configured at the organization level, detectors are enabled in all opted-in regions, and organization auto-enable is active for new member accounts.",
      "title": "GuardDuty has delegated admin configured and is enabled in all regions with organization auto-enable",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-guardduty_delegated_admin_enabled_all_regions-211203495394-us-east-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:us-east-1:211203495394:detector/unknown",
            "region": "us-east-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:us-east-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Configure a **delegated administrator** for GuardDuty via AWS Organizations. Enable GuardDuty detectors in **all opted-in regions** and configure **auto-enable** to automatically enroll new member accounts. This ensures consistent threat detection coverage across the entire organization.",
      "references": [
        "https://hub.prowler.com/check/guardduty_delegated_admin_enabled_all_regions"
      ]
    },
    "risk_details": "Without org-wide **Amazon GuardDuty** configuration, gaps can occur where detectors are enabled in some regions but not others, delegated admin is inconsistent, and new accounts are not auto-enrolled. This fragments **threat visibility**, delays **incident response**, and allows adversaries to exploit unmonitored regions or accounts for **lateral movement** and **data exfiltration**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty in region us-east-2 has issues: no delegated administrator configured, detector not enabled.",
    "metadata": {
      "event_code": "guardduty_delegated_admin_enabled_all_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty in region us-east-2 has issues: no delegated administrator configured, detector not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [
        "guardduty_is_enabled",
        "guardduty_centrally_managed"
      ],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html",
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_multi-account.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html"
      ],
      "notes": "This check requires execution from the organization management account or delegated administrator account to access organization-level APIs.",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** has a delegated administrator configured at the organization level, detectors are enabled in all opted-in regions, and organization auto-enable is active for new member accounts.",
      "title": "GuardDuty has delegated admin configured and is enabled in all regions with organization auto-enable",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-guardduty_delegated_admin_enabled_all_regions-211203495394-us-east-2-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:us-east-2:211203495394:detector/unknown",
            "region": "us-east-2",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:us-east-2:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-2"
    },
    "remediation": {
      "desc": "Configure a **delegated administrator** for GuardDuty via AWS Organizations. Enable GuardDuty detectors in **all opted-in regions** and configure **auto-enable** to automatically enroll new member accounts. This ensures consistent threat detection coverage across the entire organization.",
      "references": [
        "https://hub.prowler.com/check/guardduty_delegated_admin_enabled_all_regions"
      ]
    },
    "risk_details": "Without org-wide **Amazon GuardDuty** configuration, gaps can occur where detectors are enabled in some regions but not others, delegated admin is inconsistent, and new accounts are not auto-enrolled. This fragments **threat visibility**, delays **incident response**, and allows adversaries to exploit unmonitored regions or accounts for **lateral movement** and **data exfiltration**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty in region us-west-1 has issues: no delegated administrator configured, detector not enabled.",
    "metadata": {
      "event_code": "guardduty_delegated_admin_enabled_all_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty in region us-west-1 has issues: no delegated administrator configured, detector not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [
        "guardduty_is_enabled",
        "guardduty_centrally_managed"
      ],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html",
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_multi-account.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html"
      ],
      "notes": "This check requires execution from the organization management account or delegated administrator account to access organization-level APIs.",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** has a delegated administrator configured at the organization level, detectors are enabled in all opted-in regions, and organization auto-enable is active for new member accounts.",
      "title": "GuardDuty has delegated admin configured and is enabled in all regions with organization auto-enable",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-guardduty_delegated_admin_enabled_all_regions-211203495394-us-west-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:us-west-1:211203495394:detector/unknown",
            "region": "us-west-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:us-west-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-1"
    },
    "remediation": {
      "desc": "Configure a **delegated administrator** for GuardDuty via AWS Organizations. Enable GuardDuty detectors in **all opted-in regions** and configure **auto-enable** to automatically enroll new member accounts. This ensures consistent threat detection coverage across the entire organization.",
      "references": [
        "https://hub.prowler.com/check/guardduty_delegated_admin_enabled_all_regions"
      ]
    },
    "risk_details": "Without org-wide **Amazon GuardDuty** configuration, gaps can occur where detectors are enabled in some regions but not others, delegated admin is inconsistent, and new accounts are not auto-enrolled. This fragments **threat visibility**, delays **incident response**, and allows adversaries to exploit unmonitored regions or accounts for **lateral movement** and **data exfiltration**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty in region us-west-2 has issues: no delegated administrator configured, detector not enabled.",
    "metadata": {
      "event_code": "guardduty_delegated_admin_enabled_all_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty in region us-west-2 has issues: no delegated administrator configured, detector not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [
        "guardduty_is_enabled",
        "guardduty_centrally_managed"
      ],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html",
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_multi-account.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html"
      ],
      "notes": "This check requires execution from the organization management account or delegated administrator account to access organization-level APIs.",
      "compliance": {},
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** has a delegated administrator configured at the organization level, detectors are enabled in all opted-in regions, and organization auto-enable is active for new member accounts.",
      "title": "GuardDuty has delegated admin configured and is enabled in all regions with organization auto-enable",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-guardduty_delegated_admin_enabled_all_regions-211203495394-us-west-2-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:us-west-2:211203495394:detector/unknown",
            "region": "us-west-2",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:us-west-2:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-2"
    },
    "remediation": {
      "desc": "Configure a **delegated administrator** for GuardDuty via AWS Organizations. Enable GuardDuty detectors in **all opted-in regions** and configure **auto-enable** to automatically enroll new member accounts. This ensures consistent threat detection coverage across the entire organization.",
      "references": [
        "https://hub.prowler.com/check/guardduty_delegated_admin_enabled_all_regions"
      ]
    },
    "risk_details": "Without org-wide **Amazon GuardDuty** configuration, gaps can occur where detectors are enabled in some regions but not others, delegated admin is inconsistent, and new accounts are not auto-enrolled. This fragments **threat visibility**, delays **incident response**, and allows adversaries to exploit unmonitored regions or accounts for **lateral movement** and **data exfiltration**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty is not enabled.",
    "metadata": {
      "event_code": "guardduty_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
        "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
        "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
        "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a",
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "cm-8",
          "ir-4",
          "sc-5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_12_a",
          "ac_3_12_b",
          "au_3_1",
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "cm_8_3_a",
          "pe_6_2",
          "pe_6_4",
          "pm_14_a_1",
          "pm_14_b",
          "pm_16",
          "pm_31",
          "ra_1_a",
          "ra_1_a_1",
          "ra_1_a_2",
          "ra_3_4",
          "ra_3_a_1",
          "ra_5_a",
          "ra_5_4",
          "ra_10_a",
          "ra_10_a_1",
          "ra_10_a_2",
          "sc_5_1",
          "sc_5_3_a",
          "sc_5_3_b",
          "sc_5_a",
          "sc_5_b",
          "sc_43_b",
          "si_3_8_a",
          "si_4_a",
          "si_4_a_1",
          "si_4_a_2",
          "si_4_b",
          "si_4_c",
          "si_4_1",
          "si_4_2",
          "si_4_3",
          "si_4_4_a",
          "si_4_4_b",
          "si_4_10",
          "si_4_13_a",
          "si_4_14",
          "si_4_23",
          "si_4_25",
          "si_5_1",
          "si_5_b"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN07.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "11.4",
          "11.4.a",
          "11.4.b",
          "11.4.c"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "GRC-05",
          "IVS-09",
          "LOG-03",
          "LOG-13",
          "SEF-06",
          "TVM-04",
          "TVM-07"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "11.5.1.1.2",
          "11.5.1.2"
        ],
        "FFIEC": [
          "d1-rm-ra-b-2",
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04",
          "SEC05-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_3_2",
          "cc_4_2",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OPS-05.03AC",
          "OPS-13.01B",
          "OPS-23.01B",
          "SIM-01.02AC"
        ],
        "ISO27001-2022": [
          "A.5.19",
          "A.5.21",
          "A.5.25",
          "A.5.28",
          "A.5.29",
          "A.8.7",
          "A.8.9"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "GuardDuty.1"
        ],
        "SecNumCloud-3.2": [
          "12.4",
          "12.9",
          "13.3",
          "16.2"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "ra_5",
          "sa_10",
          "si_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Alert on each High finding",
          "Enable as part of central configuration for Organization",
          "Threat Detection",
          "RDS protection",
          "Lambda protection",
          "S3 protection",
          "Malware Scanning",
          "Confirm that events are present in SIEM",
          "Apply suppression filters to disable useless findings",
          "Include in process of incident response based on events",
          "Runtime protection"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1",
          "cm_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "cm-8-3-a",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "ra-5",
          "sa-10",
          "sc-5",
          "si-4-1",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_4",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.6.aws.gd.1",
          "op.exp.7.aws.gd.1",
          "op.mon.1.aws.gd.1",
          "op.mon.1.aws.gd.2",
          "op.mon.3.r1.aws.gd.1",
          "op.mon.3.r3.aws.gd.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1552",
          "T1048",
          "T1496",
          "T1498",
          "T1580",
          "T1526",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** detector existence and health are evaluated per Region. It identifies where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
      "title": "GuardDuty detector is enabled and not suspended",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-guardduty_is_enabled-211203495394-ap-northeast-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:ap-northeast-1:211203495394:detector/unknown",
            "region": "ap-northeast-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:ap-northeast-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-1"
    },
    "remediation": {
      "desc": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/guardduty_is_enabled"
      ]
    },
    "risk_details": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability, especially in unmonitored Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty is not enabled.",
    "metadata": {
      "event_code": "guardduty_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
        "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
        "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
        "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a",
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "cm-8",
          "ir-4",
          "sc-5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_12_a",
          "ac_3_12_b",
          "au_3_1",
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "cm_8_3_a",
          "pe_6_2",
          "pe_6_4",
          "pm_14_a_1",
          "pm_14_b",
          "pm_16",
          "pm_31",
          "ra_1_a",
          "ra_1_a_1",
          "ra_1_a_2",
          "ra_3_4",
          "ra_3_a_1",
          "ra_5_a",
          "ra_5_4",
          "ra_10_a",
          "ra_10_a_1",
          "ra_10_a_2",
          "sc_5_1",
          "sc_5_3_a",
          "sc_5_3_b",
          "sc_5_a",
          "sc_5_b",
          "sc_43_b",
          "si_3_8_a",
          "si_4_a",
          "si_4_a_1",
          "si_4_a_2",
          "si_4_b",
          "si_4_c",
          "si_4_1",
          "si_4_2",
          "si_4_3",
          "si_4_4_a",
          "si_4_4_b",
          "si_4_10",
          "si_4_13_a",
          "si_4_14",
          "si_4_23",
          "si_4_25",
          "si_5_1",
          "si_5_b"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN07.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "11.4",
          "11.4.a",
          "11.4.b",
          "11.4.c"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "GRC-05",
          "IVS-09",
          "LOG-03",
          "LOG-13",
          "SEF-06",
          "TVM-04",
          "TVM-07"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "11.5.1.1.2",
          "11.5.1.2"
        ],
        "FFIEC": [
          "d1-rm-ra-b-2",
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04",
          "SEC05-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_3_2",
          "cc_4_2",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OPS-05.03AC",
          "OPS-13.01B",
          "OPS-23.01B",
          "SIM-01.02AC"
        ],
        "ISO27001-2022": [
          "A.5.19",
          "A.5.21",
          "A.5.25",
          "A.5.28",
          "A.5.29",
          "A.8.7",
          "A.8.9"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "GuardDuty.1"
        ],
        "SecNumCloud-3.2": [
          "12.4",
          "12.9",
          "13.3",
          "16.2"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "ra_5",
          "sa_10",
          "si_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Alert on each High finding",
          "Enable as part of central configuration for Organization",
          "Threat Detection",
          "RDS protection",
          "Lambda protection",
          "S3 protection",
          "Malware Scanning",
          "Confirm that events are present in SIEM",
          "Apply suppression filters to disable useless findings",
          "Include in process of incident response based on events",
          "Runtime protection"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1",
          "cm_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "cm-8-3-a",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "ra-5",
          "sa-10",
          "sc-5",
          "si-4-1",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_4",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.6.aws.gd.1",
          "op.exp.7.aws.gd.1",
          "op.mon.1.aws.gd.1",
          "op.mon.1.aws.gd.2",
          "op.mon.3.r1.aws.gd.1",
          "op.mon.3.r3.aws.gd.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1552",
          "T1048",
          "T1496",
          "T1498",
          "T1580",
          "T1526",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** detector existence and health are evaluated per Region. It identifies where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
      "title": "GuardDuty detector is enabled and not suspended",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-guardduty_is_enabled-211203495394-ap-northeast-2-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:ap-northeast-2:211203495394:detector/unknown",
            "region": "ap-northeast-2",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:ap-northeast-2:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-2"
    },
    "remediation": {
      "desc": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/guardduty_is_enabled"
      ]
    },
    "risk_details": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability, especially in unmonitored Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty is not enabled.",
    "metadata": {
      "event_code": "guardduty_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
        "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
        "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
        "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a",
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "cm-8",
          "ir-4",
          "sc-5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_12_a",
          "ac_3_12_b",
          "au_3_1",
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "cm_8_3_a",
          "pe_6_2",
          "pe_6_4",
          "pm_14_a_1",
          "pm_14_b",
          "pm_16",
          "pm_31",
          "ra_1_a",
          "ra_1_a_1",
          "ra_1_a_2",
          "ra_3_4",
          "ra_3_a_1",
          "ra_5_a",
          "ra_5_4",
          "ra_10_a",
          "ra_10_a_1",
          "ra_10_a_2",
          "sc_5_1",
          "sc_5_3_a",
          "sc_5_3_b",
          "sc_5_a",
          "sc_5_b",
          "sc_43_b",
          "si_3_8_a",
          "si_4_a",
          "si_4_a_1",
          "si_4_a_2",
          "si_4_b",
          "si_4_c",
          "si_4_1",
          "si_4_2",
          "si_4_3",
          "si_4_4_a",
          "si_4_4_b",
          "si_4_10",
          "si_4_13_a",
          "si_4_14",
          "si_4_23",
          "si_4_25",
          "si_5_1",
          "si_5_b"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN07.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "11.4",
          "11.4.a",
          "11.4.b",
          "11.4.c"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "GRC-05",
          "IVS-09",
          "LOG-03",
          "LOG-13",
          "SEF-06",
          "TVM-04",
          "TVM-07"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "11.5.1.1.2",
          "11.5.1.2"
        ],
        "FFIEC": [
          "d1-rm-ra-b-2",
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04",
          "SEC05-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_3_2",
          "cc_4_2",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OPS-05.03AC",
          "OPS-13.01B",
          "OPS-23.01B",
          "SIM-01.02AC"
        ],
        "ISO27001-2022": [
          "A.5.19",
          "A.5.21",
          "A.5.25",
          "A.5.28",
          "A.5.29",
          "A.8.7",
          "A.8.9"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "GuardDuty.1"
        ],
        "SecNumCloud-3.2": [
          "12.4",
          "12.9",
          "13.3",
          "16.2"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "ra_5",
          "sa_10",
          "si_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Alert on each High finding",
          "Enable as part of central configuration for Organization",
          "Threat Detection",
          "RDS protection",
          "Lambda protection",
          "S3 protection",
          "Malware Scanning",
          "Confirm that events are present in SIEM",
          "Apply suppression filters to disable useless findings",
          "Include in process of incident response based on events",
          "Runtime protection"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1",
          "cm_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "cm-8-3-a",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "ra-5",
          "sa-10",
          "sc-5",
          "si-4-1",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_4",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.6.aws.gd.1",
          "op.exp.7.aws.gd.1",
          "op.mon.1.aws.gd.1",
          "op.mon.1.aws.gd.2",
          "op.mon.3.r1.aws.gd.1",
          "op.mon.3.r3.aws.gd.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1552",
          "T1048",
          "T1496",
          "T1498",
          "T1580",
          "T1526",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** detector existence and health are evaluated per Region. It identifies where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
      "title": "GuardDuty detector is enabled and not suspended",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-guardduty_is_enabled-211203495394-ap-northeast-3-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-3",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:ap-northeast-3:211203495394:detector/unknown",
            "region": "ap-northeast-3",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:ap-northeast-3:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-3"
    },
    "remediation": {
      "desc": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/guardduty_is_enabled"
      ]
    },
    "risk_details": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability, especially in unmonitored Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty is not enabled.",
    "metadata": {
      "event_code": "guardduty_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
        "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
        "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
        "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a",
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "cm-8",
          "ir-4",
          "sc-5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_12_a",
          "ac_3_12_b",
          "au_3_1",
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "cm_8_3_a",
          "pe_6_2",
          "pe_6_4",
          "pm_14_a_1",
          "pm_14_b",
          "pm_16",
          "pm_31",
          "ra_1_a",
          "ra_1_a_1",
          "ra_1_a_2",
          "ra_3_4",
          "ra_3_a_1",
          "ra_5_a",
          "ra_5_4",
          "ra_10_a",
          "ra_10_a_1",
          "ra_10_a_2",
          "sc_5_1",
          "sc_5_3_a",
          "sc_5_3_b",
          "sc_5_a",
          "sc_5_b",
          "sc_43_b",
          "si_3_8_a",
          "si_4_a",
          "si_4_a_1",
          "si_4_a_2",
          "si_4_b",
          "si_4_c",
          "si_4_1",
          "si_4_2",
          "si_4_3",
          "si_4_4_a",
          "si_4_4_b",
          "si_4_10",
          "si_4_13_a",
          "si_4_14",
          "si_4_23",
          "si_4_25",
          "si_5_1",
          "si_5_b"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN07.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "11.4",
          "11.4.a",
          "11.4.b",
          "11.4.c"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "GRC-05",
          "IVS-09",
          "LOG-03",
          "LOG-13",
          "SEF-06",
          "TVM-04",
          "TVM-07"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "11.5.1.1.2",
          "11.5.1.2"
        ],
        "FFIEC": [
          "d1-rm-ra-b-2",
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04",
          "SEC05-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_3_2",
          "cc_4_2",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OPS-05.03AC",
          "OPS-13.01B",
          "OPS-23.01B",
          "SIM-01.02AC"
        ],
        "ISO27001-2022": [
          "A.5.19",
          "A.5.21",
          "A.5.25",
          "A.5.28",
          "A.5.29",
          "A.8.7",
          "A.8.9"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "GuardDuty.1"
        ],
        "SecNumCloud-3.2": [
          "12.4",
          "12.9",
          "13.3",
          "16.2"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "ra_5",
          "sa_10",
          "si_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Alert on each High finding",
          "Enable as part of central configuration for Organization",
          "Threat Detection",
          "RDS protection",
          "Lambda protection",
          "S3 protection",
          "Malware Scanning",
          "Confirm that events are present in SIEM",
          "Apply suppression filters to disable useless findings",
          "Include in process of incident response based on events",
          "Runtime protection"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1",
          "cm_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "cm-8-3-a",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "ra-5",
          "sa-10",
          "sc-5",
          "si-4-1",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_4",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.6.aws.gd.1",
          "op.exp.7.aws.gd.1",
          "op.mon.1.aws.gd.1",
          "op.mon.1.aws.gd.2",
          "op.mon.3.r1.aws.gd.1",
          "op.mon.3.r3.aws.gd.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1552",
          "T1048",
          "T1496",
          "T1498",
          "T1580",
          "T1526",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** detector existence and health are evaluated per Region. It identifies where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
      "title": "GuardDuty detector is enabled and not suspended",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-guardduty_is_enabled-211203495394-ap-south-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-south-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:ap-south-1:211203495394:detector/unknown",
            "region": "ap-south-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:ap-south-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-south-1"
    },
    "remediation": {
      "desc": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/guardduty_is_enabled"
      ]
    },
    "risk_details": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability, especially in unmonitored Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty is not enabled.",
    "metadata": {
      "event_code": "guardduty_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
        "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
        "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
        "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a",
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "cm-8",
          "ir-4",
          "sc-5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_12_a",
          "ac_3_12_b",
          "au_3_1",
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "cm_8_3_a",
          "pe_6_2",
          "pe_6_4",
          "pm_14_a_1",
          "pm_14_b",
          "pm_16",
          "pm_31",
          "ra_1_a",
          "ra_1_a_1",
          "ra_1_a_2",
          "ra_3_4",
          "ra_3_a_1",
          "ra_5_a",
          "ra_5_4",
          "ra_10_a",
          "ra_10_a_1",
          "ra_10_a_2",
          "sc_5_1",
          "sc_5_3_a",
          "sc_5_3_b",
          "sc_5_a",
          "sc_5_b",
          "sc_43_b",
          "si_3_8_a",
          "si_4_a",
          "si_4_a_1",
          "si_4_a_2",
          "si_4_b",
          "si_4_c",
          "si_4_1",
          "si_4_2",
          "si_4_3",
          "si_4_4_a",
          "si_4_4_b",
          "si_4_10",
          "si_4_13_a",
          "si_4_14",
          "si_4_23",
          "si_4_25",
          "si_5_1",
          "si_5_b"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN07.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "11.4",
          "11.4.a",
          "11.4.b",
          "11.4.c"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "GRC-05",
          "IVS-09",
          "LOG-03",
          "LOG-13",
          "SEF-06",
          "TVM-04",
          "TVM-07"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "11.5.1.1.2",
          "11.5.1.2"
        ],
        "FFIEC": [
          "d1-rm-ra-b-2",
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04",
          "SEC05-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_3_2",
          "cc_4_2",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OPS-05.03AC",
          "OPS-13.01B",
          "OPS-23.01B",
          "SIM-01.02AC"
        ],
        "ISO27001-2022": [
          "A.5.19",
          "A.5.21",
          "A.5.25",
          "A.5.28",
          "A.5.29",
          "A.8.7",
          "A.8.9"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "GuardDuty.1"
        ],
        "SecNumCloud-3.2": [
          "12.4",
          "12.9",
          "13.3",
          "16.2"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "ra_5",
          "sa_10",
          "si_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Alert on each High finding",
          "Enable as part of central configuration for Organization",
          "Threat Detection",
          "RDS protection",
          "Lambda protection",
          "S3 protection",
          "Malware Scanning",
          "Confirm that events are present in SIEM",
          "Apply suppression filters to disable useless findings",
          "Include in process of incident response based on events",
          "Runtime protection"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1",
          "cm_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "cm-8-3-a",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "ra-5",
          "sa-10",
          "sc-5",
          "si-4-1",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_4",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.6.aws.gd.1",
          "op.exp.7.aws.gd.1",
          "op.mon.1.aws.gd.1",
          "op.mon.1.aws.gd.2",
          "op.mon.3.r1.aws.gd.1",
          "op.mon.3.r3.aws.gd.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1552",
          "T1048",
          "T1496",
          "T1498",
          "T1580",
          "T1526",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** detector existence and health are evaluated per Region. It identifies where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
      "title": "GuardDuty detector is enabled and not suspended",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-guardduty_is_enabled-211203495394-ap-southeast-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:ap-southeast-1:211203495394:detector/unknown",
            "region": "ap-southeast-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:ap-southeast-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-1"
    },
    "remediation": {
      "desc": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/guardduty_is_enabled"
      ]
    },
    "risk_details": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability, especially in unmonitored Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty is not enabled.",
    "metadata": {
      "event_code": "guardduty_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
        "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
        "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
        "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a",
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "cm-8",
          "ir-4",
          "sc-5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_12_a",
          "ac_3_12_b",
          "au_3_1",
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "cm_8_3_a",
          "pe_6_2",
          "pe_6_4",
          "pm_14_a_1",
          "pm_14_b",
          "pm_16",
          "pm_31",
          "ra_1_a",
          "ra_1_a_1",
          "ra_1_a_2",
          "ra_3_4",
          "ra_3_a_1",
          "ra_5_a",
          "ra_5_4",
          "ra_10_a",
          "ra_10_a_1",
          "ra_10_a_2",
          "sc_5_1",
          "sc_5_3_a",
          "sc_5_3_b",
          "sc_5_a",
          "sc_5_b",
          "sc_43_b",
          "si_3_8_a",
          "si_4_a",
          "si_4_a_1",
          "si_4_a_2",
          "si_4_b",
          "si_4_c",
          "si_4_1",
          "si_4_2",
          "si_4_3",
          "si_4_4_a",
          "si_4_4_b",
          "si_4_10",
          "si_4_13_a",
          "si_4_14",
          "si_4_23",
          "si_4_25",
          "si_5_1",
          "si_5_b"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN07.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "11.4",
          "11.4.a",
          "11.4.b",
          "11.4.c"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "GRC-05",
          "IVS-09",
          "LOG-03",
          "LOG-13",
          "SEF-06",
          "TVM-04",
          "TVM-07"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "11.5.1.1.2",
          "11.5.1.2"
        ],
        "FFIEC": [
          "d1-rm-ra-b-2",
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04",
          "SEC05-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_3_2",
          "cc_4_2",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OPS-05.03AC",
          "OPS-13.01B",
          "OPS-23.01B",
          "SIM-01.02AC"
        ],
        "ISO27001-2022": [
          "A.5.19",
          "A.5.21",
          "A.5.25",
          "A.5.28",
          "A.5.29",
          "A.8.7",
          "A.8.9"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "GuardDuty.1"
        ],
        "SecNumCloud-3.2": [
          "12.4",
          "12.9",
          "13.3",
          "16.2"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "ra_5",
          "sa_10",
          "si_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Alert on each High finding",
          "Enable as part of central configuration for Organization",
          "Threat Detection",
          "RDS protection",
          "Lambda protection",
          "S3 protection",
          "Malware Scanning",
          "Confirm that events are present in SIEM",
          "Apply suppression filters to disable useless findings",
          "Include in process of incident response based on events",
          "Runtime protection"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1",
          "cm_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "cm-8-3-a",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "ra-5",
          "sa-10",
          "sc-5",
          "si-4-1",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_4",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.6.aws.gd.1",
          "op.exp.7.aws.gd.1",
          "op.mon.1.aws.gd.1",
          "op.mon.1.aws.gd.2",
          "op.mon.3.r1.aws.gd.1",
          "op.mon.3.r3.aws.gd.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1552",
          "T1048",
          "T1496",
          "T1498",
          "T1580",
          "T1526",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** detector existence and health are evaluated per Region. It identifies where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
      "title": "GuardDuty detector is enabled and not suspended",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-guardduty_is_enabled-211203495394-ap-southeast-2-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:ap-southeast-2:211203495394:detector/unknown",
            "region": "ap-southeast-2",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:ap-southeast-2:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-2"
    },
    "remediation": {
      "desc": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/guardduty_is_enabled"
      ]
    },
    "risk_details": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability, especially in unmonitored Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty is not enabled.",
    "metadata": {
      "event_code": "guardduty_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
        "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
        "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
        "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a",
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "cm-8",
          "ir-4",
          "sc-5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_12_a",
          "ac_3_12_b",
          "au_3_1",
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "cm_8_3_a",
          "pe_6_2",
          "pe_6_4",
          "pm_14_a_1",
          "pm_14_b",
          "pm_16",
          "pm_31",
          "ra_1_a",
          "ra_1_a_1",
          "ra_1_a_2",
          "ra_3_4",
          "ra_3_a_1",
          "ra_5_a",
          "ra_5_4",
          "ra_10_a",
          "ra_10_a_1",
          "ra_10_a_2",
          "sc_5_1",
          "sc_5_3_a",
          "sc_5_3_b",
          "sc_5_a",
          "sc_5_b",
          "sc_43_b",
          "si_3_8_a",
          "si_4_a",
          "si_4_a_1",
          "si_4_a_2",
          "si_4_b",
          "si_4_c",
          "si_4_1",
          "si_4_2",
          "si_4_3",
          "si_4_4_a",
          "si_4_4_b",
          "si_4_10",
          "si_4_13_a",
          "si_4_14",
          "si_4_23",
          "si_4_25",
          "si_5_1",
          "si_5_b"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN07.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "11.4",
          "11.4.a",
          "11.4.b",
          "11.4.c"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "GRC-05",
          "IVS-09",
          "LOG-03",
          "LOG-13",
          "SEF-06",
          "TVM-04",
          "TVM-07"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "11.5.1.1.2",
          "11.5.1.2"
        ],
        "FFIEC": [
          "d1-rm-ra-b-2",
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04",
          "SEC05-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_3_2",
          "cc_4_2",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OPS-05.03AC",
          "OPS-13.01B",
          "OPS-23.01B",
          "SIM-01.02AC"
        ],
        "ISO27001-2022": [
          "A.5.19",
          "A.5.21",
          "A.5.25",
          "A.5.28",
          "A.5.29",
          "A.8.7",
          "A.8.9"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "GuardDuty.1"
        ],
        "SecNumCloud-3.2": [
          "12.4",
          "12.9",
          "13.3",
          "16.2"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "ra_5",
          "sa_10",
          "si_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Alert on each High finding",
          "Enable as part of central configuration for Organization",
          "Threat Detection",
          "RDS protection",
          "Lambda protection",
          "S3 protection",
          "Malware Scanning",
          "Confirm that events are present in SIEM",
          "Apply suppression filters to disable useless findings",
          "Include in process of incident response based on events",
          "Runtime protection"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1",
          "cm_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "cm-8-3-a",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "ra-5",
          "sa-10",
          "sc-5",
          "si-4-1",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_4",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.6.aws.gd.1",
          "op.exp.7.aws.gd.1",
          "op.mon.1.aws.gd.1",
          "op.mon.1.aws.gd.2",
          "op.mon.3.r1.aws.gd.1",
          "op.mon.3.r3.aws.gd.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1552",
          "T1048",
          "T1496",
          "T1498",
          "T1580",
          "T1526",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** detector existence and health are evaluated per Region. It identifies where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
      "title": "GuardDuty detector is enabled and not suspended",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-guardduty_is_enabled-211203495394-ca-central-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ca-central-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:ca-central-1:211203495394:detector/unknown",
            "region": "ca-central-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:ca-central-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ca-central-1"
    },
    "remediation": {
      "desc": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/guardduty_is_enabled"
      ]
    },
    "risk_details": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability-especially in unmonitored Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty is not enabled.",
    "metadata": {
      "event_code": "guardduty_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
        "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
        "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
        "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a",
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "cm-8",
          "ir-4",
          "sc-5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_12_a",
          "ac_3_12_b",
          "au_3_1",
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "cm_8_3_a",
          "pe_6_2",
          "pe_6_4",
          "pm_14_a_1",
          "pm_14_b",
          "pm_16",
          "pm_31",
          "ra_1_a",
          "ra_1_a_1",
          "ra_1_a_2",
          "ra_3_4",
          "ra_3_a_1",
          "ra_5_a",
          "ra_5_4",
          "ra_10_a",
          "ra_10_a_1",
          "ra_10_a_2",
          "sc_5_1",
          "sc_5_3_a",
          "sc_5_3_b",
          "sc_5_a",
          "sc_5_b",
          "sc_43_b",
          "si_3_8_a",
          "si_4_a",
          "si_4_a_1",
          "si_4_a_2",
          "si_4_b",
          "si_4_c",
          "si_4_1",
          "si_4_2",
          "si_4_3",
          "si_4_4_a",
          "si_4_4_b",
          "si_4_10",
          "si_4_13_a",
          "si_4_14",
          "si_4_23",
          "si_4_25",
          "si_5_1",
          "si_5_b"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN07.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "11.4",
          "11.4.a",
          "11.4.b",
          "11.4.c"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "GRC-05",
          "IVS-09",
          "LOG-03",
          "LOG-13",
          "SEF-06",
          "TVM-04",
          "TVM-07"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "11.5.1.1.2",
          "11.5.1.2"
        ],
        "FFIEC": [
          "d1-rm-ra-b-2",
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04",
          "SEC05-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_3_2",
          "cc_4_2",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OPS-05.03AC",
          "OPS-13.01B",
          "OPS-23.01B",
          "SIM-01.02AC"
        ],
        "ISO27001-2022": [
          "A.5.19",
          "A.5.21",
          "A.5.25",
          "A.5.28",
          "A.5.29",
          "A.8.7",
          "A.8.9"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "GuardDuty.1"
        ],
        "SecNumCloud-3.2": [
          "12.4",
          "12.9",
          "13.3",
          "16.2"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "ra_5",
          "sa_10",
          "si_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Alert on each High finding",
          "Enable as part of central configuration for Organization",
          "Threat Detection",
          "RDS protection",
          "Lambda protection",
          "S3 protection",
          "Malware Scanning",
          "Confirm that events are present in SIEM",
          "Apply suppression filters to disable useless findings",
          "Include in process of incident response based on events",
          "Runtime protection"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1",
          "cm_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "cm-8-3-a",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "ra-5",
          "sa-10",
          "sc-5",
          "si-4-1",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_4",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.6.aws.gd.1",
          "op.exp.7.aws.gd.1",
          "op.mon.1.aws.gd.1",
          "op.mon.1.aws.gd.2",
          "op.mon.3.r1.aws.gd.1",
          "op.mon.3.r3.aws.gd.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1552",
          "T1048",
          "T1496",
          "T1498",
          "T1580",
          "T1526",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** detector existence and health are evaluated per Region. It identifies where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
      "title": "GuardDuty detector is enabled and not suspended",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-guardduty_is_enabled-211203495394-eu-central-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-central-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:eu-central-1:211203495394:detector/unknown",
            "region": "eu-central-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:eu-central-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-central-1"
    },
    "remediation": {
      "desc": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/guardduty_is_enabled"
      ]
    },
    "risk_details": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability-especially in unmonitored Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty is not enabled.",
    "metadata": {
      "event_code": "guardduty_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
        "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
        "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
        "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a",
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "cm-8",
          "ir-4",
          "sc-5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_12_a",
          "ac_3_12_b",
          "au_3_1",
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "cm_8_3_a",
          "pe_6_2",
          "pe_6_4",
          "pm_14_a_1",
          "pm_14_b",
          "pm_16",
          "pm_31",
          "ra_1_a",
          "ra_1_a_1",
          "ra_1_a_2",
          "ra_3_4",
          "ra_3_a_1",
          "ra_5_a",
          "ra_5_4",
          "ra_10_a",
          "ra_10_a_1",
          "ra_10_a_2",
          "sc_5_1",
          "sc_5_3_a",
          "sc_5_3_b",
          "sc_5_a",
          "sc_5_b",
          "sc_43_b",
          "si_3_8_a",
          "si_4_a",
          "si_4_a_1",
          "si_4_a_2",
          "si_4_b",
          "si_4_c",
          "si_4_1",
          "si_4_2",
          "si_4_3",
          "si_4_4_a",
          "si_4_4_b",
          "si_4_10",
          "si_4_13_a",
          "si_4_14",
          "si_4_23",
          "si_4_25",
          "si_5_1",
          "si_5_b"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN07.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "11.4",
          "11.4.a",
          "11.4.b",
          "11.4.c"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "GRC-05",
          "IVS-09",
          "LOG-03",
          "LOG-13",
          "SEF-06",
          "TVM-04",
          "TVM-07"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "11.5.1.1.2",
          "11.5.1.2"
        ],
        "FFIEC": [
          "d1-rm-ra-b-2",
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04",
          "SEC05-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_3_2",
          "cc_4_2",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OPS-05.03AC",
          "OPS-13.01B",
          "OPS-23.01B",
          "SIM-01.02AC"
        ],
        "ISO27001-2022": [
          "A.5.19",
          "A.5.21",
          "A.5.25",
          "A.5.28",
          "A.5.29",
          "A.8.7",
          "A.8.9"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "GuardDuty.1"
        ],
        "SecNumCloud-3.2": [
          "12.4",
          "12.9",
          "13.3",
          "16.2"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "ra_5",
          "sa_10",
          "si_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Alert on each High finding",
          "Enable as part of central configuration for Organization",
          "Threat Detection",
          "RDS protection",
          "Lambda protection",
          "S3 protection",
          "Malware Scanning",
          "Confirm that events are present in SIEM",
          "Apply suppression filters to disable useless findings",
          "Include in process of incident response based on events",
          "Runtime protection"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1",
          "cm_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "cm-8-3-a",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "ra-5",
          "sa-10",
          "sc-5",
          "si-4-1",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_4",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.6.aws.gd.1",
          "op.exp.7.aws.gd.1",
          "op.mon.1.aws.gd.1",
          "op.mon.1.aws.gd.2",
          "op.mon.3.r1.aws.gd.1",
          "op.mon.3.r3.aws.gd.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1552",
          "T1048",
          "T1496",
          "T1498",
          "T1580",
          "T1526",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** detector existence and health are evaluated per Region. It identifies where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
      "title": "GuardDuty detector is enabled and not suspended",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-guardduty_is_enabled-211203495394-eu-north-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-north-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:eu-north-1:211203495394:detector/unknown",
            "region": "eu-north-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:eu-north-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-north-1"
    },
    "remediation": {
      "desc": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/guardduty_is_enabled"
      ]
    },
    "risk_details": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability-especially in unmonitored Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty is not enabled.",
    "metadata": {
      "event_code": "guardduty_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
        "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
        "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
        "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a",
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "cm-8",
          "ir-4",
          "sc-5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_12_a",
          "ac_3_12_b",
          "au_3_1",
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "cm_8_3_a",
          "pe_6_2",
          "pe_6_4",
          "pm_14_a_1",
          "pm_14_b",
          "pm_16",
          "pm_31",
          "ra_1_a",
          "ra_1_a_1",
          "ra_1_a_2",
          "ra_3_4",
          "ra_3_a_1",
          "ra_5_a",
          "ra_5_4",
          "ra_10_a",
          "ra_10_a_1",
          "ra_10_a_2",
          "sc_5_1",
          "sc_5_3_a",
          "sc_5_3_b",
          "sc_5_a",
          "sc_5_b",
          "sc_43_b",
          "si_3_8_a",
          "si_4_a",
          "si_4_a_1",
          "si_4_a_2",
          "si_4_b",
          "si_4_c",
          "si_4_1",
          "si_4_2",
          "si_4_3",
          "si_4_4_a",
          "si_4_4_b",
          "si_4_10",
          "si_4_13_a",
          "si_4_14",
          "si_4_23",
          "si_4_25",
          "si_5_1",
          "si_5_b"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN07.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "11.4",
          "11.4.a",
          "11.4.b",
          "11.4.c"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "GRC-05",
          "IVS-09",
          "LOG-03",
          "LOG-13",
          "SEF-06",
          "TVM-04",
          "TVM-07"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "11.5.1.1.2",
          "11.5.1.2"
        ],
        "FFIEC": [
          "d1-rm-ra-b-2",
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04",
          "SEC05-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_3_2",
          "cc_4_2",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OPS-05.03AC",
          "OPS-13.01B",
          "OPS-23.01B",
          "SIM-01.02AC"
        ],
        "ISO27001-2022": [
          "A.5.19",
          "A.5.21",
          "A.5.25",
          "A.5.28",
          "A.5.29",
          "A.8.7",
          "A.8.9"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "GuardDuty.1"
        ],
        "SecNumCloud-3.2": [
          "12.4",
          "12.9",
          "13.3",
          "16.2"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "ra_5",
          "sa_10",
          "si_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Alert on each High finding",
          "Enable as part of central configuration for Organization",
          "Threat Detection",
          "RDS protection",
          "Lambda protection",
          "S3 protection",
          "Malware Scanning",
          "Confirm that events are present in SIEM",
          "Apply suppression filters to disable useless findings",
          "Include in process of incident response based on events",
          "Runtime protection"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1",
          "cm_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "cm-8-3-a",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "ra-5",
          "sa-10",
          "sc-5",
          "si-4-1",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_4",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.6.aws.gd.1",
          "op.exp.7.aws.gd.1",
          "op.mon.1.aws.gd.1",
          "op.mon.1.aws.gd.2",
          "op.mon.3.r1.aws.gd.1",
          "op.mon.3.r3.aws.gd.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1552",
          "T1048",
          "T1496",
          "T1498",
          "T1580",
          "T1526",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** detector existence and health are evaluated per Region. This check identifies Regions where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
      "title": "GuardDuty detector is enabled and not suspended",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-guardduty_is_enabled-211203495394-eu-west-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:eu-west-1:211203495394:detector/unknown",
            "region": "eu-west-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:eu-west-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-1"
    },
    "remediation": {
      "desc": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/guardduty_is_enabled"
      ]
    },
    "risk_details": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability, especially in unmonitored Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty is not enabled.",
    "metadata": {
      "event_code": "guardduty_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
        "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
        "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
        "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a",
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "cm-8",
          "ir-4",
          "sc-5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_12_a",
          "ac_3_12_b",
          "au_3_1",
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "cm_8_3_a",
          "pe_6_2",
          "pe_6_4",
          "pm_14_a_1",
          "pm_14_b",
          "pm_16",
          "pm_31",
          "ra_1_a",
          "ra_1_a_1",
          "ra_1_a_2",
          "ra_3_4",
          "ra_3_a_1",
          "ra_5_a",
          "ra_5_4",
          "ra_10_a",
          "ra_10_a_1",
          "ra_10_a_2",
          "sc_5_1",
          "sc_5_3_a",
          "sc_5_3_b",
          "sc_5_a",
          "sc_5_b",
          "sc_43_b",
          "si_3_8_a",
          "si_4_a",
          "si_4_a_1",
          "si_4_a_2",
          "si_4_b",
          "si_4_c",
          "si_4_1",
          "si_4_2",
          "si_4_3",
          "si_4_4_a",
          "si_4_4_b",
          "si_4_10",
          "si_4_13_a",
          "si_4_14",
          "si_4_23",
          "si_4_25",
          "si_5_1",
          "si_5_b"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN07.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "11.4",
          "11.4.a",
          "11.4.b",
          "11.4.c"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "GRC-05",
          "IVS-09",
          "LOG-03",
          "LOG-13",
          "SEF-06",
          "TVM-04",
          "TVM-07"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "11.5.1.1.2",
          "11.5.1.2"
        ],
        "FFIEC": [
          "d1-rm-ra-b-2",
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04",
          "SEC05-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_3_2",
          "cc_4_2",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OPS-05.03AC",
          "OPS-13.01B",
          "OPS-23.01B",
          "SIM-01.02AC"
        ],
        "ISO27001-2022": [
          "A.5.19",
          "A.5.21",
          "A.5.25",
          "A.5.28",
          "A.5.29",
          "A.8.7",
          "A.8.9"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "GuardDuty.1"
        ],
        "SecNumCloud-3.2": [
          "12.4",
          "12.9",
          "13.3",
          "16.2"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "ra_5",
          "sa_10",
          "si_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Alert on each High finding",
          "Enable as part of central configuration for Organization",
          "Threat Detection",
          "RDS protection",
          "Lambda protection",
          "S3 protection",
          "Malware Scanning",
          "Confirm that events are present in SIEM",
          "Apply suppression filters to disable useless findings",
          "Include in process of incident response based on events",
          "Runtime protection"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1",
          "cm_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "cm-8-3-a",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "ra-5",
          "sa-10",
          "sc-5",
          "si-4-1",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_4",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.6.aws.gd.1",
          "op.exp.7.aws.gd.1",
          "op.mon.1.aws.gd.1",
          "op.mon.1.aws.gd.2",
          "op.mon.3.r1.aws.gd.1",
          "op.mon.3.r3.aws.gd.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1552",
          "T1048",
          "T1496",
          "T1498",
          "T1580",
          "T1526",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** detector existence and health are evaluated per Region. This check identifies Regions where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
      "title": "GuardDuty detector is enabled and not suspended",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-guardduty_is_enabled-211203495394-eu-west-2-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:eu-west-2:211203495394:detector/unknown",
            "region": "eu-west-2",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:eu-west-2:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-2"
    },
    "remediation": {
      "desc": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/guardduty_is_enabled"
      ]
    },
    "risk_details": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability, especially in unmonitored Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty is not enabled.",
    "metadata": {
      "event_code": "guardduty_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
        "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
        "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
        "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a",
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "cm-8",
          "ir-4",
          "sc-5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_12_a",
          "ac_3_12_b",
          "au_3_1",
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "cm_8_3_a",
          "pe_6_2",
          "pe_6_4",
          "pm_14_a_1",
          "pm_14_b",
          "pm_16",
          "pm_31",
          "ra_1_a",
          "ra_1_a_1",
          "ra_1_a_2",
          "ra_3_4",
          "ra_3_a_1",
          "ra_5_a",
          "ra_5_4",
          "ra_10_a",
          "ra_10_a_1",
          "ra_10_a_2",
          "sc_5_1",
          "sc_5_3_a",
          "sc_5_3_b",
          "sc_5_a",
          "sc_5_b",
          "sc_43_b",
          "si_3_8_a",
          "si_4_a",
          "si_4_a_1",
          "si_4_a_2",
          "si_4_b",
          "si_4_c",
          "si_4_1",
          "si_4_2",
          "si_4_3",
          "si_4_4_a",
          "si_4_4_b",
          "si_4_10",
          "si_4_13_a",
          "si_4_14",
          "si_4_23",
          "si_4_25",
          "si_5_1",
          "si_5_b"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN07.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "11.4",
          "11.4.a",
          "11.4.b",
          "11.4.c"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "GRC-05",
          "IVS-09",
          "LOG-03",
          "LOG-13",
          "SEF-06",
          "TVM-04",
          "TVM-07"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "11.5.1.1.2",
          "11.5.1.2"
        ],
        "FFIEC": [
          "d1-rm-ra-b-2",
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04",
          "SEC05-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_3_2",
          "cc_4_2",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OPS-05.03AC",
          "OPS-13.01B",
          "OPS-23.01B",
          "SIM-01.02AC"
        ],
        "ISO27001-2022": [
          "A.5.19",
          "A.5.21",
          "A.5.25",
          "A.5.28",
          "A.5.29",
          "A.8.7",
          "A.8.9"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "GuardDuty.1"
        ],
        "SecNumCloud-3.2": [
          "12.4",
          "12.9",
          "13.3",
          "16.2"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "ra_5",
          "sa_10",
          "si_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Alert on each High finding",
          "Enable as part of central configuration for Organization",
          "Threat Detection",
          "RDS protection",
          "Lambda protection",
          "S3 protection",
          "Malware Scanning",
          "Confirm that events are present in SIEM",
          "Apply suppression filters to disable useless findings",
          "Include in process of incident response based on events",
          "Runtime protection"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1",
          "cm_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "cm-8-3-a",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "ra-5",
          "sa-10",
          "sc-5",
          "si-4-1",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_4",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.6.aws.gd.1",
          "op.exp.7.aws.gd.1",
          "op.mon.1.aws.gd.1",
          "op.mon.1.aws.gd.2",
          "op.mon.3.r1.aws.gd.1",
          "op.mon.3.r3.aws.gd.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1552",
          "T1048",
          "T1496",
          "T1498",
          "T1580",
          "T1526",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** detector existence and health are evaluated per Region. This check identifies Regions where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
      "title": "GuardDuty detector is enabled and not suspended",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-guardduty_is_enabled-211203495394-eu-west-3-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-3",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:eu-west-3:211203495394:detector/unknown",
            "region": "eu-west-3",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:eu-west-3:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-3"
    },
    "remediation": {
      "desc": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/guardduty_is_enabled"
      ]
    },
    "risk_details": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability, especially in unmonitored Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty is not enabled.",
    "metadata": {
      "event_code": "guardduty_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
        "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
        "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
        "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a",
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "cm-8",
          "ir-4",
          "sc-5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_12_a",
          "ac_3_12_b",
          "au_3_1",
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "cm_8_3_a",
          "pe_6_2",
          "pe_6_4",
          "pm_14_a_1",
          "pm_14_b",
          "pm_16",
          "pm_31",
          "ra_1_a",
          "ra_1_a_1",
          "ra_1_a_2",
          "ra_3_4",
          "ra_3_a_1",
          "ra_5_a",
          "ra_5_4",
          "ra_10_a",
          "ra_10_a_1",
          "ra_10_a_2",
          "sc_5_1",
          "sc_5_3_a",
          "sc_5_3_b",
          "sc_5_a",
          "sc_5_b",
          "sc_43_b",
          "si_3_8_a",
          "si_4_a",
          "si_4_a_1",
          "si_4_a_2",
          "si_4_b",
          "si_4_c",
          "si_4_1",
          "si_4_2",
          "si_4_3",
          "si_4_4_a",
          "si_4_4_b",
          "si_4_10",
          "si_4_13_a",
          "si_4_14",
          "si_4_23",
          "si_4_25",
          "si_5_1",
          "si_5_b"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN07.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "11.4",
          "11.4.a",
          "11.4.b",
          "11.4.c"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "GRC-05",
          "IVS-09",
          "LOG-03",
          "LOG-13",
          "SEF-06",
          "TVM-04",
          "TVM-07"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "11.5.1.1.2",
          "11.5.1.2"
        ],
        "FFIEC": [
          "d1-rm-ra-b-2",
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04",
          "SEC05-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_3_2",
          "cc_4_2",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OPS-05.03AC",
          "OPS-13.01B",
          "OPS-23.01B",
          "SIM-01.02AC"
        ],
        "ISO27001-2022": [
          "A.5.19",
          "A.5.21",
          "A.5.25",
          "A.5.28",
          "A.5.29",
          "A.8.7",
          "A.8.9"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "GuardDuty.1"
        ],
        "SecNumCloud-3.2": [
          "12.4",
          "12.9",
          "13.3",
          "16.2"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "ra_5",
          "sa_10",
          "si_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Alert on each High finding",
          "Enable as part of central configuration for Organization",
          "Threat Detection",
          "RDS protection",
          "Lambda protection",
          "S3 protection",
          "Malware Scanning",
          "Confirm that events are present in SIEM",
          "Apply suppression filters to disable useless findings",
          "Include in process of incident response based on events",
          "Runtime protection"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1",
          "cm_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "cm-8-3-a",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "ra-5",
          "sa-10",
          "sc-5",
          "si-4-1",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_4",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.6.aws.gd.1",
          "op.exp.7.aws.gd.1",
          "op.mon.1.aws.gd.1",
          "op.mon.1.aws.gd.2",
          "op.mon.3.r1.aws.gd.1",
          "op.mon.3.r3.aws.gd.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1552",
          "T1048",
          "T1496",
          "T1498",
          "T1580",
          "T1526",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** detector existence and health are evaluated per Region. It identifies where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
      "title": "GuardDuty detector is enabled and not suspended",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-guardduty_is_enabled-211203495394-sa-east-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "sa-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:sa-east-1:211203495394:detector/unknown",
            "region": "sa-east-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:sa-east-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "sa-east-1"
    },
    "remediation": {
      "desc": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/guardduty_is_enabled"
      ]
    },
    "risk_details": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability-especially in unmonitored Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty is not enabled.",
    "metadata": {
      "event_code": "guardduty_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
        "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
        "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
        "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a",
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "cm-8",
          "ir-4",
          "sc-5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_12_a",
          "ac_3_12_b",
          "au_3_1",
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "cm_8_3_a",
          "pe_6_2",
          "pe_6_4",
          "pm_14_a_1",
          "pm_14_b",
          "pm_16",
          "pm_31",
          "ra_1_a",
          "ra_1_a_1",
          "ra_1_a_2",
          "ra_3_4",
          "ra_3_a_1",
          "ra_5_a",
          "ra_5_4",
          "ra_10_a",
          "ra_10_a_1",
          "ra_10_a_2",
          "sc_5_1",
          "sc_5_3_a",
          "sc_5_3_b",
          "sc_5_a",
          "sc_5_b",
          "sc_43_b",
          "si_3_8_a",
          "si_4_a",
          "si_4_a_1",
          "si_4_a_2",
          "si_4_b",
          "si_4_c",
          "si_4_1",
          "si_4_2",
          "si_4_3",
          "si_4_4_a",
          "si_4_4_b",
          "si_4_10",
          "si_4_13_a",
          "si_4_14",
          "si_4_23",
          "si_4_25",
          "si_5_1",
          "si_5_b"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN07.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "11.4",
          "11.4.a",
          "11.4.b",
          "11.4.c"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "GRC-05",
          "IVS-09",
          "LOG-03",
          "LOG-13",
          "SEF-06",
          "TVM-04",
          "TVM-07"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "11.5.1.1.2",
          "11.5.1.2"
        ],
        "FFIEC": [
          "d1-rm-ra-b-2",
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04",
          "SEC05-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_3_2",
          "cc_4_2",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OPS-05.03AC",
          "OPS-13.01B",
          "OPS-23.01B",
          "SIM-01.02AC"
        ],
        "ISO27001-2022": [
          "A.5.19",
          "A.5.21",
          "A.5.25",
          "A.5.28",
          "A.5.29",
          "A.8.7",
          "A.8.9"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "GuardDuty.1"
        ],
        "SecNumCloud-3.2": [
          "12.4",
          "12.9",
          "13.3",
          "16.2"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "ra_5",
          "sa_10",
          "si_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Alert on each High finding",
          "Enable as part of central configuration for Organization",
          "Threat Detection",
          "RDS protection",
          "Lambda protection",
          "S3 protection",
          "Malware Scanning",
          "Confirm that events are present in SIEM",
          "Apply suppression filters to disable useless findings",
          "Include in process of incident response based on events",
          "Runtime protection"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1",
          "cm_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "cm-8-3-a",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "ra-5",
          "sa-10",
          "sc-5",
          "si-4-1",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_4",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.6.aws.gd.1",
          "op.exp.7.aws.gd.1",
          "op.mon.1.aws.gd.1",
          "op.mon.1.aws.gd.2",
          "op.mon.3.r1.aws.gd.1",
          "op.mon.3.r3.aws.gd.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1552",
          "T1048",
          "T1496",
          "T1498",
          "T1580",
          "T1526",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** detector existence and health are evaluated per Region. It identifies where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
      "title": "GuardDuty detector is enabled and not suspended",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-guardduty_is_enabled-211203495394-us-east-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:us-east-1:211203495394:detector/unknown",
            "region": "us-east-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:us-east-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/guardduty_is_enabled"
      ]
    },
    "risk_details": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability-especially in unmonitored Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty is not enabled.",
    "metadata": {
      "event_code": "guardduty_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
        "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
        "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
        "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a",
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "cm-8",
          "ir-4",
          "sc-5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_12_a",
          "ac_3_12_b",
          "au_3_1",
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "cm_8_3_a",
          "pe_6_2",
          "pe_6_4",
          "pm_14_a_1",
          "pm_14_b",
          "pm_16",
          "pm_31",
          "ra_1_a",
          "ra_1_a_1",
          "ra_1_a_2",
          "ra_3_4",
          "ra_3_a_1",
          "ra_5_a",
          "ra_5_4",
          "ra_10_a",
          "ra_10_a_1",
          "ra_10_a_2",
          "sc_5_1",
          "sc_5_3_a",
          "sc_5_3_b",
          "sc_5_a",
          "sc_5_b",
          "sc_43_b",
          "si_3_8_a",
          "si_4_a",
          "si_4_a_1",
          "si_4_a_2",
          "si_4_b",
          "si_4_c",
          "si_4_1",
          "si_4_2",
          "si_4_3",
          "si_4_4_a",
          "si_4_4_b",
          "si_4_10",
          "si_4_13_a",
          "si_4_14",
          "si_4_23",
          "si_4_25",
          "si_5_1",
          "si_5_b"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN07.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "11.4",
          "11.4.a",
          "11.4.b",
          "11.4.c"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "GRC-05",
          "IVS-09",
          "LOG-03",
          "LOG-13",
          "SEF-06",
          "TVM-04",
          "TVM-07"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "11.5.1.1.2",
          "11.5.1.2"
        ],
        "FFIEC": [
          "d1-rm-ra-b-2",
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04",
          "SEC05-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_3_2",
          "cc_4_2",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OPS-05.03AC",
          "OPS-13.01B",
          "OPS-23.01B",
          "SIM-01.02AC"
        ],
        "ISO27001-2022": [
          "A.5.19",
          "A.5.21",
          "A.5.25",
          "A.5.28",
          "A.5.29",
          "A.8.7",
          "A.8.9"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "GuardDuty.1"
        ],
        "SecNumCloud-3.2": [
          "12.4",
          "12.9",
          "13.3",
          "16.2"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "ra_5",
          "sa_10",
          "si_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Alert on each High finding",
          "Enable as part of central configuration for Organization",
          "Threat Detection",
          "RDS protection",
          "Lambda protection",
          "S3 protection",
          "Malware Scanning",
          "Confirm that events are present in SIEM",
          "Apply suppression filters to disable useless findings",
          "Include in process of incident response based on events",
          "Runtime protection"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1",
          "cm_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "cm-8-3-a",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "ra-5",
          "sa-10",
          "sc-5",
          "si-4-1",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_4",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.6.aws.gd.1",
          "op.exp.7.aws.gd.1",
          "op.mon.1.aws.gd.1",
          "op.mon.1.aws.gd.2",
          "op.mon.3.r1.aws.gd.1",
          "op.mon.3.r3.aws.gd.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1552",
          "T1048",
          "T1496",
          "T1498",
          "T1580",
          "T1526",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** detector existence and health are evaluated per Region. It identifies where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
      "title": "GuardDuty detector is enabled and not suspended",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-guardduty_is_enabled-211203495394-us-east-2-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:us-east-2:211203495394:detector/unknown",
            "region": "us-east-2",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:us-east-2:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-2"
    },
    "remediation": {
      "desc": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/guardduty_is_enabled"
      ]
    },
    "risk_details": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability-especially in unmonitored Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty is not enabled.",
    "metadata": {
      "event_code": "guardduty_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
        "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
        "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
        "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a",
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "cm-8",
          "ir-4",
          "sc-5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_12_a",
          "ac_3_12_b",
          "au_3_1",
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "cm_8_3_a",
          "pe_6_2",
          "pe_6_4",
          "pm_14_a_1",
          "pm_14_b",
          "pm_16",
          "pm_31",
          "ra_1_a",
          "ra_1_a_1",
          "ra_1_a_2",
          "ra_3_4",
          "ra_3_a_1",
          "ra_5_a",
          "ra_5_4",
          "ra_10_a",
          "ra_10_a_1",
          "ra_10_a_2",
          "sc_5_1",
          "sc_5_3_a",
          "sc_5_3_b",
          "sc_5_a",
          "sc_5_b",
          "sc_43_b",
          "si_3_8_a",
          "si_4_a",
          "si_4_a_1",
          "si_4_a_2",
          "si_4_b",
          "si_4_c",
          "si_4_1",
          "si_4_2",
          "si_4_3",
          "si_4_4_a",
          "si_4_4_b",
          "si_4_10",
          "si_4_13_a",
          "si_4_14",
          "si_4_23",
          "si_4_25",
          "si_5_1",
          "si_5_b"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN07.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "11.4",
          "11.4.a",
          "11.4.b",
          "11.4.c"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "GRC-05",
          "IVS-09",
          "LOG-03",
          "LOG-13",
          "SEF-06",
          "TVM-04",
          "TVM-07"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "11.5.1.1.2",
          "11.5.1.2"
        ],
        "FFIEC": [
          "d1-rm-ra-b-2",
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04",
          "SEC05-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_3_2",
          "cc_4_2",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OPS-05.03AC",
          "OPS-13.01B",
          "OPS-23.01B",
          "SIM-01.02AC"
        ],
        "ISO27001-2022": [
          "A.5.19",
          "A.5.21",
          "A.5.25",
          "A.5.28",
          "A.5.29",
          "A.8.7",
          "A.8.9"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "GuardDuty.1"
        ],
        "SecNumCloud-3.2": [
          "12.4",
          "12.9",
          "13.3",
          "16.2"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "ra_5",
          "sa_10",
          "si_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Alert on each High finding",
          "Enable as part of central configuration for Organization",
          "Threat Detection",
          "RDS protection",
          "Lambda protection",
          "S3 protection",
          "Malware Scanning",
          "Confirm that events are present in SIEM",
          "Apply suppression filters to disable useless findings",
          "Include in process of incident response based on events",
          "Runtime protection"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1",
          "cm_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "cm-8-3-a",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "ra-5",
          "sa-10",
          "sc-5",
          "si-4-1",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_4",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.6.aws.gd.1",
          "op.exp.7.aws.gd.1",
          "op.mon.1.aws.gd.1",
          "op.mon.1.aws.gd.2",
          "op.mon.3.r1.aws.gd.1",
          "op.mon.3.r3.aws.gd.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1552",
          "T1048",
          "T1496",
          "T1498",
          "T1580",
          "T1526",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** detector existence and health are evaluated per Region. This check identifies where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
      "title": "GuardDuty detector is enabled and not suspended",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-guardduty_is_enabled-211203495394-us-west-1-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:us-west-1:211203495394:detector/unknown",
            "region": "us-west-1",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:us-west-1:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-1"
    },
    "remediation": {
      "desc": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/guardduty_is_enabled"
      ]
    },
    "risk_details": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability, especially in unmonitored Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "GuardDuty is not enabled.",
    "metadata": {
      "event_code": "guardduty_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "GuardDuty is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
        "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
        "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
        "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_a",
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "cm-8",
          "ir-4",
          "sc-5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_12_a",
          "ac_3_12_b",
          "au_3_1",
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "cm_8_3_a",
          "pe_6_2",
          "pe_6_4",
          "pm_14_a_1",
          "pm_14_b",
          "pm_16",
          "pm_31",
          "ra_1_a",
          "ra_1_a_1",
          "ra_1_a_2",
          "ra_3_4",
          "ra_3_a_1",
          "ra_5_a",
          "ra_5_4",
          "ra_10_a",
          "ra_10_a_1",
          "ra_10_a_2",
          "sc_5_1",
          "sc_5_3_a",
          "sc_5_3_b",
          "sc_5_a",
          "sc_5_b",
          "sc_43_b",
          "si_3_8_a",
          "si_4_a",
          "si_4_a_1",
          "si_4_a_2",
          "si_4_b",
          "si_4_c",
          "si_4_1",
          "si_4_2",
          "si_4_3",
          "si_4_4_a",
          "si_4_4_b",
          "si_4_10",
          "si_4_13_a",
          "si_4_14",
          "si_4_23",
          "si_4_25",
          "si_5_1",
          "si_5_b"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN07.AR01",
          "CCC.IAM.CN10.AR01"
        ],
        "PCI-3.2.1": [
          "11.4",
          "11.4.a",
          "11.4.b",
          "11.4.c"
        ],
        "CSA-CCM-4.0": [
          "CCC-07",
          "GRC-05",
          "IVS-09",
          "LOG-03",
          "LOG-13",
          "SEF-06",
          "TVM-04",
          "TVM-07"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "11.5.1.1.2",
          "11.5.1.2"
        ],
        "FFIEC": [
          "d1-rm-ra-b-2",
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04",
          "SEC05-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_3_2",
          "cc_4_2",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "C5-2025": [
          "OPS-05.03AC",
          "OPS-13.01B",
          "OPS-23.01B",
          "SIM-01.02AC"
        ],
        "ISO27001-2022": [
          "A.5.19",
          "A.5.21",
          "A.5.25",
          "A.5.28",
          "A.5.29",
          "A.8.7",
          "A.8.9"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "GuardDuty.1"
        ],
        "SecNumCloud-3.2": [
          "12.4",
          "12.9",
          "13.3",
          "16.2"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "ra_5",
          "sa_10",
          "si_4_1",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Alert on each High finding",
          "Enable as part of central configuration for Organization",
          "Threat Detection",
          "RDS protection",
          "Lambda protection",
          "S3 protection",
          "Malware Scanning",
          "Confirm that events are present in SIEM",
          "Apply suppression filters to disable useless findings",
          "Include in process of incident response based on events",
          "Runtime protection"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1",
          "cm_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "cm-8-3-a",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "ra-5",
          "sa-10",
          "sc-5",
          "si-4-1",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_2",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_4",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.6.aws.gd.1",
          "op.exp.7.aws.gd.1",
          "op.mon.1.aws.gd.1",
          "op.mon.1.aws.gd.2",
          "op.mon.3.r1.aws.gd.1",
          "op.mon.3.r3.aws.gd.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1552",
          "T1048",
          "T1496",
          "T1498",
          "T1580",
          "T1526",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon GuardDuty** detector existence and health are evaluated per Region. This check identifies where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
      "title": "GuardDuty detector is enabled and not suspended",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-guardduty_is_enabled-211203495394-us-west-2-detector/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "detector/unknown",
            "arn": "arn:aws:guardduty:us-west-2:211203495394:detector/unknown",
            "region": "us-west-2",
            "enabled_in_account": false,
            "status": null,
            "findings": [],
            "member_accounts": [],
            "administrator_account": null,
            "tags": [],
            "s3_protection": false,
            "rds_protection": false,
            "eks_audit_log_protection": false,
            "eks_runtime_monitoring": false,
            "lambda_protection": false,
            "ec2_malware_protection": false,
            "organization_auto_enable_members": "NONE",
            "organization_config_available": false
          }
        },
        "group": {
          "name": "guardduty"
        },
        "labels": [],
        "name": "detector/unknown",
        "type": "AwsGuardDutyDetector",
        "uid": "arn:aws:guardduty:us-west-2:211203495394:detector/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-2"
    },
    "remediation": {
      "desc": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/guardduty_is_enabled"
      ]
    },
    "risk_details": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability, especially in unmonitored Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Root user in the account wasn't accessed in the last 1 days.",
    "metadata": {
      "event_code": "iam_avoid_root_usage",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Root user in the account wasn't accessed in the last 1 days.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-best-practices.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/root-account-used-recently.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "6.7.2.e",
          "11.3.2.b",
          "11.3.2.c",
          "11.4.2.a"
        ],
        "CIS-6.0": [
          "2.6"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02"
        ],
        "CIS-2.0": [
          "1.7"
        ],
        "CSA-CCM-4.0": [
          "IAM-09",
          "IAM-10"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.5"
        ],
        "CIS-4.0.1": [
          "1.7"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP01"
        ],
        "CIS-3.0": [
          "1.7"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-03.01B",
          "IAM-03.03B",
          "IAM-06.02B",
          "IAM-06.04B"
        ],
        "ISO27001-2022": [
          "A.5.15"
        ],
        "SecNumCloud-3.2": [
          "9.6"
        ],
        "CIS-1.4": [
          "1.7"
        ],
        "CIS-5.0": [
          "1.6"
        ],
        "CIS-1.5": [
          "1.7"
        ],
        "AWS-Account-Security-Onboarding": [
          "Block root user"
        ],
        "ENS-RD2022": [
          "op.acc.2.aws.iam.4",
          "op.acc.4.aws.iam.7"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1098"
        ],
        "ISO27001-2013": [
          "A.9.2.H",
          "A.9.4.H"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS IAM root user** activity is assessed by inspecting `last-used` timestamps for the root password and access keys. The finding indicates when the root identity has been used recently for console or programmatic access.",
      "title": "AWS account root user has not been used in the last day",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_avoid_root_usage-211203495394-us-east-1-<root_account>"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "user": "<root_account>",
            "arn": "arn:aws:iam::211203495394:root",
            "user_creation_time": "2025-10-03T16:10:08Z",
            "password_enabled": "true",
            "password_last_used": "2026-04-09T09:51:05Z",
            "password_last_changed": "2025-10-03T16:10:08Z",
            "password_next_rotation": "not_supported",
            "mfa_active": "true",
            "access_key_1_active": "false",
            "access_key_1_last_rotated": "N/A",
            "access_key_1_last_used_date": "N/A",
            "access_key_1_last_used_region": "N/A",
            "access_key_1_last_used_service": "N/A",
            "access_key_2_active": "false",
            "access_key_2_last_rotated": "N/A",
            "access_key_2_last_used_date": "N/A",
            "access_key_2_last_used_region": "N/A",
            "access_key_2_last_used_service": "N/A",
            "cert_1_active": "false",
            "cert_1_last_rotated": "N/A",
            "cert_2_active": "false",
            "cert_2_last_rotated": "N/A"
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "<root_account>",
        "type": "AwsIamUser",
        "uid": "arn:aws:iam::211203495394:root"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Minimize `root` usage by applying **least privilege** with admin roles or federated SSO and temporary credentials.\n- Enforce **MFA** on root\n- Avoid or remove root access keys\n- Require multi-person approval\n- **Monitor and alert** on any root sign-in\n- Use org guardrails for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/iam_avoid_root_usage"
      ]
    },
    "risk_details": "Recent **root usage** expands blast radius:\n- Data exfiltration (**confidentiality**)\n- Policy/key tampering (**integrity**)\n- Resource deletion and billing changes (**availability**)\nRoutine use reduces anomaly visibility and eases **account takeover** impact.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS policy ElastiCacheServiceRolePolicy is attached but does not allow '*:*' administrative privileges.",
    "metadata": {
      "event_code": "iam_aws_attached_policy_no_administrative_privileges",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "AWS policy ElastiCacheServiceRolePolicy is attached but does not allow '*:*' administrative privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html",
        "https://support.icompaas.com/support/solutions/articles/62000233815-ensure-iam-roles-do-not-have-administratoraccess-policy-attached",
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_b",
          "164_308_a_3_i",
          "164_308_a_3_ii_b",
          "164_308_a_4_i",
          "164_308_a_4_ii_b",
          "164_308_a_4_ii_c",
          "164_312_a_1"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-3"
        ],
        "CIS-6.0": [
          "2.15"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_2_6",
          "ac_2_i_2",
          "ac_3",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_7",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_5_b",
          "ac_6",
          "ac_6_2",
          "ac_6_3",
          "ac_6_10",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "mp_2",
          "sc_23_3",
          "sc_25"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN01.AR01",
          "CCC.IAM.CN01.AR02",
          "CCC.IAM.CN02.AR01",
          "CCC.IAM.CN02.AR02",
          "CCC.IAM.CN04.AR01"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_1"
        ],
        "CIS-2.0": [
          "1.16"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-16"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-3"
        ],
        "FFIEC": [
          "d3-pc-am-b-1",
          "d3-pc-am-b-16",
          "d3-pc-am-b-2",
          "d3-pc-am-b-3",
          "d3-pc-am-b-6",
          "d3-pc-im-b-7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.3.1"
        ],
        "CIS-4.0.1": [
          "1.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP02"
        ],
        "CIS-3.0": [
          "1.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_1_3",
          "cc_6_3"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "OIS-04.01AC",
          "SP-01.04B",
          "HR-01.01B",
          "IAM-01.01B",
          "IAM-01.04B"
        ],
        "ISO27001-2022": [
          "A.5.18",
          "A.8.2"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.1"
        ],
        "SecNumCloud-3.2": [
          "9.1"
        ],
        "CIS-1.4": [
          "1.16"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2",
          "ac_3",
          "ac_5",
          "ac_6",
          "sc_2"
        ],
        "NIST-CSF-1.1": [
          "ac_1",
          "ac_4",
          "pt_3"
        ],
        "CIS-5.0": [
          "1.15"
        ],
        "CIS-1.5": [
          "1.16"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1",
          "ac_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ac-3",
          "ac-5-c",
          "ac-6-10",
          "ac-6",
          "sc-2"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_1_4",
          "3_1_5",
          "3_1_6",
          "3_1_7",
          "3_4_6",
          "3_13_3"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.1",
          "op.acc.4.aws.iam.2",
          "op.acc.4.aws.iam.9",
          "op.exp.8.r4.aws.ct.8"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1648",
          "T1098",
          "T1578",
          "T1550",
          "T1040",
          "T1580",
          "T1538",
          "T1619",
          "T1201"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM AWS-managed policies** attached to identities are inspected for statements that allow `Action:'*'` on `Resource:'*'`, i.e., full administrative `*:*` permissions.",
      "title": "Attached AWS-managed IAM policy does not allow '*:*' administrative privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_aws_attached_policy_no_administrative_privileges-211203495394-us-east-1-ElastiCacheServiceRolePolicy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "ElastiCacheServiceRolePolicy",
            "arn": "arn:aws:iam::aws:policy/aws-service-role/ElastiCacheServiceRolePolicy",
            "entity": "ANPAIML5LIBUZBVCSF7PI",
            "version_id": "v4",
            "type": "AWS",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "ElastiCacheManagementActions",
                  "Effect": "Allow",
                  "Action": [
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:CreateNetworkInterface",
                    "ec2:CreateSecurityGroup",
                    "ec2:DeleteNetworkInterface",
                    "ec2:DeleteSecurityGroup",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeVpcEndpoints",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:RevokeSecurityGroupIngress",
                    "cloudwatch:PutMetricData",
                    "outposts:GetOutpost",
                    "outposts:GetOutpostInstanceTypes",
                    "outposts:ListOutposts",
                    "outposts:ListSites"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "CreateDeleteVPCEndpoints",
                  "Effect": "Allow",
                  "Action": [
                    "ec2:CreateVpcEndpoint",
                    "ec2:DeleteVpcEndpoints"
                  ],
                  "Resource": "arn:aws:ec2:*:*:vpc-endpoint/*",
                  "Condition": {
                    "StringLike": {
                      "ec2:VpceServiceName": "com.amazonaws.elasticache.serverless.*"
                    }
                  }
                },
                {
                  "Sid": "TagVPCEndpointsOnCreation",
                  "Effect": "Allow",
                  "Action": [
                    "ec2:CreateTags"
                  ],
                  "Resource": "arn:aws:ec2:*:*:vpc-endpoint/*",
                  "Condition": {
                    "StringEquals": {
                      "ec2:CreateAction": "CreateVpcEndpoint",
                      "aws:RequestTag/AmazonElastiCacheManaged": "true"
                    }
                  }
                },
                {
                  "Sid": "ModifyVpcEndpoints",
                  "Effect": "Allow",
                  "Action": [
                    "ec2:ModifyVpcEndpoint"
                  ],
                  "Resource": "arn:aws:ec2:*:*:vpc-endpoint/*",
                  "Condition": {
                    "StringEquals": {
                      "ec2:ResourceTag/AmazonElastiCacheManaged": "true"
                    }
                  }
                },
                {
                  "Sid": "AllowAccessToElastiCacheTaggedVpcEndpoints",
                  "Effect": "Allow",
                  "Action": [
                    "ec2:CreateVpcEndpoint",
                    "ec2:ModifyVpcEndpoint"
                  ],
                  "NotResource": "arn:aws:ec2:*:*:vpc-endpoint/*"
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "ElastiCacheServiceRolePolicy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::aws:policy/aws-service-role/ElastiCacheServiceRolePolicy"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege**: avoid attaching AWS-managed policies that grant `*:*`.\n- Use **customer-managed, scoped policies** per role\n- Enforce **separation of duties** and **permissions boundaries**\n- Prefer **temporary, time-bound elevation** for emergencies with MFA\n- Regularly review access and use conditions to constrain context",
      "references": [
        "https://hub.prowler.com/check/iam_aws_attached_policy_no_administrative_privileges"
      ]
    },
    "risk_details": "**Unrestricted `*:*` access** enables any action on any resource, risking:\n- Data exfiltration (**confidentiality**)\n- Unauthorized changes and policy tampering (**integrity**)\n- Service deletion or shutdown (**availability**)\nAttackers can disable logging, create backdoor principals, and expand lateral movement.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS policy AWSTrustedAdvisorServiceRolePolicy is attached but does not allow '*:*' administrative privileges.",
    "metadata": {
      "event_code": "iam_aws_attached_policy_no_administrative_privileges",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "AWS policy AWSTrustedAdvisorServiceRolePolicy is attached but does not allow '*:*' administrative privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html",
        "https://support.icompaas.com/support/solutions/articles/62000233815-ensure-iam-roles-do-not-have-administratoraccess-policy-attached",
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_b",
          "164_308_a_3_i",
          "164_308_a_3_ii_b",
          "164_308_a_4_i",
          "164_308_a_4_ii_b",
          "164_308_a_4_ii_c",
          "164_312_a_1"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-3"
        ],
        "CIS-6.0": [
          "2.15"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_2_6",
          "ac_2_i_2",
          "ac_3",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_7",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_5_b",
          "ac_6",
          "ac_6_2",
          "ac_6_3",
          "ac_6_10",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "mp_2",
          "sc_23_3",
          "sc_25"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN01.AR01",
          "CCC.IAM.CN01.AR02",
          "CCC.IAM.CN02.AR01",
          "CCC.IAM.CN02.AR02",
          "CCC.IAM.CN04.AR01"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_1"
        ],
        "CIS-2.0": [
          "1.16"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-16"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-3"
        ],
        "FFIEC": [
          "d3-pc-am-b-1",
          "d3-pc-am-b-16",
          "d3-pc-am-b-2",
          "d3-pc-am-b-3",
          "d3-pc-am-b-6",
          "d3-pc-im-b-7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.3.1"
        ],
        "CIS-4.0.1": [
          "1.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP02"
        ],
        "CIS-3.0": [
          "1.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_1_3",
          "cc_6_3"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "OIS-04.01AC",
          "SP-01.04B",
          "HR-01.01B",
          "IAM-01.01B",
          "IAM-01.04B"
        ],
        "ISO27001-2022": [
          "A.5.18",
          "A.8.2"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.1"
        ],
        "SecNumCloud-3.2": [
          "9.1"
        ],
        "CIS-1.4": [
          "1.16"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2",
          "ac_3",
          "ac_5",
          "ac_6",
          "sc_2"
        ],
        "NIST-CSF-1.1": [
          "ac_1",
          "ac_4",
          "pt_3"
        ],
        "CIS-5.0": [
          "1.15"
        ],
        "CIS-1.5": [
          "1.16"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1",
          "ac_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ac-3",
          "ac-5-c",
          "ac-6-10",
          "ac-6",
          "sc-2"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_1_4",
          "3_1_5",
          "3_1_6",
          "3_1_7",
          "3_4_6",
          "3_13_3"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.1",
          "op.acc.4.aws.iam.2",
          "op.acc.4.aws.iam.9",
          "op.exp.8.r4.aws.ct.8"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1648",
          "T1098",
          "T1578",
          "T1550",
          "T1040",
          "T1580",
          "T1538",
          "T1619",
          "T1201"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM AWS-managed policies** attached to identities are inspected for statements that allow `Action:'*'` on `Resource:'*'`, i.e., full administrative `*:*` permissions.",
      "title": "Attached AWS-managed IAM policy does not allow '*:*' administrative privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_aws_attached_policy_no_administrative_privileges-211203495394-us-east-1-AWSTrustedAdvisorServiceRolePolicy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "AWSTrustedAdvisorServiceRolePolicy",
            "arn": "arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorServiceRolePolicy",
            "entity": "ANPAJH4QJ2WMHBOB47BUE",
            "version_id": "v14",
            "type": "AWS",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "TrustedAdvisorServiceRolePermissions",
                  "Effect": "Allow",
                  "Action": [
                    "access-analyzer:ListAnalyzers",
                    "autoscaling:DescribeAccountLimits",
                    "autoscaling:DescribeAutoScalingGroups",
                    "autoscaling:DescribeLaunchConfigurations",
                    "ce:GetReservationPurchaseRecommendation",
                    "ce:GetSavingsPlansPurchaseRecommendation",
                    "cloudformation:DescribeAccountLimits",
                    "cloudformation:DescribeStacks",
                    "cloudformation:ListStacks",
                    "cloudfront:ListDistributions",
                    "cloudtrail:DescribeTrails",
                    "cloudtrail:GetTrailStatus",
                    "cloudtrail:GetTrail",
                    "cloudtrail:ListTrails",
                    "cloudtrail:GetEventSelectors",
                    "cloudwatch:GetMetricStatistics",
                    "cloudwatch:ListMetrics",
                    "dax:DescribeClusters",
                    "dynamodb:DescribeLimits",
                    "dynamodb:DescribeTable",
                    "dynamodb:ListTables",
                    "ec2:DescribeAddresses",
                    "ec2:DescribeReservedInstances",
                    "ec2:DescribeInstances",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeInternetGateways",
                    "ec2:DescribeImages",
                    "ec2:DescribeNatGateways",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeRegions",
                    "ec2:DescribeReservedInstancesOfferings",
                    "ec2:DescribeRouteTables",
                    "ec2:DescribeSnapshots",
                    "ec2:DescribeVpcEndpoints",
                    "ec2:DescribeVpnConnections",
                    "ec2:DescribeVpnGateways",
                    "ec2:DescribeLaunchTemplateVersions",
                    "ec2:GetManagedPrefixListEntries",
                    "ecs:DescribeTaskDefinition",
                    "ecs:ListTaskDefinitions",
                    "elasticloadbalancing:DescribeAccountLimits",
                    "elasticloadbalancing:DescribeInstanceHealth",
                    "elasticloadbalancing:DescribeLoadBalancerAttributes",
                    "elasticloadbalancing:DescribeLoadBalancerPolicies",
                    "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:DescribeListeners",
                    "elasticloadbalancing:DescribeRules",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "elasticloadbalancing:DescribeTargetHealth",
                    "iam:GenerateCredentialReport",
                    "iam:GetAccountPasswordPolicy",
                    "iam:GetAccountSummary",
                    "iam:GetCredentialReport",
                    "iam:GetServerCertificate",
                    "iam:ListServerCertificates",
                    "iam:ListSAMLProviders",
                    "kinesis:DescribeLimits",
                    "kafka:DescribeClusterV2",
                    "kafka:ListClustersV2",
                    "kafka:ListNodes",
                    "network-firewall:ListFirewalls",
                    "network-firewall:DescribeFirewall",
                    "outposts:ListAssets",
                    "outposts:GetOutpost",
                    "outposts:ListOutposts",
                    "rds:DescribeAccountAttributes",
                    "rds:DescribeDBClusters",
                    "rds:DescribeDBEngineVersions",
                    "rds:DescribeDBInstances",
                    "rds:DescribeDBParameterGroups",
                    "rds:DescribeDBParameters",
                    "rds:DescribeDBSecurityGroups",
                    "rds:DescribeDBSnapshots",
                    "rds:DescribeDBSubnetGroups",
                    "rds:DescribeEngineDefaultParameters",
                    "rds:DescribeEvents",
                    "rds:DescribeOptionGroupOptions",
                    "rds:DescribeOptionGroups",
                    "rds:DescribeOrderableDBInstanceOptions",
                    "rds:DescribeReservedDBInstances",
                    "rds:DescribeReservedDBInstancesOfferings",
                    "rds:ListTagsForResource",
                    "redshift:DescribeClusters",
                    "redshift:DescribeReservedNodeOfferings",
                    "redshift:DescribeReservedNodes",
                    "route53:GetAccountLimit",
                    "route53:GetHealthCheck",
                    "route53:GetHostedZone",
                    "route53:ListHealthChecks",
                    "route53:ListHostedZones",
                    "route53:ListHostedZonesByName",
                    "route53:ListResourceRecordSets",
                    "route53resolver:ListResolverEndpoints",
                    "route53resolver:ListResolverEndpointIpAddresses",
                    "s3:GetAccountPublicAccessBlock",
                    "s3:GetBucketAcl",
                    "s3:GetBucketPolicy",
                    "s3:GetBucketPolicyStatus",
                    "s3:GetBucketLocation",
                    "s3:GetBucketLogging",
                    "s3:GetBucketVersioning",
                    "s3:GetBucketPublicAccessBlock",
                    "s3:GetLifecycleConfiguration",
                    "s3:ListBucket",
                    "s3:ListAllMyBuckets",
                    "ses:GetSendQuota",
                    "sqs:GetQueueAttributes",
                    "sqs:ListQueues"
                  ],
                  "Resource": "*"
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "AWSTrustedAdvisorServiceRolePolicy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorServiceRolePolicy"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege**: avoid attaching AWS-managed policies that grant `*:*`.\n- Use **customer-managed, scoped policies** per role\n- Enforce **separation of duties** and **permissions boundaries**\n- Prefer **temporary, time-bound elevation** for emergencies with MFA\n- Regularly review access and use conditions to constrain context",
      "references": [
        "https://hub.prowler.com/check/iam_aws_attached_policy_no_administrative_privileges"
      ]
    },
    "risk_details": "**Unrestricted `*:*` access** enables any action on any resource, risking:\n- Data exfiltration (**confidentiality**)\n- Unauthorized changes and policy tampering (**integrity**)\n- Service deletion or shutdown (**availability**)\nAttackers can disable logging, create backdoor principals, and expand lateral movement.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS policy AdministratorAccess is attached and allows '*:*' administrative privileges.",
    "metadata": {
      "event_code": "iam_aws_attached_policy_no_administrative_privileges",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS policy AdministratorAccess is attached and allows '*:*' administrative privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html",
        "https://support.icompaas.com/support/solutions/articles/62000233815-ensure-iam-roles-do-not-have-administratoraccess-policy-attached",
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_b",
          "164_308_a_3_i",
          "164_308_a_3_ii_b",
          "164_308_a_4_i",
          "164_308_a_4_ii_b",
          "164_308_a_4_ii_c",
          "164_312_a_1"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-3"
        ],
        "CIS-6.0": [
          "2.15"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_2_6",
          "ac_2_i_2",
          "ac_3",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_7",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_5_b",
          "ac_6",
          "ac_6_2",
          "ac_6_3",
          "ac_6_10",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "mp_2",
          "sc_23_3",
          "sc_25"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN01.AR01",
          "CCC.IAM.CN01.AR02",
          "CCC.IAM.CN02.AR01",
          "CCC.IAM.CN02.AR02",
          "CCC.IAM.CN04.AR01"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_1"
        ],
        "CIS-2.0": [
          "1.16"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-16"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-3"
        ],
        "FFIEC": [
          "d3-pc-am-b-1",
          "d3-pc-am-b-16",
          "d3-pc-am-b-2",
          "d3-pc-am-b-3",
          "d3-pc-am-b-6",
          "d3-pc-im-b-7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.3.1"
        ],
        "CIS-4.0.1": [
          "1.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP02"
        ],
        "CIS-3.0": [
          "1.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_1_3",
          "cc_6_3"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "OIS-04.01AC",
          "SP-01.04B",
          "HR-01.01B",
          "IAM-01.01B",
          "IAM-01.04B"
        ],
        "ISO27001-2022": [
          "A.5.18",
          "A.8.2"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.1"
        ],
        "SecNumCloud-3.2": [
          "9.1"
        ],
        "CIS-1.4": [
          "1.16"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2",
          "ac_3",
          "ac_5",
          "ac_6",
          "sc_2"
        ],
        "NIST-CSF-1.1": [
          "ac_1",
          "ac_4",
          "pt_3"
        ],
        "CIS-5.0": [
          "1.15"
        ],
        "CIS-1.5": [
          "1.16"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1",
          "ac_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ac-3",
          "ac-5-c",
          "ac-6-10",
          "ac-6",
          "sc-2"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_1_4",
          "3_1_5",
          "3_1_6",
          "3_1_7",
          "3_4_6",
          "3_13_3"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.1",
          "op.acc.4.aws.iam.2",
          "op.acc.4.aws.iam.9",
          "op.exp.8.r4.aws.ct.8"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1648",
          "T1098",
          "T1578",
          "T1550",
          "T1040",
          "T1580",
          "T1538",
          "T1619",
          "T1201"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM AWS-managed policies** attached to identities are inspected for statements that allow `Action:'*'` on `Resource:'*'`, i.e., full administrative `*:*` permissions.",
      "title": "Attached AWS-managed IAM policy does not allow '*:*' administrative privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_aws_attached_policy_no_administrative_privileges-211203495394-us-east-1-AdministratorAccess"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "AdministratorAccess",
            "arn": "arn:aws:iam::aws:policy/AdministratorAccess",
            "entity": "ANPAIWMBCKSKIEE64ZLYK",
            "version_id": "v1",
            "type": "AWS",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "*",
                  "Resource": "*"
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "AdministratorAccess",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::aws:policy/AdministratorAccess"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege**: avoid attaching AWS-managed policies that grant `*:*`.\n- Use **customer-managed, scoped policies** per role\n- Enforce **separation of duties** and **permissions boundaries**\n- Prefer **temporary, time-bound elevation** for emergencies with MFA\n- Regularly review access and use conditions to constrain context",
      "references": [
        "https://hub.prowler.com/check/iam_aws_attached_policy_no_administrative_privileges"
      ]
    },
    "risk_details": "**Unrestricted `*:*` access** enables any action on any resource, risking:\n- Data exfiltration (**confidentiality**)\n- Unauthorized changes and policy tampering (**integrity**)\n- Service deletion or shutdown (**availability**)\nAttackers can disable logging, create backdoor principals, and expand lateral movement.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS policy AWSSupportServiceRolePolicy is attached but does not allow '*:*' administrative privileges.",
    "metadata": {
      "event_code": "iam_aws_attached_policy_no_administrative_privileges",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "AWS policy AWSSupportServiceRolePolicy is attached but does not allow '*:*' administrative privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html",
        "https://support.icompaas.com/support/solutions/articles/62000233815-ensure-iam-roles-do-not-have-administratoraccess-policy-attached",
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_b",
          "164_308_a_3_i",
          "164_308_a_3_ii_b",
          "164_308_a_4_i",
          "164_308_a_4_ii_b",
          "164_308_a_4_ii_c",
          "164_312_a_1"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-3"
        ],
        "CIS-6.0": [
          "2.15"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_2_6",
          "ac_2_i_2",
          "ac_3",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_7",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_5_b",
          "ac_6",
          "ac_6_2",
          "ac_6_3",
          "ac_6_10",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "mp_2",
          "sc_23_3",
          "sc_25"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN01.AR01",
          "CCC.IAM.CN01.AR02",
          "CCC.IAM.CN02.AR01",
          "CCC.IAM.CN02.AR02",
          "CCC.IAM.CN04.AR01"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_1"
        ],
        "CIS-2.0": [
          "1.16"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-16"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-3"
        ],
        "FFIEC": [
          "d3-pc-am-b-1",
          "d3-pc-am-b-16",
          "d3-pc-am-b-2",
          "d3-pc-am-b-3",
          "d3-pc-am-b-6",
          "d3-pc-im-b-7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.3.1"
        ],
        "CIS-4.0.1": [
          "1.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP02"
        ],
        "CIS-3.0": [
          "1.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_1_3",
          "cc_6_3"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "OIS-04.01AC",
          "SP-01.04B",
          "HR-01.01B",
          "IAM-01.01B",
          "IAM-01.04B"
        ],
        "ISO27001-2022": [
          "A.5.18",
          "A.8.2"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.1"
        ],
        "SecNumCloud-3.2": [
          "9.1"
        ],
        "CIS-1.4": [
          "1.16"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2",
          "ac_3",
          "ac_5",
          "ac_6",
          "sc_2"
        ],
        "NIST-CSF-1.1": [
          "ac_1",
          "ac_4",
          "pt_3"
        ],
        "CIS-5.0": [
          "1.15"
        ],
        "CIS-1.5": [
          "1.16"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1",
          "ac_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ac-3",
          "ac-5-c",
          "ac-6-10",
          "ac-6",
          "sc-2"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_1_4",
          "3_1_5",
          "3_1_6",
          "3_1_7",
          "3_4_6",
          "3_13_3"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.1",
          "op.acc.4.aws.iam.2",
          "op.acc.4.aws.iam.9",
          "op.exp.8.r4.aws.ct.8"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1648",
          "T1098",
          "T1578",
          "T1550",
          "T1040",
          "T1580",
          "T1538",
          "T1619",
          "T1201"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM AWS-managed policies** attached to identities are inspected for statements that allow `Action:'*'` on `Resource:'*'`, i.e., full administrative `*:*` permissions.",
      "title": "Attached AWS-managed IAM policy does not allow '*:*' administrative privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_aws_attached_policy_no_administrative_privileges-211203495394-us-east-1-AWSSupportServiceRolePolicy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "AWSSupportServiceRolePolicy",
            "arn": "arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy",
            "entity": "ANPAJ7W6266ELXF5MISDS",
            "version_id": "v56",
            "type": "AWS",
            "attached": true,
            "document": {
              "Statement": [
                {
                  "Sid": "AWSSupportAPIGatewayAccess",
                  "Action": [
                    "apigateway:GET"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:apigateway:*::/account",
                    "arn:aws:apigateway:*::/apis",
                    "arn:aws:apigateway:*::/apis/*",
                    "arn:aws:apigateway:*::/apis/*/authorizers",
                    "arn:aws:apigateway:*::/apis/*/authorizers/*",
                    "arn:aws:apigateway:*::/apis/*/deployments",
                    "arn:aws:apigateway:*::/apis/*/deployments/*",
                    "arn:aws:apigateway:*::/apis/*/integrations",
                    "arn:aws:apigateway:*::/apis/*/integrations/*",
                    "arn:aws:apigateway:*::/apis/*/integrations/*/integrationresponses",
                    "arn:aws:apigateway:*::/apis/*/integrations/*/integrationresponses/*",
                    "arn:aws:apigateway:*::/apis/*/models",
                    "arn:aws:apigateway:*::/apis/*/models/*",
                    "arn:aws:apigateway:*::/apis/*/routes",
                    "arn:aws:apigateway:*::/apis/*/routes/*",
                    "arn:aws:apigateway:*::/apis/*/routes/*/routeresponses",
                    "arn:aws:apigateway:*::/apis/*/routes/*/routeresponses/*",
                    "arn:aws:apigateway:*::/apis/*/stages",
                    "arn:aws:apigateway:*::/apis/*/stages/*",
                    "arn:aws:apigateway:*::/clientcertificates",
                    "arn:aws:apigateway:*::/clientcertificates/*",
                    "arn:aws:apigateway:*::/domainnames",
                    "arn:aws:apigateway:*::/domainnames/*",
                    "arn:aws:apigateway:*::/domainnames/*/apimappings",
                    "arn:aws:apigateway:*::/domainnames/*/apimappings/*",
                    "arn:aws:apigateway:*::/domainnames/*/basepathmappings",
                    "arn:aws:apigateway:*::/domainnames/*/basepathmappings/*",
                    "arn:aws:apigateway:*::/restapis",
                    "arn:aws:apigateway:*::/restapis/*",
                    "arn:aws:apigateway:*::/restapis/*/authorizers",
                    "arn:aws:apigateway:*::/restapis/*/authorizers/*",
                    "arn:aws:apigateway:*::/restapis/*/deployments",
                    "arn:aws:apigateway:*::/restapis/*/deployments/*",
                    "arn:aws:apigateway:*::/restapis/*/models",
                    "arn:aws:apigateway:*::/restapis/*/models/*",
                    "arn:aws:apigateway:*::/restapis/*/models/*/default_template",
                    "arn:aws:apigateway:*::/restapis/*/resources",
                    "arn:aws:apigateway:*::/restapis/*/resources/*",
                    "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*/integration/responses/*",
                    "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*/responses/*",
                    "arn:aws:apigateway:*::/restapis/*/stages/*/sdks/*",
                    "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*",
                    "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*/integration",
                    "arn:aws:apigateway:*::/restapis/*/stages",
                    "arn:aws:apigateway:*::/restapis/*/stages/*",
                    "arn:aws:apigateway:*::/usageplans",
                    "arn:aws:apigateway:*::/usageplans/*",
                    "arn:aws:apigateway:*::/vpclinks",
                    "arn:aws:apigateway:*::/vpclinks/*"
                  ]
                },
                {
                  "Sid": "AWSSupportDeleteRoleAccess",
                  "Action": [
                    "iam:DeleteRole"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:iam::*:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"
                  ]
                },
                {
                  "Sid": "AWSSupportActionsGroup1",
                  "Action": [
                    "access-analyzer:getAccessPreview",
                    "access-analyzer:getAnalyzedResource",
                    "access-analyzer:getAnalyzer",
                    "access-analyzer:getArchiveRule",
                    "access-analyzer:getFinding",
                    "access-analyzer:getGeneratedPolicy",
                    "access-analyzer:listAccessPreviewFindings",
                    "access-analyzer:listAccessPreviews",
                    "access-analyzer:listAnalyzedResources",
                    "access-analyzer:listAnalyzers",
                    "access-analyzer:listArchiveRules",
                    "access-analyzer:listFindings",
                    "access-analyzer:listPolicyGenerations",
                    "account:getRegionOptStatus",
                    "account:listRegions",
                    "acm-pca:describeCertificateAuthority",
                    "acm-pca:describeCertificateAuthorityAuditReport",
                    "acm-pca:getCertificate",
                    "acm-pca:getCertificateAuthorityCertificate",
                    "acm-pca:getCertificateAuthorityCsr",
                    "acm-pca:listCertificateAuthorities",
                    "acm-pca:listTags",
                    "acm:describeCertificate",
                    "acm:getAccountConfiguration",
                    "acm:getCertificate",
                    "acm:listCertificates",
                    "acm:listTagsForCertificate",
                    "aiops:getInvestigationGroup",
                    "aiops:getInvestigationGroupPolicy",
                    "aiops:listInvestigationGroups",
                    "airflow:getEnvironment",
                    "airflow:listEnvironments",
                    "airflow:listTagsForResource",
                    "amplify:getApp",
                    "amplify:getBackendEnvironment",
                    "amplify:getBranch",
                    "amplify:getDomainAssociation",
                    "amplify:getJob",
                    "amplify:getWebhook",
                    "amplify:listApps",
                    "amplify:listBackendEnvironments",
                    "amplify:listBranches",
                    "amplify:listDomainAssociations",
                    "amplify:listJobs",
                    "amplify:listWebhooks",
                    "amplifyuibuilder:exportComponents",
                    "amplifyuibuilder:exportThemes",
                    "aoss:batchGetCollection",
                    "aoss:batchGetEffectiveLifecyclePolicy",
                    "aoss:batchGetLifecyclePolicy",
                    "aoss:batchGetVpcEndpoint",
                    "aoss:getAccessPolicy",
                    "aoss:getAccountSettings",
                    "aoss:getPoliciesStats",
                    "aoss:getSecurityConfig",
                    "aoss:getSecurityPolicy",
                    "aoss:listAccessPolicies",
                    "aoss:listCollections",
                    "aoss:listLifecyclePolicies",
                    "aoss:listSecurityConfigs",
                    "aoss:listSecurityPolicies",
                    "aoss:listTagsForResource",
                    "aoss:listVpcEndpoints",
                    "appconfig:getApplication",
                    "appconfig:getConfigurationProfile",
                    "appconfig:getDeployment",
                    "appconfig:getDeploymentStrategy",
                    "appconfig:getEnvironment",
                    "appconfig:getExtension",
                    "appconfig:getExtensionAssociation",
                    "appconfig:listApplications",
                    "appconfig:listConfigurationProfiles",
                    "appconfig:listDeployments",
                    "appconfig:listDeploymentStrategies",
                    "appconfig:listEnvironments",
                    "appconfig:listExtensionAssociations",
                    "appconfig:listExtensions",
                    "appconfig:listHostedConfigurationVersions",
                    "appflow:describeConnectorEntity",
                    "appflow:describeConnectorProfiles",
                    "appflow:describeConnectors",
                    "appflow:describeFlow",
                    "appflow:describeFlowExecutionRecords",
                    "appflow:listConnectorEntities",
                    "appflow:listFlows",
                    "application-autoscaling:describeScalableTargets",
                    "application-autoscaling:describeScalingActivities",
                    "application-autoscaling:describeScalingPolicies",
                    "application-autoscaling:describeScheduledActions",
                    "application-signals:getService",
                    "application-signals:getServiceLevelObjective",
                    "application-signals:listServiceDependencies",
                    "application-signals:listServiceDependents",
                    "application-signals:listServiceLevelObjectives",
                    "application-signals:listServiceOperations",
                    "application-signals:listServices",
                    "applicationinsights:describeApplication",
                    "applicationinsights:describeComponent",
                    "applicationinsights:describeComponentConfiguration",
                    "applicationinsights:describeComponentConfigurationRecommendation",
                    "applicationinsights:describeLogPattern",
                    "applicationinsights:describeObservation",
                    "applicationinsights:describeProblem",
                    "applicationinsights:describeProblemObservations",
                    "applicationinsights:listApplications",
                    "applicationinsights:listComponents",
                    "applicationinsights:listConfigurationHistory",
                    "applicationinsights:listLogPatterns",
                    "applicationinsights:listLogPatternSets",
                    "applicationinsights:listProblems",
                    "appmesh:describeGatewayRoute",
                    "appmesh:describeMesh",
                    "appmesh:describeRoute",
                    "appmesh:describeVirtualGateway",
                    "appmesh:describeVirtualNode",
                    "appmesh:describeVirtualRouter",
                    "appmesh:describeVirtualService",
                    "appmesh:listGatewayRoutes",
                    "appmesh:listMeshes",
                    "appmesh:listRoutes",
                    "appmesh:listTagsForResource",
                    "appmesh:listVirtualGateways",
                    "appmesh:listVirtualNodes",
                    "appmesh:listVirtualRouters",
                    "appmesh:listVirtualServices",
                    "apprunner:describeAutoScalingConfiguration",
                    "apprunner:describeCustomDomains",
                    "apprunner:describeObservabilityConfiguration",
                    "apprunner:describeOperation",
                    "apprunner:describeService",
                    "apprunner:describeVpcConnector",
                    "apprunner:describeVpcIngressConnection",
                    "apprunner:listAutoScalingConfigurations",
                    "apprunner:listConnections",
                    "apprunner:listObservabilityConfigurations",
                    "apprunner:listOperations",
                    "apprunner:listServices",
                    "apprunner:listTagsForResource",
                    "apprunner:listVpcConnectors",
                    "apprunner:listVpcIngressConnections",
                    "appstream:describeAppBlockBuilderAppBlockAssociations",
                    "appstream:describeAppBlockBuilders",
                    "appstream:describeAppBlocks",
                    "appstream:describeApplicationFleetAssociations",
                    "appstream:describeApplications",
                    "appstream:describeDirectoryConfigs",
                    "appstream:describeEntitlements",
                    "appstream:describeFleets",
                    "appstream:describeImageBuilders",
                    "appstream:describeImagePermissions",
                    "appstream:describeImages",
                    "appstream:describeSessions",
                    "appstream:describeStacks",
                    "appstream:describeUsageReportSubscriptions",
                    "appstream:describeUsers",
                    "appstream:describeUserStackAssociations",
                    "appstream:listAssociatedFleets",
                    "appstream:listAssociatedStacks",
                    "appstream:listEntitledApplications",
                    "appstream:listTagsForResource",
                    "appsync:evaluateCode",
                    "appsync:evaluateMappingTemplate",
                    "appsync:getApi",
                    "appsync:getApiAssociation",
                    "appsync:getApiCache",
                    "appsync:getChannelNamespace",
                    "appsync:getDataSource",
                    "appsync:getDataSourceIntrospection",
                    "appsync:getDomainName",
                    "appsync:getFunction",
                    "appsync:getGraphqlApi",
                    "appsync:getGraphqlApiEnvironmentVariables",
                    "appsync:getIntrospectionSchema",
                    "appsync:getResolver",
                    "appsync:getSchemaCreationStatus",
                    "appsync:getSourceApiAssociation",
                    "appsync:getType",
                    "appsync:listApis",
                    "appsync:listChannelNamespaces",
                    "appsync:listDataSources",
                    "appsync:listDomainNames",
                    "appsync:listFunctions",
                    "appsync:listGraphqlApis",
                    "appsync:listResolvers",
                    "appsync:listResolversByFunction",
                    "appsync:listSourceApiAssociations",
                    "appsync:listTypes",
                    "appsync:listTypesByAssociation",
                    "aps:describeAlertManagerDefinition",
                    "aps:describeRuleGroupsNamespace",
                    "aps:describeScraper",
                    "aps:describeWorkspace",
                    "aps:listRuleGroupsNamespaces",
                    "aps:listScrapers",
                    "aps:listWorkspaces",
                    "athena:batchGetNamedQuery",
                    "athena:batchGetQueryExecution",
                    "athena:getCalculationExecution",
                    "athena:getCalculationExecutionStatus",
                    "athena:getCapacityAssignmentConfiguration",
                    "athena:getCapacityReservation",
                    "athena:getDataCatalog",
                    "athena:getNamedQuery",
                    "athena:getNotebookMetadata",
                    "athena:getQueryExecution",
                    "athena:getQueryRuntimeStatistics",
                    "athena:getSession",
                    "athena:getSessionStatus",
                    "athena:getWorkGroup",
                    "athena:listApplicationDPUSizes",
                    "athena:listCalculationExecutions",
                    "athena:listCapacityReservations",
                    "athena:listDataCatalogs",
                    "athena:listEngineVersions",
                    "athena:listExecutors",
                    "athena:listNamedQueries",
                    "athena:listNotebookMetadata",
                    "athena:listNotebookSessions",
                    "athena:listQueryExecutions",
                    "athena:listSessions",
                    "athena:listTagsForResource",
                    "athena:listWorkGroups",
                    "auditmanager:getAccountStatus",
                    "auditmanager:getDelegations",
                    "auditmanager:listAssessmentFrameworks",
                    "auditmanager:listAssessmentReports",
                    "auditmanager:listAssessments",
                    "auditmanager:listControls",
                    "auditmanager:listKeywordsForDataSource",
                    "auditmanager:listNotifications",
                    "autoscaling-plans:describeScalingPlanResources",
                    "autoscaling-plans:describeScalingPlans",
                    "autoscaling-plans:getScalingPlanResourceForecastData",
                    "autoscaling:describeAccountLimits",
                    "autoscaling:describeAdjustmentTypes",
                    "autoscaling:describeAutoScalingGroups",
                    "autoscaling:describeAutoScalingInstances",
                    "autoscaling:describeAutoScalingNotificationTypes",
                    "autoscaling:describeInstanceRefreshes",
                    "autoscaling:describeLaunchConfigurations",
                    "autoscaling:describeLifecycleHooks",
                    "autoscaling:describeLifecycleHookTypes",
                    "autoscaling:describeLoadBalancers",
                    "autoscaling:describeLoadBalancerTargetGroups",
                    "autoscaling:describeMetricCollectionTypes",
                    "autoscaling:describeNotificationConfigurations",
                    "autoscaling:describePolicies",
                    "autoscaling:describeScalingActivities",
                    "autoscaling:describeScalingProcessTypes",
                    "autoscaling:describeScheduledActions",
                    "autoscaling:describeTags",
                    "autoscaling:describeTerminationPolicyTypes",
                    "autoscaling:describeTrafficSources",
                    "autoscaling:describeWarmPool",
                    "backup-gateway:getBandwidthRateLimitSchedule",
                    "backup-gateway:getGateway",
                    "backup-gateway:getHypervisor",
                    "backup-gateway:getHypervisorPropertyMappings",
                    "backup-gateway:getVirtualMachine",
                    "backup-gateway:listGateways",
                    "backup-gateway:listHypervisors",
                    "backup-gateway:listVirtualMachines",
                    "backup-search:listSearchJobBackups",
                    "backup-search:listSearchJobs",
                    "backup:describeBackupJob",
                    "backup:describeBackupVault",
                    "backup:describeCopyJob",
                    "backup:describeFramework",
                    "backup:describeGlobalSettings",
                    "backup:describeProtectedResource",
                    "backup:describeRecoveryPoint",
                    "backup:describeRegionSettings",
                    "backup:describeReportJob",
                    "backup:describeReportPlan",
                    "backup:describeRestoreJob",
                    "backup:getBackupPlan",
                    "backup:getBackupPlanFromJSON",
                    "backup:getBackupPlanFromTemplate",
                    "backup:getBackupSelection",
                    "backup:getBackupVaultAccessPolicy",
                    "backup:getBackupVaultNotifications",
                    "backup:getLegalHold",
                    "backup:getRecoveryPointRestoreMetadata",
                    "backup:getRecoveryPointIndexDetails",
                    "backup:getRestoreJobMetadata",
                    "backup:getRestoreTestingInferredMetadata",
                    "backup:getRestoreTestingPlan",
                    "backup:getRestoreTestingSelection",
                    "backup:getSupportedResourceTypes",
                    "backup:listBackupJobs",
                    "backup:listBackupPlans",
                    "backup:listBackupPlanTemplates",
                    "backup:listBackupPlanVersions",
                    "backup:listBackupSelections",
                    "backup:listBackupVaults",
                    "backup:listCopyJobs",
                    "backup:listFrameworks",
                    "backup:listIndexedRecoveryPoints",
                    "backup:listLegalHolds",
                    "backup:listProtectedResources",
                    "backup:listRecoveryPointsByBackupVault",
                    "backup:listRecoveryPointsByLegalHold",
                    "backup:listRecoveryPointsByResource",
                    "backup:listReportJobs",
                    "backup:listReportPlans",
                    "backup:listRestoreJobs",
                    "backup:listRestoreJobsByProtectedResource",
                    "backup:listRestoreTestingPlans",
                    "backup:listRestoreTestingSelections",
                    "backup:listTags",
                    "batch:describeComputeEnvironments",
                    "batch:describeJobDefinitions",
                    "batch:describeJobQueues",
                    "batch:describeJobs",
                    "batch:describeSchedulingPolicies",
                    "batch:listJobs",
                    "bedrock:getAgent",
                    "bedrock:getAgentActionGroup",
                    "bedrock:getAgentAlias",
                    "bedrock:getAgentKnowledgeBase",
                    "bedrock:getAgentVersion",
                    "bedrock:getAutomatedReasoningPolicy",
                    "bedrock:getAutomatedReasoningPolicyAnnotations",
                    "bedrock:getAutomatedReasoningPolicyBuildWorkflow",
                    "bedrock:getAutomatedReasoningPolicyBuildWorkflowResultAssets",
                    "bedrock:getAutomatedReasoningPolicyNextScenario",
                    "bedrock:getAutomatedReasoningPolicyTestCase",
                    "bedrock:getAutomatedReasoningPolicyTestResult",
                    "bedrock:getCustomModel",
                    "bedrock:getDataSource",
                    "bedrock:getEvaluationJob",
                    "bedrock:getFlow",
                    "bedrock:getFlowAlias",
                    "bedrock:getFlowVersion",
                    "bedrock:getFoundationModel",
                    "bedrock:getGuardrail",
                    "bedrock:getImportedModel",
                    "bedrock:getInferenceProfile",
                    "bedrock:getIngestionJob",
                    "bedrock:getKnowledgeBase",
                    "bedrock:getMarketplaceModelEndpoint",
                    "bedrock:getModelCopyJob",
                    "bedrock:getModelCustomizationJob",
                    "bedrock:getModelImportJob",
                    "bedrock:getModelInvocationJob",
                    "bedrock:getModelInvocationLoggingConfiguration",
                    "bedrock:getPrompt",
                    "bedrock:getPromptRouter",
                    "bedrock:getProvisionedModelThroughput",
                    "bedrock:listAgentActionGroups",
                    "bedrock:listAgentAliases",
                    "bedrock:listAgentKnowledgeBases",
                    "bedrock:listAgents",
                    "bedrock:listAgentVersions",
                    "bedrock:listAutomatedReasoningPolicies",
                    "bedrock:listAutomatedReasoningPolicyBuildWorkflows",
                    "bedrock:listAutomatedReasoningPolicyTestCases",
                    "bedrock:listAutomatedReasoningPolicyTestResults",
                    "bedrock:listCustomModels",
                    "bedrock:listDataSources",
                    "bedrock:listEvaluationJobs",
                    "bedrock:exportAutomatedReasoningPolicyVersion",
                    "bedrock:listFlowAliases",
                    "bedrock:listFlows",
                    "bedrock:listFlowVersions",
                    "bedrock:listFoundationModels",
                    "bedrock:listGuardrails",
                    "bedrock:listImportedModels",
                    "bedrock:listInferenceProfiles",
                    "bedrock:listIngestionJobs",
                    "bedrock:listKnowledgeBases",
                    "bedrock:listMarketplaceModelEndpoints",
                    "bedrock:listModelCopyJobs",
                    "bedrock:listModelCustomizationJobs",
                    "bedrock:listModelImportJobs",
                    "bedrock:listModelInvocationJobs",
                    "bedrock:listPromptRouters",
                    "bedrock:listPrompts",
                    "bedrock:listProvisionedModelThroughputs",
                    "braket:getDevice",
                    "braket:getJob",
                    "braket:getQuantumTask",
                    "braket:getServiceLinkedRoleStatus",
                    "braket:getUserAgreementStatus",
                    "braket:searchDevices",
                    "braket:searchJobs",
                    "braket:searchQuantumTasks",
                    "braket:searchSpendingLimits",
                    "budgets:viewBudget",
                    "ce:getCostAndUsage",
                    "ce:getCostAndUsageWithResources",
                    "ce:getCostForecast",
                    "ce:getDimensionValues",
                    "ce:getReservationCoverage",
                    "ce:getReservationPurchaseRecommendation",
                    "ce:getReservationUtilization",
                    "ce:getRightsizingRecommendation",
                    "ce:getSavingsPlansCoverage",
                    "ce:getSavingsPlansPurchaseRecommendation",
                    "ce:getSavingsPlansUtilization",
                    "ce:getSavingsPlansUtilizationDetails",
                    "ce:getTags",
                    "chime:describeAppInstance",
                    "chime:getAttendee",
                    "chime:getGlobalSettings",
                    "chime:getMediaCapturePipeline",
                    "chime:getMediaPipeline",
                    "chime:getMeeting",
                    "chime:getProxySession",
                    "chime:getSipMediaApplication",
                    "chime:getSipRule",
                    "chime:getVoiceConnector",
                    "chime:getVoiceConnectorGroup",
                    "chime:getVoiceConnectorLoggingConfiguration",
                    "chime:listAppInstances",
                    "chime:listAttendees",
                    "chime:listChannelBans",
                    "chime:listChannels",
                    "chime:listChannelsModeratedByAppInstanceUser",
                    "chime:listMediaCapturePipelines",
                    "chime:listMediaPipelines",
                    "chime:listMeetings",
                    "chime:listSipMediaApplications",
                    "chime:listSipRules",
                    "chime:listVoiceConnectorGroups",
                    "chime:listVoiceConnectors",
                    "cleanrooms:batchGetCollaborationAnalysisTemplate",
                    "cleanrooms:batchGetSchema",
                    "cleanrooms:getAnalysisTemplate",
                    "cleanrooms:getCollaboration",
                    "cleanrooms:getCollaborationAnalysisTemplate",
                    "cleanrooms:getCollaborationConfiguredAudienceModelAssociation",
                    "cleanrooms:getCollaborationPrivacyBudgetTemplate",
                    "cleanrooms:getConfiguredTable",
                    "cleanrooms:getConfiguredTableAnalysisRule",
                    "cleanrooms:getConfiguredTableAssociation",
                    "cleanrooms:getConfiguredAudienceModelAssociation",
                    "cleanrooms:getMembership",
                    "cleanrooms:getPrivacyBudgetTemplate",
                    "cleanrooms:getSchema",
                    "cleanrooms:getSchemaAnalysisRule",
                    "cleanrooms:listAnalysisTemplates",
                    "cleanrooms:listCollaborationAnalysisTemplates",
                    "cleanrooms:listCollaborationConfiguredAudienceModelAssociations",
                    "cleanrooms:listCollaborationPrivacyBudgetTemplates",
                    "cleanrooms:listCollaborationPrivacyBudgets",
                    "cleanrooms:listCollaborations",
                    "cleanrooms:listConfiguredAudienceModelAssociations",
                    "cleanrooms:listConfiguredTableAssociations",
                    "cleanrooms:listConfiguredTables",
                    "cleanrooms:listMembers",
                    "cleanrooms:listMemberships",
                    "cleanrooms:listPrivacyBudgetTemplates",
                    "cleanrooms:listPrivacyBudgets",
                    "cleanrooms:listProtectedQueries",
                    "cleanrooms:listSchemas",
                    "cleanrooms:previewPrivacyImpact",
                    "cloud9:describeEnvironmentMemberships",
                    "cloud9:describeEnvironments",
                    "cloud9:listEnvironments",
                    "clouddirectory:getDirectory",
                    "clouddirectory:listDirectories",
                    "cloudformation:batchDescribeTypeConfigurations",
                    "cloudformation:describeAccountLimits",
                    "cloudformation:describeChangeSet",
                    "cloudformation:describeChangeSetHooks",
                    "cloudformation:describePublisher",
                    "cloudformation:describeStackDriftDetectionStatus",
                    "cloudformation:describeStackEvents",
                    "cloudformation:describeStackInstance",
                    "cloudformation:describeStackResource",
                    "cloudformation:describeStackResourceDrifts",
                    "cloudformation:describeStackResources",
                    "cloudformation:describeStacks",
                    "cloudformation:describeStackSet",
                    "cloudformation:describeStackSetOperation",
                    "cloudformation:describeType",
                    "cloudformation:describeTypeRegistration",
                    "cloudformation:estimateTemplateCost",
                    "cloudformation:getResource",
                    "cloudformation:getStackPolicy",
                    "cloudformation:getTemplate",
                    "cloudformation:getTemplateSummary",
                    "cloudformation:listChangeSets",
                    "cloudformation:listExports",
                    "cloudformation:listImports",
                    "cloudformation:listResources",
                    "cloudformation:listStackInstances",
                    "cloudformation:listStackResources",
                    "cloudformation:listStacks",
                    "cloudformation:listStackSetOperationResults",
                    "cloudformation:listStackSetOperations",
                    "cloudformation:listStackSets",
                    "cloudformation:listTypeRegistrations",
                    "cloudformation:listTypes",
                    "cloudformation:listTypeVersions",
                    "cloudfront:describeFunction",
                    "cloudfront:describeKeyValueStore",
                    "cloudfront:getAnycastIpList",
                    "cloudfront:getCachePolicy",
                    "cloudfront:getCachePolicyConfig",
                    "cloudfront:getCloudFrontOriginAccessIdentity",
                    "cloudfront:getCloudFrontOriginAccessIdentityConfig",
                    "cloudfront:getContinuousDeploymentPolicy",
                    "cloudfront:getContinuousDeploymentPolicyConfig",
                    "cloudfront:getDistribution",
                    "cloudfront:getDistributionConfig",
                    "cloudfront:getInvalidation",
                    "cloudfront:getKeyGroup",
                    "cloudfront:getKeyGroupConfig",
                    "cloudfront:getMonitoringSubscription",
                    "cloudfront:getOriginAccessControl",
                    "cloudfront:getOriginAccessControlConfig",
                    "cloudfront:getOriginRequestPolicy",
                    "cloudfront:getOriginRequestPolicyConfig",
                    "cloudfront:getPublicKey",
                    "cloudfront:getPublicKeyConfig",
                    "cloudfront:getRealtimeLogConfig",
                    "cloudfront:getResponseHeadersPolicy",
                    "cloudfront:getResponseHeadersPolicyConfig",
                    "cloudfront:getStreamingDistribution",
                    "cloudfront:getStreamingDistributionConfig",
                    "cloudfront:getVpcOrigin",
                    "cloudfront:listAnycastIpLists",
                    "cloudfront:listCachePolicies",
                    "cloudfront:listCloudFrontOriginAccessIdentities",
                    "cloudfront:listConflictingAliases",
                    "cloudfront:listContinuousDeploymentPolicies",
                    "cloudfront:listDistributions",
                    "cloudfront:listDistributionsByAnycastIpListId",
                    "cloudfront:listDistributionsByCachePolicyId",
                    "cloudfront:listDistributionsByKeyGroup",
                    "cloudfront:listDistributionsByOriginRequestPolicyId",
                    "cloudfront:listDistributionsByRealtimeLogConfig",
                    "cloudfront:listDistributionsByResponseHeadersPolicyId",
                    "cloudfront:listDistributionsByVpcOriginId",
                    "cloudfront:listDistributionsByWebACLId",
                    "cloudfront:listFunctions",
                    "cloudfront:listInvalidations",
                    "cloudfront:listKeyGroups",
                    "cloudfront:listKeyValueStores",
                    "cloudfront:listOriginAccessControls",
                    "cloudfront:listOriginRequestPolicies",
                    "cloudfront:listPublicKeys",
                    "cloudfront:listRealtimeLogConfigs",
                    "cloudfront:listResponseHeadersPolicies",
                    "cloudfront:listStreamingDistributions",
                    "cloudfront:listVpcOrigins",
                    "cloudhsm:describeBackups",
                    "cloudhsm:describeClusters",
                    "cloudsearch:describeAnalysisSchemes",
                    "cloudsearch:describeAvailabilityOptions",
                    "cloudsearch:describeDomains",
                    "cloudsearch:describeExpressions",
                    "cloudsearch:describeIndexFields",
                    "cloudsearch:describeScalingParameters",
                    "cloudsearch:describeServiceAccessPolicies",
                    "cloudsearch:describeSuggesters",
                    "cloudsearch:listDomainNames",
                    "cloudtrail:describeTrails",
                    "cloudtrail:getEventSelectors",
                    "cloudtrail:getInsightSelectors",
                    "cloudtrail:getTrail",
                    "cloudtrail:getTrailStatus",
                    "cloudtrail:listPublicKeys",
                    "cloudtrail:listTags",
                    "cloudtrail:listTrails",
                    "cloudtrail:lookupEvents",
                    "cloudwatch:describeAlarmHistory",
                    "cloudwatch:describeAlarms",
                    "cloudwatch:describeAlarmsForMetric",
                    "cloudwatch:describeAnomalyDetectors",
                    "cloudwatch:describeInsightRules",
                    "cloudwatch:getDashboard",
                    "cloudwatch:getInsightRuleReport",
                    "cloudwatch:getMetricData",
                    "cloudwatch:getMetricStatistics",
                    "cloudwatch:getMetricStream",
                    "cloudWatch:getMetricWidgetImage",
                    "cloudwatch:listDashboards",
                    "cloudwatch:listManagedInsightRules",
                    "cloudwatch:listMetrics",
                    "cloudwatch:listMetricStreams",
                    "codeartifact:describeDomain",
                    "codeartifact:describePackageVersion",
                    "codeartifact:describeRepository",
                    "codeartifact:getDomainPermissionsPolicy",
                    "codeartifact:getRepositoryEndpoint",
                    "codeartifact:getRepositoryPermissionsPolicy",
                    "codeartifact:listDomains",
                    "codeartifact:listPackages",
                    "codeartifact:listPackageVersionAssets",
                    "codeartifact:listPackageVersions",
                    "codeartifact:listRepositories",
                    "codeartifact:listRepositoriesInDomain",
                    "codebuild:batchGetBuildBatches",
                    "codebuild:batchGetBuilds",
                    "codebuild:batchGetFleets",
                    "codebuild:batchGetProjects",
                    "codebuild:listBuildBatches",
                    "codebuild:listBuildBatchesForProject",
                    "codebuild:listBuilds",
                    "codebuild:listBuildsForProject",
                    "codebuild:listCuratedEnvironmentImages",
                    "codebuild:listFleets",
                    "codebuild:listProjects",
                    "codebuild:listSourceCredentials",
                    "codecommit:batchGetRepositories",
                    "codecommit:getBranch",
                    "codecommit:getRepository",
                    "codecommit:getRepositoryTriggers",
                    "codecommit:listBranches",
                    "codecommit:listRepositories",
                    "codeconnections:getConnection",
                    "codeconnections:getHost",
                    "codeconnections:getRepositoryLink",
                    "codeconnections:getRepositorySyncStatus",
                    "codeconnections:getResourceSyncStatus",
                    "codeconnections:getSyncBlockerSummary",
                    "codeconnections:getSyncConfiguration",
                    "codeconnections:listConnections",
                    "codeconnections:listHosts",
                    "codeconnections:listRepositoryLinks",
                    "codeconnections:listRepositorySyncDefinitions",
                    "codeconnections:listSyncConfigurations",
                    "codedeploy:batchGetApplicationRevisions",
                    "codedeploy:batchGetApplications",
                    "codedeploy:batchGetDeploymentGroups",
                    "codedeploy:batchGetDeploymentInstances",
                    "codedeploy:batchGetDeployments",
                    "codedeploy:batchGetDeploymentTargets",
                    "codedeploy:batchGetOnPremisesInstances",
                    "codedeploy:getApplication",
                    "codedeploy:getApplicationRevision",
                    "codedeploy:getDeployment",
                    "codedeploy:getDeploymentConfig",
                    "codedeploy:getDeploymentGroup",
                    "codedeploy:getDeploymentInstance",
                    "codedeploy:getDeploymentTarget",
                    "codedeploy:getOnPremisesInstance",
                    "codedeploy:listApplicationRevisions",
                    "codedeploy:listApplications",
                    "codedeploy:listDeploymentConfigs",
                    "codedeploy:listDeploymentGroups",
                    "codedeploy:listDeploymentInstances",
                    "codedeploy:listDeployments",
                    "codedeploy:listDeploymentTargets",
                    "codedeploy:listGitHubAccountTokenNames",
                    "codedeploy:listOnPremisesInstances",
                    "codepipeline:getJobDetails",
                    "codepipeline:getPipeline",
                    "codepipeline:getPipelineExecution",
                    "codepipeline:getPipelineState",
                    "codepipeline:listActionExecutions",
                    "codepipeline:listActionTypes",
                    "codepipeline:listPipelineExecutions",
                    "codepipeline:listPipelines",
                    "codepipeline:listRuleExecutions",
                    "codepipeline:listWebhooks",
                    "codestar-connections:getConnection",
                    "codestar-connections:getHost",
                    "codestar-connections:listConnections",
                    "codestar-connections:listHosts",
                    "codestar:describeProject",
                    "codestar:listProjects",
                    "codestar:listResources",
                    "codestar:listTeamMembers",
                    "codestar:listUserProfiles",
                    "cognito-identity:describeIdentity",
                    "cognito-identity:describeIdentityPool",
                    "cognito-identity:getIdentityPoolAnalytics",
                    "cognito-identity:getIdentityPoolDailyAnalytics",
                    "cognito-identity:getIdentityPoolRoles",
                    "cognito-identity:getIdentityProviderDailyAnalytics",
                    "cognito-identity:listIdentities",
                    "cognito-identity:listIdentityPools",
                    "cognito-identity:lookupDeveloperIdentity",
                    "cognito-idp:describeIdentityProvider",
                    "cognito-idp:describeResourceServer",
                    "cognito-idp:describeRiskConfiguration",
                    "cognito-idp:describeUserImportJob",
                    "cognito-idp:describeUserPool",
                    "cognito-idp:describeUserPoolClient",
                    "cognito-idp:describeUserPoolDomain",
                    "cognito-idp:getCSVHeader",
                    "cognito-idp:getGroup",
                    "cognito-idp:getLogDeliveryConfiguration",
                    "cognito-idp:getUICustomization",
                    "cognito-idp:getUserPoolMfaConfig",
                    "cognito-idp:listGroups",
                    "cognito-idp:listIdentityProviders",
                    "cognito-idp:listResourceServers",
                    "cognito-idp:listUserImportJobs",
                    "cognito-idp:listUserPoolClients",
                    "cognito-idp:listUserPools",
                    "cognito-sync:describeDataset",
                    "cognito-sync:describeIdentityPoolUsage",
                    "cognito-sync:describeIdentityUsage",
                    "cognito-sync:getCognitoEvents",
                    "cognito-sync:getIdentityPoolConfiguration",
                    "cognito-sync:listDatasets",
                    "cognito-sync:listIdentityPoolUsage",
                    "comprehend:describeDocumentClassificationJob",
                    "comprehend:describeDocumentClassifier",
                    "comprehend:describeDominantLanguageDetectionJob",
                    "comprehend:describeEndpoint",
                    "comprehend:describeEntitiesDetectionJob",
                    "comprehend:describeEntityRecognizer",
                    "comprehend:describeEventsDetectionJob",
                    "comprehend:describeFlywheel",
                    "comprehend:describeFlywheelIteration",
                    "comprehend:describeKeyPhrasesDetectionJob",
                    "comprehend:describePiiEntitiesDetectionJob",
                    "comprehend:describeSentimentDetectionJob",
                    "comprehend:describeTargetedSentimentDetectionJob",
                    "comprehend:describeTopicsDetectionJob",
                    "comprehend:listDocumentClassificationJobs",
                    "comprehend:listDocumentClassifiers",
                    "comprehend:listDominantLanguageDetectionJobs",
                    "comprehend:listEndpoints",
                    "comprehend:listEntitiesDetectionJobs",
                    "comprehend:listEntityRecognizers",
                    "comprehend:listEventsDetectionJobs",
                    "comprehend:listFlywheelIterationHistory",
                    "comprehend:listFlywheels",
                    "comprehend:listKeyPhrasesDetectionJobs",
                    "comprehend:listPiiEntitiesDetectionJobs",
                    "comprehend:listSentimentDetectionJobs",
                    "comprehend:listTargetedSentimentDetectionJobs",
                    "comprehend:listTopicsDetectionJobs",
                    "compute-optimizer:getAutoScalingGroupRecommendations",
                    "compute-optimizer:getEBSVolumeRecommendations",
                    "compute-optimizer:getEC2InstanceRecommendations",
                    "compute-optimizer:getEC2RecommendationProjectedMetrics",
                    "compute-optimizer:getECSServiceRecommendationProjectedMetrics",
                    "compute-optimizer:getECSServiceRecommendations",
                    "compute-optimizer:getEnrollmentStatus",
                    "compute-optimizer:getIdleRecommendations",
                    "compute-optimizer:getRDSDatabaseRecommendationProjectedMetrics",
                    "compute-optimizer:getRDSDatabaseRecommendations",
                    "compute-optimizer:getRecommendationSummaries",
                    "config:batchGetAggregateResourceConfig",
                    "config:batchGetResourceConfig",
                    "config:describeAggregateComplianceByConfigRules",
                    "config:describeAggregationAuthorizations",
                    "config:describeComplianceByConfigRule",
                    "config:describeComplianceByResource",
                    "config:describeConfigRuleEvaluationStatus",
                    "config:describeConfigRules",
                    "config:describeConfigurationAggregators",
                    "config:describeConfigurationAggregatorSourcesStatus",
                    "config:describeConfigurationRecorders",
                    "config:describeConfigurationRecorderStatus",
                    "config:describeConformancePackCompliance",
                    "config:describeConformancePacks",
                    "config:describeConformancePackStatus",
                    "config:describeDeliveryChannels",
                    "config:describeDeliveryChannelStatus",
                    "config:describeOrganizationConfigRules",
                    "config:describeOrganizationConfigRuleStatuses",
                    "config:describeOrganizationConformancePacks",
                    "config:describeOrganizationConformancePackStatuses",
                    "config:describePendingAggregationRequests",
                    "config:describeRemediationConfigurations",
                    "config:describeRemediationExceptions",
                    "config:describeRemediationExecutionStatus",
                    "config:describeRetentionConfigurations",
                    "config:getAggregateComplianceDetailsByConfigRule",
                    "config:getAggregateConfigRuleComplianceSummary",
                    "config:getAggregateDiscoveredResourceCounts",
                    "config:getAggregateResourceConfig",
                    "config:getComplianceDetailsByConfigRule",
                    "config:getComplianceDetailsByResource",
                    "config:getComplianceSummaryByConfigRule",
                    "config:getComplianceSummaryByResourceType",
                    "config:getConformancePackComplianceDetails",
                    "config:getConformancePackComplianceSummary",
                    "config:getDiscoveredResourceCounts",
                    "config:getOrganizationConfigRuleDetailedStatus",
                    "config:getOrganizationConformancePackDetailedStatus",
                    "config:getResourceConfigHistory",
                    "config:listAggregateDiscoveredResources",
                    "config:listDiscoveredResources",
                    "config:listTagsForResource",
                    "config:selectAggregateResourceConfig",
                    "config:selectResourceConfig",
                    "connect:batchGetFlowAssociation",
                    "connect:describeContact",
                    "connect:describeContactFlow",
                    "connect:describeInstance",
                    "connect:describeInstanceAttribute",
                    "connect:describePhoneNumber",
                    "connect:describeQueue",
                    "connect:describeQuickConnect",
                    "connect:describeRoutingProfile",
                    "connect:describeUser",
                    "connect:describeUserHierarchyStructure",
                    "connect:getCurrentMetricData",
                    "connect:getMetricData",
                    "connect:getMetricDataV2",
                    "connect:listContactEvaluations",
                    "connect:listEvaluationForms",
                    "connect:listEvaluationFormVersions",
                    "connect:listInstanceAttributes",
                    "connect:listPhoneNumbersV2",
                    "connect:listQueueQuickConnects",
                    "connect:listQueues",
                    "connect:listQuickConnects",
                    "connect:listRoutingProfileQueues",
                    "connect:listRoutingProfiles",
                    "connect:listSecurityProfiles",
                    "connect:listSecurityProfilePermissions",
                    "connect:listUsers",
                    "connect:listViews",
                    "connect:listViewVersions",
                    "connect:searchQueues",
                    "connect:searchRoutingProfiles",
                    "connect:searchUsers",
                    "controltower:describeAccountFactoryConfig",
                    "controltower:describeCoreService",
                    "controltower:describeGuardrail",
                    "controltower:describeGuardrailForTarget",
                    "controltower:describeManagedAccount",
                    "controltower:describeSingleSignOn",
                    "controltower:getAvailableUpdates",
                    "controltower:getHomeRegion",
                    "controltower:getLandingZone",
                    "controltower:getLandingZoneStatus",
                    "controltower:listDirectoryGroups",
                    "controltower:listEnabledControls",
                    "controltower:listGuardrailsForTarget",
                    "controltower:listGuardrailViolations",
                    "controltower:listLandingZones",
                    "controltower:listManagedAccounts",
                    "controltower:listManagedAccountsForGuardrail",
                    "controltower:listManagedAccountsForParent",
                    "controltower:listManagedOrganizationalUnits",
                    "controltower:listManagedOrganizationalUnitsForGuardrail",
                    "cost-optimization-hub:getPreferences",
                    "cost-optimization-hub:getRecommendation",
                    "cost-optimization-hub:listEnrollmentStatuses",
                    "cost-optimization-hub:listRecommendations",
                    "cost-optimization-hub:listRecommendationSummaries",
                    "databrew:describeDataset",
                    "databrew:describeJob",
                    "databrew:describeProject",
                    "databrew:describeRecipe",
                    "databrew:listDatasets",
                    "databrew:listJobRuns",
                    "databrew:listJobs",
                    "databrew:listProjects",
                    "databrew:listRecipes",
                    "databrew:listRecipeVersions",
                    "databrew:listTagsForResource",
                    "datapipeline:describeObjects",
                    "datapipeline:describePipelines",
                    "datapipeline:getPipelineDefinition",
                    "datapipeline:listPipelines",
                    "datapipeline:queryObjects",
                    "datasync:describeAgent",
                    "datasync:describeLocationAzureBlob",
                    "datasync:describeLocationEfs",
                    "datasync:describeLocationFsxLustre",
                    "datasync:describeLocationFsxOntap",
                    "datasync:describeLocationFsxOpenZfs",
                    "datasync:describeLocationFsxWindows",
                    "datasync:describeLocationHdfs",
                    "datasync:describeLocationNfs",
                    "datasync:describeLocationObjectStorage",
                    "datasync:describeLocationS3",
                    "datasync:describeLocationSmb",
                    "datasync:describeTask",
                    "datasync:describeTaskExecution",
                    "datasync:listAgents",
                    "datasync:listLocations",
                    "datasync:listTaskExecutions",
                    "datasync:listTasks",
                    "datazone:getAsset",
                    "datazone:getAssetType",
                    "datazone:getDataSource",
                    "datazone:getDataSourceRun",
                    "datazone:getDomain",
                    "datazone:getEnvironment",
                    "datazone:getEnvironmentBlueprint",
                    "datazone:getEnvironmentBlueprintConfiguration",
                    "datazone:getEnvironmentProfile",
                    "datazone:getFormType",
                    "datazone:getGlossary",
                    "datazone:getGlossaryTerm",
                    "datazone:getGroupProfile",
                    "datazone:getListing",
                    "datazone:getMetadataGenerationRun",
                    "datazone:getProject",
                    "datazone:getSubscription",
                    "datazone:getSubscriptionGrant",
                    "datazone:getSubscriptionRequestDetails",
                    "datazone:getSubscriptionTarget",
                    "datazone:getUserProfile",
                    "datazone:listAssetRevisions",
                    "datazone:listDataSourceRunActivities",
                    "datazone:listDataSourceRuns",
                    "datazone:listDataSources",
                    "datazone:listDomains",
                    "datazone:listEnvironmentBlueprintConfigurations",
                    "datazone:listEnvironmentBlueprints",
                    "datazone:listEnvironmentProfiles",
                    "datazone:listEnvironments",
                    "datazone:listMetadataGenerationRuns",
                    "datazone:listProjectMemberships",
                    "datazone:listProjects",
                    "datazone:listSubscriptionGrants",
                    "datazone:listSubscriptionRequests",
                    "datazone:listSubscriptions",
                    "datazone:listSubscriptionTargets",
                    "datazone:searchGroupProfiles",
                    "datazone:searchUserProfiles",
                    "dax:describeClusters",
                    "dax:describeDefaultParameters",
                    "dax:describeEvents",
                    "dax:describeParameterGroups",
                    "dax:describeParameters",
                    "dax:describeSubnetGroups",
                    "deadline:listAvailableMeteredProducts",
                    "deadline:listBudgets",
                    "deadline:listFarmMembers",
                    "deadline:listFarms",
                    "deadline:listFleetMembers",
                    "deadline:listFleets",
                    "deadline:listJobMembers",
                    "deadline:listJobs",
                    "deadline:listLicenseEndpoints",
                    "deadline:listMeteredProducts",
                    "deadline:listMonitors",
                    "deadline:listQueueEnvironments",
                    "deadline:listQueueFleetAssociations",
                    "deadline:listQueueMembers",
                    "deadline:listQueues",
                    "deadline:listStorageProfiles",
                    "deadline:listWorkers",
                    "detective:getMembers",
                    "detective:listGraphs",
                    "detective:listInvitations",
                    "detective:listMembers",
                    "devicefarm:getAccountSettings",
                    "devicefarm:getDevice",
                    "devicefarm:getDevicePool",
                    "devicefarm:getDevicePoolCompatibility",
                    "devicefarm:getJob",
                    "devicefarm:getProject",
                    "devicefarm:getRemoteAccessSession",
                    "devicefarm:getRun",
                    "devicefarm:getSuite",
                    "devicefarm:getTest",
                    "devicefarm:getTestGridProject",
                    "devicefarm:getTestGridSession",
                    "devicefarm:getUpload",
                    "devicefarm:listArtifacts",
                    "devicefarm:listDevicePools",
                    "devicefarm:listDevices",
                    "devicefarm:listJobs",
                    "devicefarm:listProjects",
                    "devicefarm:listRemoteAccessSessions",
                    "devicefarm:listRuns",
                    "devicefarm:listSamples",
                    "devicefarm:listSuites",
                    "devicefarm:listTestGridProjects",
                    "devicefarm:listTestGridSessionActions",
                    "devicefarm:listTestGridSessionArtifacts",
                    "devicefarm:listTestGridSessions",
                    "devicefarm:listTests",
                    "devicefarm:listUniqueProblems",
                    "devicefarm:listUploads",
                    "directconnect:describeConnectionLoa",
                    "directconnect:describeConnections",
                    "directconnect:describeConnectionsOnInterconnect",
                    "directconnect:describeCustomerMetadata",
                    "directconnect:describeDirectConnectGatewayAssociationProposals",
                    "directconnect:describeDirectConnectGatewayAssociations",
                    "directconnect:describeDirectConnectGatewayAttachments",
                    "directconnect:describeDirectConnectGateways",
                    "directconnect:describeHostedConnections",
                    "directconnect:describeInterconnectLoa",
                    "directconnect:describeInterconnects",
                    "directconnect:describeLags",
                    "directconnect:describeLoa",
                    "directconnect:describeLocations",
                    "directconnect:describeRouterConfiguration",
                    "directconnect:describeVirtualGateways",
                    "directconnect:describeVirtualInterfaces",
                    "directconnect:listVirtualInterfaceTestHistory",
                    "dlm:getLifecyclePolicies",
                    "dlm:getLifecyclePolicy",
                    "dms:describeAccountAttributes",
                    "dms:describeApplicableIndividualAssessments",
                    "dms:describeConnections",
                    "dms:describeEndpoints",
                    "dms:describeEndpointSettings",
                    "dms:describeEndpointTypes",
                    "dms:describeEventCategories",
                    "dms:describeEvents",
                    "dms:describeEventSubscriptions",
                    "dms:describeFleetAdvisorCollectors",
                    "dms:describeFleetAdvisorDatabases",
                    "dms:describeFleetAdvisorLsaAnalysis",
                    "dms:describeFleetAdvisorSchemaObjectSummary",
                    "dms:describeFleetAdvisorSchemas",
                    "dms:describeOrderableReplicationInstances",
                    "dms:describePendingMaintenanceActions",
                    "dms:describeRefreshSchemasStatus",
                    "dms:describeReplicationInstances",
                    "dms:describeReplicationInstanceTaskLogs",
                    "dms:describeReplicationSubnetGroups",
                    "dms:describeReplicationTaskAssessmentResults",
                    "dms:describeReplicationTaskAssessmentRuns",
                    "dms:describeReplicationTaskIndividualAssessments",
                    "dms:describeReplicationTasks",
                    "dms:describeSchemas",
                    "dms:describeTableStatistics",
                    "docdb-elastic:getCluster",
                    "docdb-elastic:getClusterSnapshot",
                    "docdb-elastic:listClusters",
                    "docdb-elastic:listClusterSnapshots",
                    "drs:describeJobLogItems",
                    "drs:describeJobs",
                    "drs:describeLaunchConfigurationTemplates",
                    "drs:describeRecoveryInstances",
                    "drs:describeRecoverySnapshots",
                    "drs:describeReplicationConfigurationTemplates",
                    "drs:describeSourceNetworks",
                    "drs:describeSourceServers",
                    "drs:getLaunchConfiguration",
                    "drs:getReplicationConfiguration",
                    "drs:listExtensibleSourceServers",
                    "drs:listLaunchActions",
                    "drs:listStagingAccounts",
                    "ds:describeClientAuthenticationSettings",
                    "ds:describeConditionalForwarders",
                    "ds:describeDirectories",
                    "ds:describeDomainControllers",
                    "ds:describeEventTopics",
                    "ds:describeHybridADUpdate",
                    "ds:describeLDAPSSettings",
                    "ds:describeSharedDirectories",
                    "ds:describeSnapshots",
                    "ds:describeTrusts",
                    "ds:getDirectoryLimits",
                    "ds:getSnapshotLimits",
                    "ds:listIpRoutes",
                    "ds:listSchemaExtensions",
                    "ds:listTagsForResource",
                    "dsql:getCluster",
                    "dsql:getVpcEndpointServiceName",
                    "dsql:listClusters",
                    "dynamodb:describeBackup",
                    "dynamodb:describeContinuousBackups",
                    "dynamodb:describeContributorInsights",
                    "dynamodb:describeExport",
                    "dynamodb:describeGlobalTable",
                    "dynamodb:describeGlobalTableSettings",
                    "dynamodb:describeImport",
                    "dynamodb:describeKinesisStreamingDestination",
                    "dynamodb:describeLimits",
                    "dynamodb:describeStream",
                    "dynamodb:describeTable",
                    "dynamodb:describeTableReplicaAutoScaling",
                    "dynamodb:describeTimeToLive",
                    "dynamodb:getResourcePolicy",
                    "dynamodb:listBackups",
                    "dynamodb:listContributorInsights",
                    "dynamodb:listExports",
                    "dynamodb:listGlobalTables",
                    "dynamodb:listImports",
                    "dynamodb:listStreams",
                    "dynamodb:listTables",
                    "dynamodb:listTagsOfResource",
                    "ebs:listChangedBlocks",
                    "ebs:listSnapshotBlocks",
                    "ec2:describeAccountAttributes",
                    "ec2:describeAddresses",
                    "ec2:describeAddressesAttribute",
                    "ec2:describeAddressTransfers",
                    "ec2:describeAggregateIdFormat",
                    "ec2:describeAvailabilityZones",
                    "ec2:describeBundleTasks",
                    "ec2:describeByoipCidrs",
                    "ec2:describeCapacityBlockOfferings",
                    "ec2:describeCapacityManagerDataExports",
                    "ec2:describeCapacityReservationFleets",
                    "ec2:describeCapacityReservations",
                    "ec2:describeCarrierGateways",
                    "ec2:describeClassicLinkInstances",
                    "ec2:describeClientVpnAuthorizationRules",
                    "ec2:describeClientVpnConnections",
                    "ec2:describeClientVpnEndpoints",
                    "ec2:describeClientVpnRoutes",
                    "ec2:describeClientVpnTargetNetworks",
                    "ec2:describeCoipPools",
                    "ec2:describeConversionTasks",
                    "ec2:describeCustomerGateways",
                    "ec2:describeDhcpOptions",
                    "ec2:describeEgressOnlyInternetGateways",
                    "ec2:describeExportImageTasks",
                    "ec2:describeExportTasks",
                    "ec2:describeFastLaunchImages",
                    "ec2:describeFastSnapshotRestores",
                    "ec2:describeFleetHistory",
                    "ec2:describeFleetInstances",
                    "ec2:describeFleets",
                    "ec2:describeFlowLogs",
                    "ec2:describeFpgaImageAttribute",
                    "ec2:describeFpgaImages",
                    "ec2:describeHostReservationOfferings",
                    "ec2:describeHostReservations",
                    "ec2:describeHosts",
                    "ec2:describeIamInstanceProfileAssociations",
                    "ec2:describeIdentityIdFormat",
                    "ec2:describeIdFormat",
                    "ec2:describeImageAttribute",
                    "ec2:describeImages",
                    "ec2:describeImportImageTasks",
                    "ec2:describeImportSnapshotTasks",
                    "ec2:describeInstanceAttribute",
                    "ec2:describeInstanceConnectEndpoints",
                    "ec2:describeInstanceCreditSpecifications",
                    "ec2:describeInstanceEventNotificationAttributes",
                    "ec2:describeInstanceEventWindows",
                    "ec2:describeInstances",
                    "ec2:describeInstanceStatus",
                    "ec2:describeInstanceTypeOfferings",
                    "ec2:describeInstanceTypes",
                    "ec2:describeInternetGateways",
                    "ec2:describeIpamByoasn",
                    "ec2:describeIpamExternalResourceVerificationTokens",
                    "ec2:describeIpamPools",
                    "ec2:describeIpamResourceDiscoveries",
                    "ec2:describeIpamResourceDiscoveryAssociations",
                    "ec2:describeIpams",
                    "ec2:describeIpamScopes",
                    "ec2:describeIpv6Pools",
                    "ec2:describeKeyPairs",
                    "ec2:describeLaunchTemplates",
                    "ec2:describeLaunchTemplateVersions",
                    "ec2:describeLocalGatewayRouteTables",
                    "ec2:describeLocalGatewayRouteTableVirtualInterfaceGroupAssociations",
                    "ec2:describeLocalGatewayRouteTableVpcAssociations",
                    "ec2:describeLocalGateways",
                    "ec2:describeLocalGatewayVirtualInterfaceGroups",
                    "ec2:describeLocalGatewayVirtualInterfaces",
                    "ec2:describeManagedPrefixLists",
                    "ec2:describeMovingAddresses",
                    "ec2:describeNatGateways",
                    "ec2:describeNetworkAcls",
                    "ec2:describeNetworkInsightsAccessScopeAnalyses",
                    "ec2:describeNetworkInsightsAccessScopes",
                    "ec2:describeNetworkInsightsAnalyses",
                    "ec2:describeNetworkInsightsPaths",
                    "ec2:describeNetworkInterfaceAttribute",
                    "ec2:describeNetworkInterfaces",
                    "ec2:describeOutpostLags",
                    "ec2:describePlacementGroups",
                    "ec2:describePrefixLists",
                    "ec2:describePrincipalIdFormat",
                    "ec2:describePublicIpv4Pools",
                    "ec2:describeRegions",
                    "ec2:describeReplaceRootVolumeTasks",
                    "ec2:describeReservedInstances",
                    "ec2:describeReservedInstancesListings",
                    "ec2:describeReservedInstancesModifications",
                    "ec2:describeReservedInstancesOfferings",
                    "ec2:describeRouteServerEndpoints",
                    "ec2:describeRouteServerPeers",
                    "ec2:describeRouteServers",
                    "ec2:describeRouteTables",
                    "ec2:describeScheduledInstanceAvailability",
                    "ec2:describeScheduledInstances",
                    "ec2:describeSecurityGroupReferences",
                    "ec2:describeSecurityGroupRules",
                    "ec2:describeSecurityGroups",
                    "ec2:describeServiceLinkVirtualInterfaces",
                    "ec2:describeSnapshotAttribute",
                    "ec2:describeSnapshots",
                    "ec2:describeSnapshotTierStatus",
                    "ec2:describeSpotDatafeedSubscription",
                    "ec2:describeSpotFleetInstances",
                    "ec2:describeSpotFleetRequestHistory",
                    "ec2:describeSpotFleetRequests",
                    "ec2:describeSpotInstanceRequests",
                    "ec2:describeSpotPriceHistory",
                    "ec2:describeStaleSecurityGroups",
                    "ec2:describeStoreImageTasks",
                    "ec2:describeSubnets",
                    "ec2:describeTags",
                    "ec2:describeTrafficMirrorFilterRules",
                    "ec2:describeTrafficMirrorFilters",
                    "ec2:describeTrafficMirrorSessions",
                    "ec2:describeTrafficMirrorTargets",
                    "ec2:describeTransitGatewayAttachments",
                    "ec2:describeTransitGatewayConnectPeers",
                    "ec2:describeTransitGatewayMulticastDomains",
                    "ec2:describeTransitGatewayPeeringAttachments",
                    "ec2:describeTransitGatewayPolicyTables",
                    "ec2:describeTransitGatewayRouteTableAnnouncements",
                    "ec2:describeTransitGatewayRouteTables",
                    "ec2:describeTransitGateways",
                    "ec2:describeTransitGatewayVpcAttachments",
                    "ec2:describeVerifiedAccessEndpoints",
                    "ec2:describeVerifiedAccessGroups",
                    "ec2:describeVerifiedAccessInstanceLoggingConfigurations",
                    "ec2:describeVerifiedAccessInstances",
                    "ec2:describeVerifiedAccessTrustProviders",
                    "ec2:describeVolumeAttribute",
                    "ec2:describeVolumes",
                    "ec2:describeVolumesModifications",
                    "ec2:describeVolumeStatus",
                    "ec2:describeVpcAttribute",
                    "ec2:describeVpcBlockPublicAccessExclusions",
                    "ec2:describeVpcBlockPublicAccessOptions",
                    "ec2:describeVpcClassicLink",
                    "ec2:describeVpcClassicLinkDnsSupport",
                    "ec2:describeVpcEndpointAssociations",
                    "ec2:describeVpcEndpointConnectionNotifications",
                    "ec2:describeVpcEndpointConnections",
                    "ec2:describeVpcEndpoints",
                    "ec2:describeVpcEndpointServiceConfigurations",
                    "ec2:describeVpcEndpointServicePermissions",
                    "ec2:describeVpcEndpointServices",
                    "ec2:describeVpcPeeringConnections",
                    "ec2:describeVpcs",
                    "ec2:describeVpnConnections",
                    "ec2:describeVpnGateways",
                    "ec2:getAssociatedEnclaveCertificateIamRoles",
                    "ec2:getAssociatedIpv6PoolCidrs",
                    "ec2:getCapacityManagerAttributes",
                    "ec2:getCapacityManagerMetricData",
                    "ec2:getCapacityManagerMetricDimensions",
                    "ec2:getCapacityReservationUsage",
                    "ec2:getCoipPoolUsage",
                    "ec2:getConsoleOutput",
                    "ec2:getConsoleScreenshot",
                    "ec2:getDefaultCreditSpecification",
                    "ec2:getEbsDefaultKmsKeyId",
                    "ec2:getEbsEncryptionByDefault",
                    "ec2:getGroupsForCapacityReservation",
                    "ec2:getHostReservationPurchasePreview",
                    "ec2:getImageBlockPublicAccessState",
                    "ec2:getInstanceTypesFromInstanceRequirements",
                    "ec2:getIpamAddressHistory",
                    "ec2:getIpamDiscoveredAccounts",
                    "ec2:getIpamDiscoveredPublicAddresses",
                    "ec2:getIpamDiscoveredResourceCidrs",
                    "ec2:getIpamPoolAllocations",
                    "ec2:getIpamPoolCidrs",
                    "ec2:getIpamResourceCidrs",
                    "ec2:getLaunchTemplateData",
                    "ec2:getManagedPrefixListAssociations",
                    "ec2:getManagedPrefixListEntries",
                    "ec2:getNetworkInsightsAccessScopeContent",
                    "ec2:getReservedInstancesExchangeQuote",
                    "ec2:getRouteServerAssociations",
                    "ec2:getRouteServerPropagations",
                    "ec2:getRouteServerRoutingDatabase",
                    "ec2:getSerialConsoleAccessStatus",
                    "ec2:getSpotPlacementScores",
                    "ec2:getSubnetCidrReservations",
                    "ec2:getTransitGatewayMulticastDomainAssociations",
                    "ec2:getTransitGatewayPrefixListReferences",
                    "ec2:getVerifiedAccessEndpointPolicy",
                    "ec2:getVerifiedAccessGroupPolicy",
                    "ec2:listImagesInRecycleBin",
                    "ec2:listSnapshotsInRecycleBin",
                    "ec2:searchLocalGatewayRoutes",
                    "ec2:searchTransitGatewayMulticastGroups",
                    "ec2:searchTransitGatewayRoutes",
                    "ecr-public:describeImages",
                    "ecr-public:describeImageTags",
                    "ecr-public:describeRegistries",
                    "ecr-public:describeRepositories",
                    "ecr-public:getRegistryCatalogData",
                    "ecr-public:getRepositoryCatalogData",
                    "ecr-public:getRepositoryPolicy",
                    "ecr-public:listTagsForResource",
                    "ecr:batchCheckLayerAvailability",
                    "ecr:batchGetRepositoryScanningConfiguration",
                    "ecr:describeImageReplicationStatus",
                    "ecr:describeImages",
                    "ecr:describeImageScanFindings",
                    "ecr:describePullThroughCacheRules",
                    "ecr:describeRegistry",
                    "ecr:describeRepositories",
                    "ecr:getLifecyclePolicy",
                    "ecr:getLifecyclePolicyPreview",
                    "ecr:getRegistryPolicy",
                    "ecr:getRegistryScanningConfiguration",
                    "ecr:getRepositoryPolicy",
                    "ecr:listImages",
                    "ecr:listTagsForResource",
                    "ecs:describeCapacityProviders",
                    "ecs:describeClusters",
                    "ecs:describeContainerInstances",
                    "ecs:describeServiceDeployments",
                    "ecs:describeServiceRevisions",
                    "ecs:describeServices",
                    "ecs:describeTaskDefinition",
                    "ecs:describeTasks",
                    "ecs:describeTaskSets",
                    "ecs:getTaskProtection",
                    "ecs:listAccountSettings",
                    "ecs:listAttributes",
                    "ecs:listClusters",
                    "ecs:listContainerInstances",
                    "ecs:listServiceDeployments",
                    "ecs:listServices",
                    "ecs:listServicesByNamespace",
                    "ecs:listTagsForResource",
                    "ecs:listTaskDefinitionFamilies",
                    "ecs:listTaskDefinitions",
                    "ecs:listTasks"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "*"
                  ]
                },
                {
                  "Sid": "AWSSupportActionsGroup2",
                  "Action": [
                    "eks:describeAccessEntry",
                    "eks:describeAddon",
                    "eks:describeAddonConfiguration",
                    "eks:describeAddonVersions",
                    "eks:describeCluster",
                    "eks:describeClusterVersions",
                    "eks:describeEksAnywhereSubscription",
                    "eks:describeFargateProfile",
                    "eks:describeIdentityProviderConfig",
                    "eks:describeInsight",
                    "eks:describeNodegroup",
                    "eks:describePodIdentityAssociation",
                    "eks:describeUpdate",
                    "eks:listAccessEntries",
                    "eks:listAccessPolicies",
                    "eks:listAddons",
                    "eks:listAssociatedAccessPolicies",
                    "eks:listClusters",
                    "eks:listEksAnywhereSubscriptions",
                    "eks:listFargateProfiles",
                    "eks:listIdentityProviderConfigs",
                    "eks:listInsights",
                    "eks:listNodegroups",
                    "eks:listPodIdentityAssociations",
                    "eks:listUpdates",
                    "elasticache:describeCacheClusters",
                    "elasticache:describeCacheEngineVersions",
                    "elasticache:describeCacheParameterGroups",
                    "elasticache:describeCacheParameters",
                    "elasticache:describeCacheSecurityGroups",
                    "elasticache:describeCacheSubnetGroups",
                    "elasticache:describeEngineDefaultParameters",
                    "elasticache:describeEvents",
                    "elasticache:describeGlobalReplicationGroups",
                    "elasticache:describeReplicationGroups",
                    "elasticache:describeReservedCacheNodes",
                    "elasticache:describeReservedCacheNodesOfferings",
                    "elasticache:describeServerlessCaches",
                    "elasticache:describeServerlessCacheSnapshots",
                    "elasticache:describeServiceUpdates",
                    "elasticache:describeSnapshots",
                    "elasticache:describeUpdateActions",
                    "elasticache:describeUserGroups",
                    "elasticache:describeUsers",
                    "elasticache:listAllowedNodeTypeModifications",
                    "elasticache:listTagsForResource",
                    "elasticbeanstalk:checkDNSAvailability",
                    "elasticbeanstalk:describeAccountAttributes",
                    "elasticbeanstalk:describeApplications",
                    "elasticbeanstalk:describeApplicationVersions",
                    "elasticbeanstalk:describeConfigurationOptions",
                    "elasticbeanstalk:describeEnvironmentHealth",
                    "elasticbeanstalk:describeEnvironmentManagedActionHistory",
                    "elasticbeanstalk:describeEnvironmentManagedActions",
                    "elasticbeanstalk:describeEnvironmentResources",
                    "elasticbeanstalk:describeEnvironments",
                    "elasticbeanstalk:describeEvents",
                    "elasticbeanstalk:describeInstancesHealth",
                    "elasticbeanstalk:describePlatformVersion",
                    "elasticbeanstalk:listAvailableSolutionStacks",
                    "elasticbeanstalk:listPlatformBranches",
                    "elasticbeanstalk:listPlatformVersions",
                    "elasticbeanstalk:describeConfigurationSettings",
                    "elasticbeanstalk:validateConfigurationSettings",
                    "elasticfilesystem:describeAccessPoints",
                    "elasticfilesystem:describeBackupPolicy",
                    "elasticfilesystem:describeFileSystemPolicy",
                    "elasticfilesystem:describeFileSystems",
                    "elasticfilesystem:describeLifecycleConfiguration",
                    "elasticfilesystem:describeMountTargets",
                    "elasticfilesystem:describeMountTargetSecurityGroups",
                    "elasticfilesystem:describeReplicationConfigurations",
                    "elasticfilesystem:describeTags",
                    "elasticfilesystem:listTagsForResource",
                    "elasticloadbalancing:describeAccountLimits",
                    "elasticloadbalancing:describeInstanceHealth",
                    "elasticloadbalancing:describeListenerCertificates",
                    "elasticloadbalancing:describeListeners",
                    "elasticloadbalancing:describeLoadBalancerAttributes",
                    "elasticloadbalancing:describeLoadBalancerPolicies",
                    "elasticloadbalancing:describeLoadBalancerPolicyTypes",
                    "elasticloadbalancing:describeLoadBalancers",
                    "elasticloadbalancing:describeRules",
                    "elasticloadbalancing:describeSSLPolicies",
                    "elasticloadbalancing:describeTags",
                    "elasticloadbalancing:describeTargetGroupAttributes",
                    "elasticloadbalancing:describeTargetGroups",
                    "elasticloadbalancing:describeTargetHealth",
                    "elasticloadbalancing:describeTrustStoreAssociations",
                    "elasticloadbalancing:describeTrustStoreRevocations",
                    "elasticloadbalancing:describeTrustStores",
                    "elasticmapreduce:describeCluster",
                    "elasticmapreduce:describeNotebookExecution",
                    "elasticmapreduce:describePersistentAppUI",
                    "elasticmapreduce:describeReleaseLabel",
                    "elasticmapreduce:describeSecurityConfiguration",
                    "elasticmapreduce:describeStep",
                    "elasticmapreduce:describeStudio",
                    "elasticmapreduce:getAutoTerminationPolicy",
                    "elasticmapreduce:getBlockPublicAccessConfiguration",
                    "elasticmapreduce:getManagedScalingPolicy",
                    "elasticmapreduce:getStudioSessionMapping",
                    "elasticmapreduce:listBootstrapActions",
                    "elasticmapreduce:listClusters",
                    "elasticmapreduce:listInstanceFleets",
                    "elasticmapreduce:listInstanceGroups",
                    "elasticmapreduce:listInstances",
                    "elasticmapreduce:listNotebookExecutions",
                    "elasticmapreduce:listReleaseLabels",
                    "elasticmapreduce:listSecurityConfigurations",
                    "elasticmapreduce:listSteps",
                    "elasticmapreduce:listStudios",
                    "elasticmapreduce:listStudioSessionMappings",
                    "elasticmapreduce:listSupportedInstanceTypes",
                    "elastictranscoder:listJobsByPipeline",
                    "elastictranscoder:listJobsByStatus",
                    "elastictranscoder:listPipelines",
                    "elastictranscoder:listPresets",
                    "elastictranscoder:readPipeline",
                    "elastictranscoder:readPreset",
                    "emr-containers:describeJobRun",
                    "emr-containers:describeJobTemplate",
                    "emr-containers:describeManagedEndpoint",
                    "emr-containers:describeVirtualCluster",
                    "emr-containers:listJobRuns",
                    "emr-containers:listJobTemplates",
                    "emr-containers:listManagedEndpoints",
                    "emr-containers:listVirtualClusters",
                    "emr-serverless:getApplication",
                    "emr-serverless:getJobRun",
                    "emr-serverless:listApplications",
                    "es:describeDomain",
                    "es:describeDomainAutoTunes",
                    "es:describeDomainChangeProgress",
                    "es:describeDomainConfig",
                    "es:describeDomainHealth",
                    "es:describeDomainNodes",
                    "es:describeDomains",
                    "es:describeDryRunProgress",
                    "es:describeElasticsearchDomain",
                    "es:describeElasticsearchDomainConfig",
                    "es:describeElasticsearchDomains",
                    "es:getDomainMaintenanceStatus",
                    "es:describeInboundConnections",
                    "es:describeInstanceTypeLimits",
                    "es:describeOutboundConnections",
                    "es:describePackages",
                    "es:describeReservedInstanceOfferings",
                    "es:describeReservedInstances",
                    "es:describeVpcEndpoints",
                    "es:getCompatibleVersions",
                    "es:getPackageVersionHistory",
                    "es:getUpgradeHistory",
                    "es:getUpgradeStatus",
                    "es:listDomainMaintenances",
                    "es:listDomainNames",
                    "es:listDomainsForPackage",
                    "es:listInstanceTypeDetails",
                    "es:listPackagesForDomain",
                    "es:listScheduledActions",
                    "es:listTags",
                    "es:listVersions",
                    "es:listVpcEndpointAccess",
                    "es:listVpcEndpoints",
                    "es:listVpcEndpointsForDomain",
                    "events:describeApiDestination",
                    "events:describeArchive",
                    "events:describeConnection",
                    "events:describeEndpoint",
                    "events:describeEventBus",
                    "events:describeEventSource",
                    "events:describePartnerEventSource",
                    "events:describeReplay",
                    "events:describeRule",
                    "events:listApiDestinations",
                    "events:listArchives",
                    "events:listConnections",
                    "events:listEndpoints",
                    "events:listEventBuses",
                    "events:listEventSources",
                    "events:listPartnerEventSourceAccounts",
                    "events:listPartnerEventSources",
                    "events:listReplays",
                    "events:listRuleNamesByTarget",
                    "events:listRules",
                    "events:listTargetsByRule",
                    "events:testEventPattern",
                    "evidently:getExperiment",
                    "evidently:getFeature",
                    "evidently:getLaunch",
                    "evidently:getProject",
                    "evidently:getSegment",
                    "evidently:listExperiments",
                    "evidently:listFeatures",
                    "evidently:listLaunches",
                    "evidently:listProjects",
                    "evidently:listSegmentReferences",
                    "evidently:listSegments",
                    "firehose:describeDeliveryStream",
                    "firehose:listDeliveryStreams",
                    "fis:getAction",
                    "fis:getExperiment",
                    "fis:getExperimentTargetAccountConfiguration",
                    "fis:getExperimentTemplate",
                    "fis:getSafetyLever",
                    "fis:getTargetAccountConfiguration",
                    "fis:listActions",
                    "fis:listExperimentResolvedTargets",
                    "fis:listExperimentTargetAccountConfigurations",
                    "fis:listExperiments",
                    "fis:listExperimentTemplates",
                    "fis:listTargetAccountConfigurations",
                    "fms:getAdminAccount",
                    "fms:getAdminScope",
                    "fms:getAppsList",
                    "fms:getComplianceDetail",
                    "fms:getNotificationChannel",
                    "fms:getProtocolsList",
                    "fms:getPolicy",
                    "fms:getProtectionStatus",
                    "fms:getResourceSet",
                    "fms:getThirdPartyFirewallAssociationStatus",
                    "fms:getViolationDetails",
                    "fms:listAdminAccountsForOrganization",
                    "fms:listAdminsManagingAccount",
                    "fms:listAppsLists",
                    "fms:listComplianceStatus",
                    "fms:listDiscoveredResources",
                    "fms:listMemberAccounts",
                    "fms:listProtocolsLists",
                    "fms:listPolicies",
                    "fms:listResourceSetResources",
                    "fms:listResourceSets",
                    "fms:listThirdPartyFirewallFirewallPolicies",
                    "forecast:describeDataset",
                    "forecast:describeDatasetGroup",
                    "forecast:describeDatasetImportJob",
                    "forecast:describeForecast",
                    "forecast:describeForecastExportJob",
                    "forecast:describePredictor",
                    "forecast:getAccuracyMetrics",
                    "forecast:listDatasetGroups",
                    "forecast:listDatasetImportJobs",
                    "forecast:listDatasets",
                    "forecast:listForecastExportJobs",
                    "forecast:listForecasts",
                    "forecast:listPredictors",
                    "freetier:getFreeTierUsage",
                    "fsx:describeBackups",
                    "fsx:describeDataRepositoryAssociations",
                    "fsx:describeDataRepositoryTasks",
                    "fsx:describeFileCaches",
                    "fsx:describeFileSystems",
                    "fsx:describeS3AccessPointAttachments",
                    "fsx:describeSnapshots",
                    "fsx:describeStorageVirtualMachines",
                    "fsx:describeVolumes",
                    "fsx:listTagsForResource",
                    "gamelift:describeAlias",
                    "gamelift:describeBuild",
                    "gamelift:describeEC2InstanceLimits",
                    "gamelift:describeFleetAttributes",
                    "gamelift:describeFleetCapacity",
                    "gamelift:describeFleetEvents",
                    "gamelift:describeFleetLocationAttributes",
                    "gamelift:describeFleetLocationCapacity",
                    "gamelift:describeFleetLocationUtilization",
                    "gamelift:describeFleetPortSettings",
                    "gamelift:describeFleetUtilization",
                    "gamelift:describeGameServer",
                    "gamelift:describeGameServerGroup",
                    "gamelift:describeGameSessionDetails",
                    "gamelift:describeGameSessionPlacement",
                    "gamelift:describeGameSessionQueues",
                    "gamelift:describeGameSessions",
                    "gamelift:describeInstances",
                    "gamelift:describeMatchmaking",
                    "gamelift:describeMatchmakingConfigurations",
                    "gamelift:describeMatchmakingRuleSets",
                    "gamelift:describePlayerSessions",
                    "gamelift:describeRuntimeConfiguration",
                    "gamelift:describeScalingPolicies",
                    "gamelift:describeScript",
                    "gamelift:listAliases",
                    "gamelift:listBuilds",
                    "gamelift:listFleets",
                    "gamelift:listGameServerGroups",
                    "gamelift:listGameServers",
                    "gamelift:listScripts",
                    "gamelift:resolveAlias",
                    "geo:calculateRoute",
                    "geo:calculateRouteMatrix",
                    "geo:describeMap",
                    "geo:describePlaceIndex",
                    "geo:describeRouteCalculator",
                    "geo:describeTracker",
                    "geo:getMapGlyphs",
                    "geo:getMapSprites",
                    "geo:getMapStyleDescriptor",
                    "geo:getMapTile",
                    "geo:getPlace",
                    "geo:listGeofenceCollections",
                    "geo:listMaps",
                    "geo:listPlaceIndexes",
                    "geo:listRouteCalculators",
                    "geo:listTrackerConsumers",
                    "geo:searchPlaceIndexForPosition",
                    "geo:searchPlaceIndexForSuggestions",
                    "geo:searchPlaceIndexForText",
                    "geo-maps:getStaticMap",
                    "geo-maps:getTile",
                    "geo-places:autocomplete",
                    "geo-places:geocode",
                    "geo-places:getPlace",
                    "geo-places:reverseGeocode",
                    "geo-places:searchNearby",
                    "geo-places:searchText",
                    "geo-places:suggest",
                    "geo-routes:calculateIsolines",
                    "geo-routes:calculateRouteMatrix",
                    "geo-routes:calculateRoutes",
                    "geo-routes:optimizeWaypoints",
                    "geo-routes:snapToRoads",
                    "glacier:describeJob",
                    "glacier:describeVault",
                    "glacier:getDataRetrievalPolicy",
                    "glacier:getVaultAccessPolicy",
                    "glacier:getVaultLock",
                    "glacier:getVaultNotifications",
                    "glacier:listJobs",
                    "glacier:listTagsForVault",
                    "glacier:listVaults",
                    "globalaccelerator:describeAccelerator",
                    "globalaccelerator:describeAcceleratorAttributes",
                    "globalaccelerator:describeCrossAccountAttachment",
                    "globalaccelerator:describeCustomRoutingAccelerator",
                    "globalaccelerator:describeCustomRoutingAcceleratorAttributes",
                    "globalaccelerator:describeCustomRoutingEndpointGroup",
                    "globalaccelerator:describeCustomRoutingListener",
                    "globalaccelerator:describeEndpointGroup",
                    "globalaccelerator:describeListener",
                    "globalaccelerator:listAccelerators",
                    "globalaccelerator:listByoipCidrs",
                    "globalaccelerator:listCrossAccountAttachments",
                    "globalaccelerator:listCrossAccountResourceAccounts",
                    "globalaccelerator:listCrossAccountResources",
                    "globalaccelerator:listCustomRoutingAccelerators",
                    "globalaccelerator:listCustomRoutingEndpointGroups",
                    "globalaccelerator:listCustomRoutingListeners",
                    "globalaccelerator:listCustomRoutingPortMappings",
                    "globalaccelerator:listCustomRoutingPortMappingsByDestination",
                    "globalaccelerator:listEndpointGroups",
                    "globalaccelerator:listListeners",
                    "glue:batchGetBlueprints",
                    "glue:batchGetCrawlers",
                    "glue:batchGetDevEndpoints",
                    "glue:batchGetJobs",
                    "glue:batchGetPartition",
                    "glue:batchGetTriggers",
                    "glue:batchGetWorkflows",
                    "glue:checkSchemaVersionValidity",
                    "glue:batchGetTableOptimizer",
                    "glue:getBlueprint",
                    "glue:getBlueprintRun",
                    "glue:getBlueprintRuns",
                    "glue:getCatalog",
                    "glue:getCatalogImportStatus",
                    "glue:getCatalogs",
                    "glue:getClassifier",
                    "glue:getClassifiers",
                    "glue:getColumnStatisticsForPartition",
                    "glue:getColumnStatisticsForTable",
                    "glue:getColumnStatisticsTaskRun",
                    "glue:getColumnStatisticsTaskRuns",
                    "glue:getCompletion",
                    "glue:getCrawler",
                    "glue:getCrawlerMetrics",
                    "glue:getCrawlers",
                    "glue:getCustomEntityType",
                    "glue:getDatabase",
                    "glue:getDatabases",
                    "glue:getDataCatalogEncryptionSettings",
                    "glue:getDataflowGraph",
                    "glue:getDataQualityResult",
                    "glue:getDataQualityRuleRecommendationRun",
                    "glue:getDataQualityRuleset",
                    "glue:getDataQualityRulesetEvaluationRun",
                    "glue:getDevEndpoint",
                    "glue:getDevEndpoints",
                    "glue:getJob",
                    "glue:getJobBookmark",
                    "glue:getJobRun",
                    "glue:getJobRuns",
                    "glue:getJobs",
                    "glue:getMapping",
                    "glue:getMLTaskRun",
                    "glue:getMLTaskRuns",
                    "glue:getMLTransform",
                    "glue:getMLTransforms",
                    "glue:getPartition",
                    "glue:getPartitionIndexes",
                    "glue:getPartitions",
                    "glue:getRegistry",
                    "glue:getResourcePolicies",
                    "glue:getResourcePolicy",
                    "glue:getSchema",
                    "glue:getSchemaByDefinition",
                    "glue:getSchemaVersion",
                    "glue:getSchemaVersionsDiff",
                    "glue:getSecurityConfiguration",
                    "glue:getSecurityConfigurations",
                    "glue:getSession",
                    "glue:getStatement",
                    "glue:getTable",
                    "glue:getTableOptimizer",
                    "glue:getTableVersion",
                    "glue:getTables",
                    "glue:getTableVersions",
                    "glue:getTrigger",
                    "glue:getTriggers",
                    "glue:getUserDefinedFunction",
                    "glue:getUserDefinedFunctions",
                    "glue:getWorkflow",
                    "glue:getWorkflowRun",
                    "glue:getWorkflowRuns",
                    "glue:listColumnStatisticsTaskRuns",
                    "glue:listCrawlers",
                    "glue:listCrawls",
                    "glue:listDataQualityResults",
                    "glue:listDataQualityRuleRecommendationRuns",
                    "glue:listDataQualityRulesetEvaluationRuns",
                    "glue:listDataQualityRulesets",
                    "glue:listDevEndpoints",
                    "glue:listMLTransforms",
                    "glue:listRegistries",
                    "glue:listSchemas",
                    "glue:listSchemaVersions",
                    "glue:listSessions",
                    "glue:listStatements",
                    "glue:listTableOptimizerRuns",
                    "glue:listTriggers",
                    "glue:querySchemaVersionMetadata",
                    "glue:startCompletion",
                    "grafana:describeWorkspace",
                    "grafana:describeWorkspaceAuthentication",
                    "grafana:listPermissions",
                    "grafana:listVersions",
                    "grafana:listWorkspaces",
                    "greengrass:describeComponent",
                    "greengrass:getComponent",
                    "greengrass:getConnectivityInfo",
                    "greengrass:getCoreDefinition",
                    "greengrass:getCoreDefinitionVersion",
                    "greengrass:getCoreDevice",
                    "greengrass:getDeployment",
                    "greengrass:getDeploymentStatus",
                    "greengrass:getDeviceDefinition",
                    "greengrass:getDeviceDefinitionVersion",
                    "greengrass:getFunctionDefinition",
                    "greengrass:getFunctionDefinitionVersion",
                    "greengrass:getGroup",
                    "greengrass:getGroupCertificateAuthority",
                    "greengrass:getGroupVersion",
                    "greengrass:getLoggerDefinition",
                    "greengrass:getLoggerDefinitionVersion",
                    "greengrass:getResourceDefinitionVersion",
                    "greengrass:getServiceRoleForAccount",
                    "greengrass:getSubscriptionDefinition",
                    "greengrass:getSubscriptionDefinitionVersion",
                    "greengrass:listClientDevicesAssociatedWithCoreDevice",
                    "greengrass:listComponents",
                    "greengrass:listComponentVersions",
                    "greengrass:listCoreDefinitions",
                    "greengrass:listCoreDefinitionVersions",
                    "greengrass:listCoreDevices",
                    "greengrass:listDeployments",
                    "greengrass:listEffectiveDeployments",
                    "greengrass:listInstalledComponents",
                    "greengrass:listDeviceDefinitions",
                    "greengrass:listDeviceDefinitionVersions",
                    "greengrass:listFunctionDefinitions",
                    "greengrass:listFunctionDefinitionVersions",
                    "greengrass:listGroups",
                    "greengrass:listGroupVersions",
                    "greengrass:listLoggerDefinitions",
                    "greengrass:listLoggerDefinitionVersions",
                    "greengrass:listResourceDefinitions",
                    "greengrass:listResourceDefinitionVersions",
                    "greengrass:listSubscriptionDefinitions",
                    "greengrass:listSubscriptionDefinitionVersions",
                    "guardduty:describeMalwareScans",
                    "guardduty:describePublishingDestination",
                    "guardduty:getCoverageStatistics",
                    "guardduty:getDetector",
                    "guardduty:getFilter",
                    "guardduty:getFindings",
                    "guardduty:getFindingsStatistics",
                    "guardduty:getInvitationsCount",
                    "guardduty:getIPSet",
                    "guardduty:getMalwareScanSettings",
                    "guardduty:getMasterAccount",
                    "guardduty:getMemberDetectors",
                    "guardduty:getMembers",
                    "guardduty:getOrganizationStatistics",
                    "guardduty:getRemainingFreeTrialDays",
                    "guardduty:getThreatIntelSet",
                    "guardduty:listCoverage",
                    "guardduty:listDetectors",
                    "guardduty:listFilters",
                    "guardduty:listFindings",
                    "guardduty:listInvitations",
                    "guardduty:listIPSets",
                    "guardduty:listMembers",
                    "guardduty:listThreatIntelSets",
                    "health:describeAffectedAccountsForOrganization",
                    "health:describeAffectedEntities",
                    "health:describeAffectedEntitiesForOrganization",
                    "health:describeEntityAggregates",
                    "health:describeEntityAggregatesForOrganization",
                    "health:describeEventAggregates",
                    "health:describeEventDetails",
                    "health:describeEventDetailsForOrganization",
                    "health:describeEvents",
                    "health:describeEventsForOrganization",
                    "health:describeEventTypes",
                    "health:describeHealthServiceStatusForOrganization",
                    "iam:getAccessKeyLastUsed",
                    "iam:getAccountAuthorizationDetails",
                    "iam:getAccountPasswordPolicy",
                    "iam:getAccountSummary",
                    "iam:getContextKeysForCustomPolicy",
                    "iam:getContextKeysForPrincipalPolicy",
                    "iam:getCredentialReport",
                    "iam:getGroup",
                    "iam:getGroupPolicy",
                    "iam:getInstanceProfile",
                    "iam:getLoginProfile",
                    "iam:getMFADevice",
                    "iam:getOpenIDConnectProvider",
                    "iam:getPolicy",
                    "iam:getPolicyVersion",
                    "iam:getRole",
                    "iam:getRolePolicy",
                    "iam:getSAMLProvider",
                    "iam:getServerCertificate",
                    "iam:getServiceLinkedRoleDeletionStatus",
                    "iam:getSSHPublicKey",
                    "iam:getUser",
                    "iam:getUserPolicy",
                    "iam:listAccessKeys",
                    "iam:listAccountAliases",
                    "iam:listAttachedGroupPolicies",
                    "iam:listAttachedRolePolicies",
                    "iam:listAttachedUserPolicies",
                    "iam:listEntitiesForPolicy",
                    "iam:listGroupPolicies",
                    "iam:listGroups",
                    "iam:listGroupsForUser",
                    "iam:listInstanceProfiles",
                    "iam:listInstanceProfilesForRole",
                    "iam:listMFADevices",
                    "iam:listOpenIDConnectProviders",
                    "iam:listPolicies",
                    "iam:listPolicyVersions",
                    "iam:listRolePolicies",
                    "iam:listRoles",
                    "iam:listSAMLProviders",
                    "iam:listServerCertificates",
                    "iam:listServiceSpecificCredentials",
                    "iam:listSigningCertificates",
                    "iam:listSSHPublicKeys",
                    "iam:listUserPolicies",
                    "iam:listUsers",
                    "iam:listVirtualMFADevices",
                    "iam:simulateCustomPolicy",
                    "iam:simulatePrincipalPolicy",
                    "identitystore:describeGroup",
                    "identitystore:describeGroupMembership",
                    "identitystore:getGroupId",
                    "identitystore:getGroupMembershipId",
                    "identitystore:getUserId",
                    "identitystore:isMemberInGroups",
                    "identitystore:listGroupMemberships",
                    "identitystore:listGroupMembershipsForMember",
                    "identitystore:listGroups",
                    "imagebuilder:getComponent",
                    "imagebuilder:getComponentPolicy",
                    "imagebuilder:getContainerRecipe",
                    "imagebuilder:getContainerRecipePolicy",
                    "imagebuilder:getDistributionConfiguration",
                    "imagebuilder:getImage",
                    "imagebuilder:getImagePipeline",
                    "imagebuilder:getImagePolicy",
                    "imagebuilder:getImageRecipe",
                    "imagebuilder:getImageRecipePolicy",
                    "imagebuilder:getInfrastructureConfiguration",
                    "imagebuilder:getLifecycleExecution",
                    "imagebuilder:getLifecyclePolicy",
                    "imagebuilder:getWorkflow",
                    "imagebuilder:getWorkflowExecution",
                    "imagebuilder:getWorkflowStepExecution",
                    "imagebuilder:listComponentBuildVersions",
                    "imagebuilder:listComponents",
                    "imagebuilder:listContainerRecipes",
                    "imagebuilder:listDistributionConfigurations",
                    "imagebuilder:listImageBuildVersions",
                    "imagebuilder:listImagePipelineImages",
                    "imagebuilder:listImagePipelines",
                    "imagebuilder:listImageRecipes",
                    "imagebuilder:listImages",
                    "imagebuilder:listImageScanFindingAggregations",
                    "imagebuilder:listInfrastructureConfigurations",
                    "imagebuilder:listLifecycleExecutionResources",
                    "imagebuilder:listLifecycleExecutions",
                    "imagebuilder:listLifecyclePolicies",
                    "imagebuilder:listTagsForResource",
                    "imagebuilder:listWorkflowBuildVersions",
                    "imagebuilder:listWorkflowExecutions",
                    "imagebuilder:listWorkflows",
                    "imagebuilder:listWaitingWorkflowSteps",
                    "imagebuilder:listWorkflowStepExecutions",
                    "inspector-scan:scanSbom",
                    "inspector:describeAssessmentRuns",
                    "inspector:describeAssessmentTargets",
                    "inspector:describeAssessmentTemplates",
                    "inspector:describeCrossAccountAccessRole",
                    "inspector:describeResourceGroups",
                    "inspector:describeRulesPackages",
                    "inspector:getTelemetryMetadata",
                    "inspector:listAssessmentRunAgents",
                    "inspector:listAssessmentRuns",
                    "inspector:listAssessmentTargets",
                    "inspector:listAssessmentTemplates",
                    "inspector:listEventSubscriptions",
                    "inspector:listRulesPackages",
                    "inspector:listTagsForResource",
                    "inspector2:batchGetAccountStatus",
                    "inspector2:batchGetFreeTrialInfo",
                    "inspector2:describeOrganizationConfiguration",
                    "inspector2:getConfiguration",
                    "inspector2:getDelegatedAdminAccount",
                    "inspector2:getEc2DeepInspectionConfiguration",
                    "inspector2:getMember",
                    "inspector2:getSbomExport",
                    "inspector2:listCisScanConfigurations",
                    "inspector2:listCisScanResultsAggregatedByChecks",
                    "inspector2:listCisScanResultsAggregatedByTargetResource",
                    "inspector2:listCisScans",
                    "inspector2:listCoverage",
                    "inspector2:listDelegatedAdminAccounts",
                    "inspector2:listFilters",
                    "inspector2:listFindings",
                    "inspector2:listMembers",
                    "inspector2:listUsageTotals",
                    "internetmonitor:getHealthEvent",
                    "internetmonitor:getMonitor",
                    "internetmonitor:listHealthEvents",
                    "internetmonitor:listMonitors",
                    "invoicing:batchGetInvoiceProfile",
                    "invoicing:listInvoiceSummaries",
                    "invoicing:listInvoiceUnits",
                    "iot:describeAuthorizer",
                    "iot:describeCACertificate",
                    "iot:describeCertificate",
                    "iot:describeDefaultAuthorizer",
                    "iot:describeDomainConfiguration",
                    "iot:describeEndpoint",
                    "iot:describeIndex",
                    "iot:describeJobExecution",
                    "iot:describeThing",
                    "iot:describeThingGroup",
                    "iot:describeTunnel",
                    "iot:getEffectivePolicies",
                    "iot:getIndexingConfiguration",
                    "iot:getLoggingOptions",
                    "iot:getPolicy",
                    "iot:getPolicyVersion",
                    "iot:getTopicRule",
                    "iot:getV2LoggingOptions",
                    "iot:listAttachedPolicies",
                    "iot:listAuthorizers",
                    "iot:listCACertificates",
                    "iot:listCertificates",
                    "iot:listCertificatesByCA",
                    "iot:listCommandExecutions",
                    "iot:listCommands",
                    "iot:listDomainConfigurations",
                    "iot:listJobExecutionsForJob",
                    "iot:listJobExecutionsForThing",
                    "iot:listJobs",
                    "iot:listNamedShadowsForThing",
                    "iot:listOutgoingCertificates",
                    "iot:listPackages",
                    "iot:listPackageVersions",
                    "iot:listPolicies",
                    "iot:listPolicyPrincipals",
                    "iot:listPolicyVersions",
                    "iot:listPrincipalPolicies",
                    "iot:listPrincipalThings",
                    "iot:listRoleAliases",
                    "iot:listTargetsForPolicy",
                    "iot:listThingGroups",
                    "iot:listThingGroupsForThing",
                    "iot:listThingPrincipals",
                    "iot:listThingRegistrationTasks",
                    "iot:listThings",
                    "iot:listThingsInThingGroup",
                    "iot:listThingTypes",
                    "iot:listTopicRules",
                    "iot:listTunnels",
                    "iot:listV2LoggingLevels",
                    "iotevents:describeDetector",
                    "iotevents:describeDetectorModel",
                    "iotevents:describeInput",
                    "iotevents:describeLoggingOptions",
                    "iotevents:listDetectorModels",
                    "iotevents:listDetectorModelVersions",
                    "iotevents:listDetectors",
                    "iotevents:listInputs",
                    "iotfleetwise:getCampaign",
                    "iotfleetwise:getDecoderManifest",
                    "iotfleetwise:getEncryptionConfiguration",
                    "iotfleetwise:getFleet",
                    "iotfleetwise:getLoggingOptions",
                    "iotfleetwise:getModelManifest",
                    "iotfleetwise:getRegisterAccountStatus",
                    "iotfleetwise:getSignalCatalog",
                    "iotfleetwise:getStateTemplate",
                    "iotfleetwise:getVehicle",
                    "iotfleetwise:getVehicleStatus",
                    "iotfleetwise:listCampaigns",
                    "iotfleetwise:listDecoderManifestNetworkInterfaces",
                    "iotfleetwise:listDecoderManifests",
                    "iotfleetwise:listDecoderManifestSignals",
                    "iotfleetwise:listFleets",
                    "iotfleetwise:listFleetsForVehicle",
                    "iotfleetwise:listModelManifestNodes",
                    "iotfleetwise:listModelManifests",
                    "iotfleetwise:listSignalCatalogNodes",
                    "iotfleetwise:listSignalCatalogs",
                    "iotfleetwise:listStateTemplates",
                    "iotfleetwise:listVehicles",
                    "iotfleetwise:listVehiclesInFleet",
                    "iotsitewise:describeAccessPolicy",
                    "iotsitewise:describeAsset",
                    "iotsitewise:describeAssetModel",
                    "iotsitewise:describeAssetProperty",
                    "iotsitewise:describeDashboard",
                    "iotsitewise:describeGateway",
                    "iotsitewise:describeGatewayCapabilityConfiguration",
                    "iotsitewise:describeLoggingOptions",
                    "iotsitewise:describePortal",
                    "iotsitewise:describeProject",
                    "iotsitewise:listAccessPolicies",
                    "iotsitewise:listAssetModels",
                    "iotsitewise:listAssets",
                    "iotsitewise:listAssociatedAssets",
                    "iotsitewise:listDashboards",
                    "iotsitewise:listGateways",
                    "iotsitewise:listPortals",
                    "iotsitewise:listProjectAssets",
                    "iotsitewise:listProjects",
                    "iottwinmaker:getComponentType",
                    "iottwinmaker:getEntity",
                    "iottwinmaker:getPricingPlan",
                    "iottwinmaker:getScene",
                    "iottwinmaker:getSyncJob",
                    "iottwinmaker:getWorkspace",
                    "iottwinmaker:listComponentTypes",
                    "iottwinmaker:listEntities",
                    "iottwinmaker:listScenes",
                    "iottwinmaker:listSyncJobs",
                    "iottwinmaker:listSyncResources",
                    "iottwinmaker:listWorkspaces",
                    "iotwireless:getDestination",
                    "iotwireless:getDeviceProfile",
                    "iotwireless:getPartnerAccount",
                    "iotwireless:getServiceEndpoint",
                    "iotwireless:getServiceProfile",
                    "iotwireless:getWirelessDevice",
                    "iotwireless:getWirelessDeviceStatistics",
                    "iotwireless:getWirelessGateway",
                    "iotwireless:getWirelessGatewayCertificate",
                    "iotwireless:getWirelessGatewayFirmwareInformation",
                    "iotwireless:getWirelessGatewayStatistics",
                    "iotwireless:getWirelessGatewayTask",
                    "iotwireless:getWirelessGatewayTaskDefinition",
                    "iotwireless:listDestinations",
                    "iotwireless:listDeviceProfiles",
                    "iotwireless:listPartnerAccounts",
                    "iotwireless:listServiceProfiles",
                    "iotwireless:listTagsForResource",
                    "iotwireless:listWirelessDevices",
                    "iotwireless:listWirelessGateways",
                    "iotwireless:listWirelessGatewayTaskDefinitions",
                    "ivs:getChannel",
                    "ivs:getRecordingConfiguration",
                    "ivs:getStream",
                    "ivs:getStreamSession",
                    "ivs:listChannels",
                    "ivs:listPlaybackKeyPairs",
                    "ivs:listRecordingConfigurations",
                    "ivs:listStreamKeys",
                    "ivs:listStreams",
                    "ivs:listStreamSessions",
                    "kafka:describeCluster",
                    "kafka:describeClusterOperation",
                    "kafka:describeClusterOperationV2",
                    "kafka:describeClusterV2",
                    "kafka:describeConfiguration",
                    "kafka:describeConfigurationRevision",
                    "kafka:describeReplicator",
                    "kafka:describeVpcConnection",
                    "kafka:getBootstrapBrokers",
                    "kafka:getClusterPolicy",
                    "kafka:listClientVpcConnections",
                    "kafka:listClusterOperations",
                    "kafka:listClusterOperationsV2",
                    "kafka:listClusters",
                    "kafka:listClustersV2",
                    "kafka:listConfigurationRevisions",
                    "kafka:listConfigurations",
                    "kafka:listNodes",
                    "kafka:listReplicators",
                    "kafka:listScramSecrets",
                    "kafka:listVpcConnections",
                    "kafkaconnect:describeConnector",
                    "kafkaconnect:describeCustomPlugin",
                    "kafkaconnect:describeWorkerConfiguration",
                    "kafkaconnect:listConnectors",
                    "kafkaconnect:listCustomPlugins",
                    "kafkaconnect:listWorkerConfigurations",
                    "kendra:describeDataSource",
                    "kendra:describeFaq",
                    "kendra:describeIndex",
                    "kendra:listDataSources",
                    "kendra:listFaqs",
                    "kendra:listIndices",
                    "kinesis:describeStream",
                    "kinesis:describeStreamConsumer",
                    "kinesis:describeStreamSummary",
                    "kinesis:listShards",
                    "kinesis:listStreamConsumers",
                    "kinesis:listStreams",
                    "kinesis:listTagsForStream",
                    "kinesisanalytics:describeApplication",
                    "kinesisanalytics:describeApplicationOperation",
                    "kinesisanalytics:describeApplicationSnapshot",
                    "kinesisanalytics:listApplicationOperations",
                    "kinesisanalytics:listApplications",
                    "kinesisanalytics:listApplicationSnapshots",
                    "kinesisanalytics:listApplicationVersions",
                    "kinesisvideo:describeImageGenerationConfiguration",
                    "kinesisvideo:describeEdgeConfiguration",
                    "kinesisvideo:describeMappedResourceConfiguration",
                    "kinesisvideo:describeMediaStorageConfiguration",
                    "kinesisvideo:describeNotificationConfiguration",
                    "kinesisvideo:describeSignalingChannel",
                    "kinesisvideo:describeStream",
                    "kinesisvideo:getDataEndpoint",
                    "kinesisvideo:getIceServerConfig",
                    "kinesisvideo:getSignalingChannelEndpoint",
                    "kinesisvideo:listSignalingChannels",
                    "kinesisvideo:listEdgeAgentConfigurations",
                    "kinesisvideo:listStreams",
                    "kms:describeKey",
                    "kms:getKeyPolicy",
                    "kms:getKeyRotationStatus",
                    "kms:listAliases",
                    "kms:listGrants",
                    "kms:listKeyPolicies",
                    "kms:listKeys",
                    "kms:listResourceTags",
                    "kms:listRetirableGrants",
                    "lakeformation:describeLakeFormationIdentityCenterConfiguration",
                    "lakeformation:describeResource",
                    "lakeformation:describeTransaction",
                    "lakeformation:getDataLakePrincipal",
                    "lakeformation:getDataLakeSettings",
                    "lakeformation:getEffectivePermissionsForPath",
                    "lakeformation:getLFTag",
                    "lakeformation:getLFTagExpression",
                    "lakeformation:getQueryState",
                    "lakeformation:getQueryStatistics",
                    "lakeformation:getResourceLFTags",
                    "lakeformation:listLFTagExpressions",
                    "lakeformation:listLFTags",
                    "lakeformation:listLakeFormationOptIns",
                    "lakeformation:listPermissions",
                    "lakeformation:listResources",
                    "lakeformation:searchDatabasesByLFTags",
                    "lakeformation:searchTablesByLFTags",
                    "lambda:getAccountSettings",
                    "lambda:getAlias",
                    "lambda:getCodeSigningConfig",
                    "lambda:getEventSourceMapping",
                    "lambda:getFunction",
                    "lambda:getFunctionCodeSigningConfig",
                    "lambda:getFunctionConcurrency",
                    "lambda:getFunctionConfiguration",
                    "lambda:getFunctionEventInvokeConfig",
                    "lambda:getFunctionRecursionConfig",
                    "lambda:getFunctionUrlConfig",
                    "lambda:getLayerVersion",
                    "lambda:getLayerVersionPolicy",
                    "lambda:getPolicy",
                    "lambda:getProvisionedConcurrencyConfig",
                    "lambda:getRuntimeManagementConfig",
                    "lambda:listAliases",
                    "lambda:listCodeSigningConfigs",
                    "lambda:listEventSourceMappings",
                    "lambda:listFunctionEventInvokeConfigs",
                    "lambda:listFunctions",
                    "lambda:listFunctionsByCodeSigningConfig",
                    "lambda:listFunctionUrlConfigs",
                    "lambda:listLayers",
                    "lambda:listLayerVersions",
                    "lambda:listProvisionedConcurrencyConfigs",
                    "lambda:listTags",
                    "lambda:listVersionsByFunction",
                    "launchwizard:describeProvisionedApp",
                    "launchwizard:describeProvisioningEvents",
                    "launchwizard:listDeploymentEvents",
                    "launchwizard:listDeployments",
                    "launchwizard:listProvisionedApps",
                    "lex:describeBot",
                    "lex:describeBotAlias",
                    "lex:describeBotLocale",
                    "lex:describeBotRecommendation",
                    "lex:describeBotVersion",
                    "lex:describeCustomVocabularyMetadata",
                    "lex:describeExport",
                    "lex:describeImport",
                    "lex:describeIntent",
                    "lex:describeResourcePolicy",
                    "lex:describeSlot",
                    "lex:describeSlotType",
                    "lex:getBot",
                    "lex:getBotAlias",
                    "lex:getBotAliases",
                    "lex:getBotChannelAssociation",
                    "lex:getBotChannelAssociations",
                    "lex:getBots",
                    "lex:getBotVersions",
                    "lex:getBuiltinIntent",
                    "lex:getBuiltinIntents",
                    "lex:getBuiltinSlotTypes",
                    "lex:getIntent",
                    "lex:getIntents",
                    "lex:getIntentVersions",
                    "lex:getSlotType",
                    "lex:getSlotTypes",
                    "lex:getSlotTypeVersions",
                    "lex:listBotAliases",
                    "lex:listBotLocales",
                    "lex:listBotRecommendations",
                    "lex:listBots",
                    "lex:listBotVersions",
                    "lex:listExports",
                    "lex:listImports",
                    "lex:listIntents",
                    "lex:listRecommendedIntents",
                    "lex:listSlots",
                    "lex:listSlotTypes",
                    "license-manager:getGrant",
                    "license-manager:getLicense",
                    "license-manager:getLicenseConfiguration",
                    "license-manager:getLicenseConversionTask",
                    "license-manager:getLicenseManagerReportGenerator",
                    "license-manager:getLicenseUsage",
                    "license-manager:getServiceSettings",
                    "license-manager:listAssociationsForLicenseConfiguration",
                    "license-manager:listDistributedGrants",
                    "license-manager:listFailuresForLicenseConfigurationOperations",
                    "license-manager:listLicenseConfigurations",
                    "license-manager:listLicenseConversionTasks",
                    "license-manager:listLicenseManagerReportGenerators",
                    "license-manager:listLicenses",
                    "license-manager:listLicenseSpecificationsForResource",
                    "license-manager:listLicenseVersions",
                    "license-manager:listReceivedGrants",
                    "license-manager:listReceivedGrantsForOrganization",
                    "license-manager:listReceivedLicenses",
                    "license-manager:listReceivedLicensesForOrganization",
                    "license-manager:listResourceInventory",
                    "license-manager:listTokens",
                    "license-manager:listUsageForLicenseConfiguration",
                    "license-manager-linux-subscriptions:getRegisteredSubscriptionProvider",
                    "license-manager-linux-subscriptions:getServiceSettings",
                    "license-manager-linux-subscriptions:listLinuxSubscriptionInstances",
                    "license-manager-linux-subscriptions:listLinuxSubscriptions",
                    "license-manager-linux-subscriptions:listRegisteredSubscriptionProviders",
                    "license-manager-user-subscriptions:listIdentityProviders",
                    "license-manager-user-subscriptions:listInstances",
                    "license-manager-user-subscriptions:listLicenseServerEndpoints",
                    "license-manager-user-subscriptions:listProductSubscriptions",
                    "license-manager-user-subscriptions:listUserAssociations",
                    "lightsail:getActiveNames",
                    "lightsail:getAlarms",
                    "lightsail:getAutoSnapshots",
                    "lightsail:getBlueprints",
                    "lightsail:getBucketBundles",
                    "lightsail:getBucketMetricData",
                    "lightsail:getBuckets",
                    "lightsail:getBundles",
                    "lightsail:getCertificates",
                    "lightsail:getContainerImages",
                    "lightsail:getContainerServiceDeployments",
                    "lightsail:getContainerServiceMetricData",
                    "lightsail:getContainerServicePowers",
                    "lightsail:getContainerServices",
                    "lightsail:getDisk",
                    "lightsail:getDisks",
                    "lightsail:getDiskSnapshot",
                    "lightsail:getDiskSnapshots",
                    "lightsail:getDistributionBundles",
                    "lightsail:getDistributionMetricData",
                    "lightsail:getDistributions",
                    "lightsail:getDomain",
                    "lightsail:getDomains",
                    "lightsail:getExportSnapshotRecords",
                    "lightsail:getInstance",
                    "lightsail:getInstanceMetricData",
                    "lightsail:getInstancePortStates",
                    "lightsail:getInstances",
                    "lightsail:getInstanceSnapshot",
                    "lightsail:getInstanceSnapshots",
                    "lightsail:getInstanceState",
                    "lightsail:getKeyPair",
                    "lightsail:getKeyPairs",
                    "lightsail:getLoadBalancer",
                    "lightsail:getLoadBalancerMetricData",
                    "lightsail:getLoadBalancers",
                    "lightsail:getLoadBalancerTlsCertificates",
                    "lightsail:getOperation",
                    "lightsail:getOperations",
                    "lightsail:getOperationsForResource",
                    "lightsail:getRegions",
                    "lightsail:getRelationalDatabase",
                    "lightsail:getRelationalDatabaseMetricData",
                    "lightsail:getRelationalDatabases",
                    "lightsail:getRelationalDatabaseSnapshot",
                    "lightsail:getRelationalDatabaseSnapshots",
                    "lightsail:getStaticIp",
                    "lightsail:getStaticIps",
                    "lightsail:isVpcPeered",
                    "logs:describeAccountPolicies",
                    "logs:describeDeliveries",
                    "logs:describeDeliveryDestinations",
                    "logs:describeDeliverySources",
                    "logs:describeDestinations",
                    "logs:describeExportTasks",
                    "logs:describeFieldIndexes",
                    "logs:describeIndexPolicies",
                    "logs:describeLogGroups",
                    "logs:describeLogStreams",
                    "logs:describeMetricFilters",
                    "logs:describeQueries",
                    "logs:describeQueryDefinitions",
                    "logs:describeResourcePolicies",
                    "logs:describeSubscriptionFilters",
                    "logs:getDataProtectionPolicy",
                    "logs:getDelivery",
                    "logs:getDeliveryDestination",
                    "logs:getDeliveryDestinationPolicy",
                    "logs:getDeliverySource",
                    "logs:getIntegration",
                    "logs:getLogAnomalyDetector",
                    "logs:getLogDelivery",
                    "logs:getLogGroupFields",
                    "logs:getTransformer",
                    "logs:listAnomalies",
                    "logs:listIntegrations",
                    "logs:listLogAnomalyDetectors",
                    "logs:listLogDeliveries",
                    "logs:listLogGroupsForQuery",
                    "logs:testMetricFilter",
                    "lookoutequipment:describeDataIngestionJob",
                    "lookoutequipment:describeDataset",
                    "lookoutequipment:describeInferenceScheduler",
                    "lookoutequipment:describeModel",
                    "lookoutequipment:listDataIngestionJobs",
                    "lookoutequipment:listDatasets",
                    "lookoutequipment:listInferenceExecutions",
                    "lookoutequipment:listInferenceSchedulers",
                    "lookoutequipment:listModels",
                    "lookoutmetrics:describeAlert",
                    "lookoutmetrics:describeAnomalyDetectionExecutions",
                    "lookoutmetrics:describeAnomalyDetector",
                    "lookoutmetrics:describeMetricSet",
                    "lookoutmetrics:getAnomalyGroup",
                    "lookoutmetrics:getDataQualityMetrics",
                    "lookoutmetrics:getFeedback",
                    "lookoutmetrics:getSampleData",
                    "lookoutmetrics:listAlerts",
                    "lookoutmetrics:listAnomalyDetectors",
                    "lookoutmetrics:listAnomalyGroupSummaries",
                    "lookoutmetrics:listAnomalyGroupTimeSeries",
                    "lookoutmetrics:listMetricSets",
                    "lookoutmetrics:listTagsForResource",
                    "m2:getApplication",
                    "m2:getApplicationVersion",
                    "m2:getBatchJobExecution",
                    "m2:getDataSetDetails",
                    "m2:getDataSetImportTask",
                    "m2:getDeployment",
                    "m2:getEnvironment",
                    "m2:listApplications",
                    "m2:listApplicationVersions",
                    "m2:listBatchJobDefinitions",
                    "m2:listBatchJobExecutions",
                    "m2:listDataSetImportHistory",
                    "m2:listDataSets",
                    "m2:listDeployments",
                    "m2:listEngineVersions",
                    "m2:listEnvironments",
                    "machinelearning:describeBatchPredictions",
                    "machinelearning:describeDataSources",
                    "machinelearning:describeEvaluations",
                    "machinelearning:describeMLModels",
                    "machinelearning:getBatchPrediction",
                    "machinelearning:getDataSource",
                    "machinelearning:getEvaluation",
                    "machinelearning:getMLModel",
                    "macie2:getClassificationExportConfiguration",
                    "macie2:getCustomDataIdentifier",
                    "macie2:getFindings",
                    "macie2:getFindingStatistics",
                    "macie2:listClassificationJobs",
                    "macie2:listCustomDataIdentifiers",
                    "macie2:listFindings",
                    "managedblockchain:getMember",
                    "managedblockchain:getNetwork",
                    "managedblockchain:getNode",
                    "managedblockchain:listMembers",
                    "managedblockchain:listNetworks",
                    "managedblockchain:listNodes",
                    "mediaconnect:describeFlow",
                    "mediaconnect:listEntitlements",
                    "mediaconnect:listFlows",
                    "mediaconvert:describeEndpoints",
                    "mediaconvert:getJob",
                    "mediaconvert:getJobTemplate",
                    "mediaconvert:getPreset",
                    "mediaconvert:getQueue",
                    "mediaconvert:listJobs",
                    "mediaconvert:listJobTemplates",
                    "medialive:describeChannel",
                    "medialive:describeInput",
                    "medialive:describeInputDevice",
                    "medialive:describeInputSecurityGroup",
                    "medialive:describeMultiplex",
                    "medialive:describeOffering",
                    "medialive:describeReservation",
                    "medialive:describeSchedule",
                    "medialive:getCloudWatchAlarmTemplate",
                    "medialive:getCloudWatchAlarmTemplateGroup",
                    "medialive:getEventBridgeRuleTemplate",
                    "medialive:getEventBridgeRuleTemplateGroup",
                    "medialive:getSignalMap",
                    "medialive:listChannels",
                    "medialive:listCloudWatchAlarmTemplateGroups",
                    "medialive:listCloudWatchAlarmTemplates",
                    "medialive:listEventBridgeRuleTemplateGroups",
                    "medialive:listEventBridgeRuleTemplates",
                    "medialive:listInputDevices",
                    "medialive:listInputs",
                    "medialive:listInputSecurityGroups",
                    "medialive:listMultiplexes",
                    "medialive:listOfferings",
                    "medialive:listReservations",
                    "medialive:listSignalMaps",
                    "mediapackage:describeChannel",
                    "mediapackage:describeOriginEndpoint",
                    "mediapackage:listChannels",
                    "mediapackage:listOriginEndpoints",
                    "mediastore:describeContainer",
                    "mediastore:getContainerPolicy",
                    "mediastore:getCorsPolicy",
                    "mediastore:listContainers",
                    "mediatailor:getPlaybackConfiguration",
                    "mediatailor:listPlaybackConfigurations",
                    "medical-imaging:getDatastore",
                    "medical-imaging:listDatastores",
                    "memorydb:describeReservedNodesOfferings",
                    "memorydb:listAllowedNodeTypeUpdates",
                    "mgn:describeJobLogItems",
                    "mgn:describeJobs",
                    "mgn:describeLaunchConfigurationTemplates",
                    "mgn:describeReplicationConfigurationTemplates",
                    "mgn:describeSourceServers",
                    "mgn:describeVcenterClients",
                    "mgn:getLaunchConfiguration",
                    "mgn:getReplicationConfiguration",
                    "mgn:listApplications",
                    "mgn:listSourceServerActions",
                    "mgn:listTemplateActions",
                    "mgn:listWaves",
                    "mobiletargeting:getAdmChannel",
                    "mobiletargeting:getApnsChannel",
                    "mobiletargeting:getApnsSandboxChannel",
                    "mobiletargeting:getApnsVoipChannel",
                    "mobiletargeting:getApnsVoipSandboxChannel",
                    "mobiletargeting:getApp",
                    "mobiletargeting:getApplicationSettings",
                    "mobiletargeting:getApps",
                    "mobiletargeting:getBaiduChannel",
                    "mobiletargeting:getCampaign",
                    "mobiletargeting:getCampaignActivities",
                    "mobiletargeting:getCampaigns",
                    "mobiletargeting:getCampaignVersion",
                    "mobiletargeting:getCampaignVersions",
                    "mobiletargeting:getEmailChannel",
                    "mobiletargeting:getEndpoint",
                    "mobiletargeting:getEventStream",
                    "mobiletargeting:getExportJob",
                    "mobiletargeting:getExportJobs",
                    "mobiletargeting:getGcmChannel",
                    "mobiletargeting:getImportJob",
                    "mobiletargeting:getImportJobs",
                    "mobiletargeting:getJourney",
                    "mobiletargeting:getJourneyExecutionActivityMetrics",
                    "mobiletargeting:getJourneyExecutionMetrics",
                    "mobiletargeting:getJourneyRunExecutionActivityMetrics",
                    "mobiletargeting:getJourneyRunExecutionMetrics",
                    "mobiletargeting:getJourneyRuns",
                    "mobiletargeting:getSegment",
                    "mobiletargeting:getSegmentImportJobs",
                    "mobiletargeting:getSegments",
                    "mobiletargeting:getSegmentVersion",
                    "mobiletargeting:getSegmentVersions",
                    "mobiletargeting:getSmsChannel",
                    "mobiletargeting:listJourneys",
                    "mobiletargeting:phoneNumberValidate",
                    "mpa:getApprovalTeam",
                    "mpa:getSession",
                    "mpa:listApprovalTeams",
                    "mq:describeBrokerInstanceOptions",
                    "mq:describeBroker",
                    "mq:describeConfiguration",
                    "mq:describeConfigurationRevision",
                    "mq:describeUser",
                    "mq:listBrokers",
                    "mq:listConfigurationRevisions",
                    "mq:listConfigurations",
                    "mq:listUsers",
                    "network-firewall:describeFirewall",
                    "network-firewall:describeFirewallPolicy",
                    "network-firewall:describeFlowOperation",
                    "network-firewall:describeLoggingConfiguration",
                    "network-firewall:describeResourcePolicy",
                    "network-firewall:describeRuleGroup",
                    "network-firewall:describeRuleGroupMetadata",
                    "network-firewall:describeTlsInspectionConfiguration",
                    "network-firewall:describeVpcEndpointAssociation",
                    "network-firewall:listAnalysisReports",
                    "network-firewall:listFirewallPolicies",
                    "network-firewall:listFirewalls",
                    "network-firewall:listFlowOperationResults",
                    "network-firewall:listFlowOperations",
                    "network-firewall:listRuleGroups",
                    "network-firewall:listTlsInspectionConfigurations",
                    "network-firewall:listVpcEndpointAssociations",
                    "networkflowmonitor:getMonitor",
                    "networkflowmonitor:getScope",
                    "networkflowmonitor:listMonitors",
                    "networkflowmonitor:listScopes",
                    "networkmanager:describeGlobalNetworks",
                    "networkmanager:getConnectAttachment",
                    "networkmanager:getConnections",
                    "networkmanager:getConnectPeer",
                    "networkmanager:getConnectPeerAssociations",
                    "networkmanager:getCoreNetwork",
                    "networkmanager:getCoreNetworkChangeEvents",
                    "networkmanager:getCoreNetworkChangeSet",
                    "networkmanager:getCoreNetworkPolicy",
                    "networkmanager:getCustomerGatewayAssociations",
                    "networkmanager:getDevices",
                    "networkmanager:getDirectConnectGatewayAttachment",
                    "networkmanager:getLinkAssociations",
                    "networkmanager:getLinks",
                    "networkmanager:getNetworkResourceCounts",
                    "networkmanager:getNetworkResourceRelationships",
                    "networkmanager:getNetworkResources",
                    "networkmanager:getNetworkRoutes",
                    "networkmanager:getNetworkTelemetry",
                    "networkmanager:getResourcePolicy",
                    "networkmanager:getRouteAnalysis",
                    "networkmanager:getSites",
                    "networkmanager:getSiteToSiteVpnAttachment",
                    "networkmanager:getTransitGatewayConnectPeerAssociations",
                    "networkmanager:getTransitGatewayPeering",
                    "networkmanager:getTransitGatewayRegistrations",
                    "networkmanager:getTransitGatewayRouteTableAttachment",
                    "networkmanager:getVpcAttachment",
                    "networkmanager:listAttachments",
                    "networkmanager:listConnectPeers",
                    "networkmanager:listCoreNetworkPolicyVersions",
                    "networkmanager:listCoreNetworks",
                    "networkmanager:listOrganizationServiceAccessStatus",
                    "networkmanager:listPeerings",
                    "networkmanager:listTagsForResource",
                    "networkmonitor:getMonitor",
                    "networkmonitor:getProbe",
                    "networkmonitor:listMonitors",
                    "notifications-contacts:getEmailContact",
                    "notifications-contacts:listEmailContacts",
                    "notifications:getEventRule",
                    "notifications:getNotificationConfiguration",
                    "notifications:getNotificationEvent",
                    "notifications:listChannels",
                    "notifications:listEventRules",
                    "notifications:listNotificationConfigurations",
                    "notifications:listNotificationEvents",
                    "notifications:listNotificationHubs"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "*"
                  ]
                },
                {
                  "Sid": "AWSSupportActionsGroup3",
                  "Action": [
                    "oam:getLink",
                    "oam:getSink",
                    "oam:getSinkPolicy",
                    "oam:listAttachedLinks",
                    "oam:listLinks",
                    "oam:listSinks",
                    "observabilityadmin:getTelemetryEvaluationStatus",
                    "observabilityadmin:getTelemetryEvaluationStatusForOrganization",
                    "observabilityadmin:listResourceTelemetry",
                    "observabilityadmin:listResourceTelemetryForOrganization",
                    "odb:getCloudAutonomousVmCluster",
                    "odb:getCloudVmCluster",
                    "odb:getOciOnboardingStatus",
                    "odb:getOdbNetwork",
                    "odb:getOdbPeeringConnection",
                    "odb:listCloudAutonomousVmClusters",
                    "odb:listCloudVmClusters",
                    "odb:listOdbNetworks",
                    "odb:listOdbPeeringConnections",
                    "omics:getAnnotationImportJob",
                    "omics:getAnnotationStore",
                    "omics:getAnnotationStoreVersion",
                    "omics:getReadSetActivationJob",
                    "omics:getReadSetExportJob",
                    "omics:getReadSetImportJob",
                    "omics:getReadSetMetadata",
                    "omics:getReference",
                    "omics:getReferenceImportJob",
                    "omics:getReferenceMetadata",
                    "omics:getReferenceStore",
                    "omics:getRun",
                    "omics:getRunCache",
                    "omics:getRunGroup",
                    "omics:getRunTask",
                    "omics:getSequenceStore",
                    "omics:getShare",
                    "omics:getVariantImportJob",
                    "omics:getVariantStore",
                    "omics:getWorkflow",
                    "omics:getWorkflowVersion",
                    "omics:listAnnotationImportJobs",
                    "omics:listAnnotationStores",
                    "omics:listAnnotationStoreVersions",
                    "omics:listMultipartReadSetUploads",
                    "omics:listReadSetActivationJobs",
                    "omics:listReadSetExportJobs",
                    "omics:listReadSetImportJobs",
                    "omics:listReadSets",
                    "omics:listReadSetUploadParts",
                    "omics:listReferenceImportJobs",
                    "omics:listReferences",
                    "omics:listReferenceStores",
                    "omics:listRunCaches",
                    "omics:listRunGroups",
                    "omics:listRuns",
                    "omics:listRunTasks",
                    "omics:listSequenceStores",
                    "omics:listShares",
                    "omics:listVariantImportJobs",
                    "omics:listVariantStores",
                    "omics:listWorkflows",
                    "omics:listWorkflowVersions",
                    "opsworks-cm:describeAccountAttributes",
                    "opsworks-cm:describeBackups",
                    "opsworks-cm:describeEvents",
                    "opsworks-cm:describeNodeAssociationStatus",
                    "opsworks-cm:describeServers",
                    "opsworks:describeAgentVersions",
                    "opsworks:describeApps",
                    "opsworks:describeCommands",
                    "opsworks:describeDeployments",
                    "opsworks:describeEcsClusters",
                    "opsworks:describeElasticIps",
                    "opsworks:describeElasticLoadBalancers",
                    "opsworks:describeInstances",
                    "opsworks:describeLayers",
                    "opsworks:describeLoadBasedAutoScaling",
                    "opsworks:describeMyUserProfile",
                    "opsworks:describePermissions",
                    "opsworks:describeRaidArrays",
                    "opsworks:describeRdsDbInstances",
                    "opsworks:describeServiceErrors",
                    "opsworks:describeStackProvisioningParameters",
                    "opsworks:describeStacks",
                    "opsworks:describeStackSummary",
                    "opsworks:describeTimeBasedAutoScaling",
                    "opsworks:describeUserProfiles",
                    "opsworks:describeVolumes",
                    "opsworks:getHostnameSuggestion",
                    "organizations:describeAccount",
                    "organizations:describeCreateAccountStatus",
                    "organizations:describeEffectivePolicy",
                    "organizations:describeHandshake",
                    "organizations:describeOrganization",
                    "organizations:describeOrganizationalUnit",
                    "organizations:describePolicy",
                    "organizations:describeResourcePolicy",
                    "organizations:listAccounts",
                    "organizations:listAccountsForParent",
                    "organizations:listAWSServiceAccessForOrganization",
                    "organizations:listChildren",
                    "organizations:listCreateAccountStatus",
                    "organizations:listDelegatedAdministrators",
                    "organizations:listDelegatedServicesForAccount",
                    "organizations:listHandshakesForAccount",
                    "organizations:listHandshakesForOrganization",
                    "organizations:listOrganizationalUnitsForParent",
                    "organizations:listParents",
                    "organizations:listPolicies",
                    "organizations:listPoliciesForTarget",
                    "organizations:listRoots",
                    "organizations:listTagsForResource",
                    "organizations:listTargetsForPolicy",
                    "osis:getPipeline",
                    "osis:getPipelineBlueprint",
                    "osis:getPipelineChangeProgress",
                    "osis:listPipelineBlueprints",
                    "osis:listPipelines",
                    "osis:validatePipeline",
                    "outposts:getCapacityTask",
                    "outposts:getCatalogItem",
                    "outposts:getConnection",
                    "outposts:getOrder",
                    "outposts:getOutpost",
                    "outposts:getOutpostInstanceTypes",
                    "outposts:getOutpostSupportedInstanceTypes",
                    "outposts:getSite",
                    "outposts:listAssets",
                    "outposts:listAssetInstances",
                    "outposts:listBlockingInstancesForCapacityTask",
                    "outposts:listCapacityTasks",
                    "outposts:listCatalogItems",
                    "outposts:listOrders",
                    "outposts:listOutposts",
                    "outposts:listSites",
                    "payment-cryptography:getAlias",
                    "payment-cryptography:getKey",
                    "payment-cryptography:listAliases",
                    "payment-cryptography:listKeys",
                    "pcs:getCluster",
                    "pcs:getComputeNodeGroup",
                    "pcs:getQueue",
                    "pcs:listClusters",
                    "pcs:listComputeNodeGroups",
                    "pcs:listQueues",
                    "personalize:describeAlgorithm",
                    "personalize:describeBatchInferenceJob",
                    "personalize:describeBatchSegmentJob",
                    "personalize:describeCampaign",
                    "personalize:describeDataset",
                    "personalize:describeDatasetExportJob",
                    "personalize:describeDatasetGroup",
                    "personalize:describeDatasetImportJob",
                    "personalize:describeEventTracker",
                    "personalize:describeFeatureTransformation",
                    "personalize:describeFilter",
                    "personalize:describeRecipe",
                    "personalize:describeRecommender",
                    "personalize:describeSchema",
                    "personalize:describeSolution",
                    "personalize:describeSolutionVersion",
                    "personalize:getPersonalizedRanking",
                    "personalize:getRecommendations",
                    "personalize:getSolutionMetrics",
                    "personalize:listBatchInferenceJobs",
                    "personalize:listBatchSegmentJobs",
                    "personalize:listCampaigns",
                    "personalize:listDatasetExportJobs",
                    "personalize:listDatasetGroups",
                    "personalize:listDatasetImportJobs",
                    "personalize:listDatasets",
                    "personalize:listEventTrackers",
                    "personalize:listRecipes",
                    "personalize:listRecommenders",
                    "personalize:listSchemas",
                    "personalize:listSolutions",
                    "personalize:listSolutionVersions",
                    "pipes:describePipe",
                    "pipes:listPipes",
                    "pipes:listTagsForResource",
                    "polly:describeVoices",
                    "polly:getLexicon",
                    "polly:listLexicons",
                    "pricing:describeServices",
                    "pricing:getAttributeValues",
                    "pricing:getProducts",
                    "private-networks:getDeviceIdentifier",
                    "private-networks:getNetwork",
                    "private-networks:getNetworkResource",
                    "private-networks:listDeviceIdentifiers",
                    "private-networks:listNetworkResources",
                    "private-networks:listNetworks",
                    "qbusiness:getApplication",
                    "qbusiness:getDataSource",
                    "qbusiness:getIndex",
                    "qbusiness:getRetriever",
                    "qbusiness:getWebExperience",
                    "qbusiness:listApplications",
                    "qbusiness:listDataSources",
                    "qbusiness:listDataSourceSyncJobs",
                    "qbusiness:listIndices",
                    "qbusiness:listRetrievers",
                    "qbusiness:listWebExperiences",
                    "quicksight:describeAccountCustomization",
                    "quicksight:describeAccountSettings",
                    "quicksight:describeAccountSubscription",
                    "quicksight:describeAnalysis",
                    "quicksight:describeAnalysisPermissions",
                    "quicksight:describeDashboard",
                    "quicksight:describeDashboardPermissions",
                    "quicksight:describeDataSet",
                    "quicksight:describeDataSetPermissions",
                    "quicksight:describeDataSetRefreshProperties",
                    "quicksight:describeDataSource",
                    "quicksight:describeDataSourcePermissions",
                    "quicksight:describeFolder",
                    "quicksight:describeFolderPermissions",
                    "quicksight:describeFolderResolvedPermissions",
                    "quicksight:describeGroup",
                    "quicksight:describeGroupMembership",
                    "quicksight:describeIAMPolicyAssignment",
                    "quicksight:describeIngestion",
                    "quicksight:describeIpRestriction",
                    "quicksight:describeNamespace",
                    "quicksight:describeRefreshSchedule",
                    "quicksight:describeTemplate",
                    "quicksight:describeTemplateAlias",
                    "quicksight:describeTemplatePermissions",
                    "quicksight:describeTheme",
                    "quicksight:describeThemeAlias",
                    "quicksight:describeThemePermissions",
                    "quicksight:describeTopic",
                    "quicksight:describeTopicPermissions",
                    "quicksight:describeTopicRefresh",
                    "quicksight:describeTopicRefreshSchedule",
                    "quicksight:describeUser",
                    "quicksight:describeVPCConnection",
                    "quicksight:listAnalyses",
                    "quicksight:listDashboards",
                    "quicksight:listDashboardVersions",
                    "quicksight:listDataSets",
                    "quicksight:listDataSources",
                    "quicksight:listFolderMembers",
                    "quicksight:listFolders",
                    "quicksight:listGroupMemberships",
                    "quicksight:listGroups",
                    "quicksight:listIAMPolicyAssignments",
                    "quicksight:listIAMPolicyAssignmentsForUser",
                    "quicksight:listIngestions",
                    "quicksight:listNamespaces",
                    "quicksight:listRefreshSchedules",
                    "quicksight:listTemplateAliases",
                    "quicksight:listTemplates",
                    "quicksight:listTemplateVersions",
                    "quicksight:listThemeAliases",
                    "quicksight:listThemes",
                    "quicksight:listThemeVersions",
                    "quicksight:listTopicRefreshSchedules",
                    "quicksight:listTopics",
                    "quicksight:listUserGroups",
                    "quicksight:listUsers",
                    "quicksight:listVPCConnections",
                    "quicksight:searchAnalyses",
                    "quicksight:searchDashboards",
                    "quicksight:searchDataSets",
                    "quicksight:searchDataSources",
                    "quicksight:searchFolders",
                    "quicksight:searchGroups",
                    "ram:getPermission",
                    "ram:getResourceShareAssociations",
                    "ram:getResourceShareInvitations",
                    "ram:getResourceShares",
                    "ram:listPendingInvitationResources",
                    "ram:listPrincipals",
                    "ram:listResources",
                    "ram:listResourceSharePermissions",
                    "rbin:getRule",
                    "rbin:listRules",
                    "rds:describeAccountAttributes",
                    "rds:describeBlueGreenDeployments",
                    "rds:describeCertificates",
                    "rds:describeDBClusterAutomatedBackups",
                    "rds:describeDBClusterBacktracks",
                    "rds:describeDBClusterEndpoints",
                    "rds:describeDBClusterParameterGroups",
                    "rds:describeDBClusterParameters",
                    "rds:describeDBClusters",
                    "rds:describeDBClusterSnapshots",
                    "rds:describeDBClusterSnapshotAttributes",
                    "rds:describeDBEngineVersions",
                    "rds:describeDBInstanceAutomatedBackups",
                    "rds:describeDBInstances",
                    "rds:describeDBLogFiles",
                    "rds:describeDBMajorEngineVersions",
                    "rds:describeDBParameterGroups",
                    "rds:describeDBParameters",
                    "rds:describeDBProxies",
                    "rds:describeDBProxyEndpoints",
                    "rds:describeDBProxyTargetGroups",
                    "rds:describeDBProxyTargets",
                    "rds:describeDBRecommendations",
                    "rds:describeDBSecurityGroups",
                    "rds:describeDBShardGroups",
                    "rds:describeDBSnapshotAttributes",
                    "rds:describeDBSnapshots",
                    "rds:describeDBSnapshotTenantDatabases",
                    "rds:describeDBSubnetGroups",
                    "rds:describeEngineDefaultClusterParameters",
                    "rds:describeEngineDefaultParameters",
                    "rds:describeEventCategories",
                    "rds:describeEvents",
                    "rds:describeEventSubscriptions",
                    "rds:describeExportTasks",
                    "rds:describeGlobalClusters",
                    "rds:describeIntegrations",
                    "rds:describeOptionGroupOptions",
                    "rds:describeOptionGroups",
                    "rds:describeOrderableDBInstanceOptions",
                    "rds:describePendingMaintenanceActions",
                    "rds:describeReservedDBInstances",
                    "rds:describeReservedDBInstancesOfferings",
                    "rds:describeSourceRegions",
                    "rds:describeTenantDatabases",
                    "rds:describeValidDBInstanceModifications",
                    "rds:listTagsForResource",
                    "redshift-data:describeStatement",
                    "redshift-data:listStatements",
                    "redshift-serverless:getCustomDomainAssociation",
                    "redshift-serverless:getEndpointAccess",
                    "redshift-serverless:getNamespace",
                    "redshift-serverless:getRecoveryPoint",
                    "redshift-serverless:getScheduledAction",
                    "redshift-serverless:getSnapshot",
                    "redshift-serverless:getTableRestoreStatus",
                    "redshift-serverless:getUsageLimit",
                    "redshift-serverless:getWorkgroup",
                    "redshift-serverless:listCustomDomainAssociations",
                    "redshift-serverless:listEndpointAccess",
                    "redshift-serverless:listNamespaces",
                    "redshift-serverless:listRecoveryPoints",
                    "redshift-serverless:listSnapshotCopyConfigurations",
                    "redshift-serverless:listSnapshots",
                    "redshift-serverless:listTableRestoreStatus",
                    "redshift-serverless:listUsageLimits",
                    "redshift-serverless:listWorkgroups",
                    "redshift:describeClusterDbRevisions",
                    "redshift:describeClusterParameterGroups",
                    "redshift:describeClusterParameters",
                    "redshift:describeClusters",
                    "redshift:describeClusterSecurityGroups",
                    "redshift:describeClusterSnapshots",
                    "redshift:describeClusterSubnetGroups",
                    "redshift:describeClusterTracks",
                    "redshift:describeClusterVersions",
                    "redshift:describeCustomDomainAssociations",
                    "redshift:describeDataShares",
                    "redshift:describeDataSharesForConsumer",
                    "redshift:describeDataSharesForProducer",
                    "redshift:describeDefaultClusterParameters",
                    "redshift:describeEndpointAccess",
                    "redshift:describeEndpointAuthorization",
                    "redshift:describeEventCategories",
                    "redshift:describeEvents",
                    "redshift:describeEventSubscriptions",
                    "redshift:describeHsmClientCertificates",
                    "redshift:describeHsmConfigurations",
                    "redshift:describeInboundIntegrations",
                    "redshift:describeLoggingStatus",
                    "redshift:describeNodeConfigurationOptions",
                    "redshift:describeOrderableClusterOptions",
                    "redshift:describeRedshiftIdcApplications",
                    "redshift:describeReservedNodeOfferings",
                    "redshift:describeReservedNodes",
                    "redshift:describeResize",
                    "redshift:describeSnapshotCopyGrants",
                    "redshift:describeSnapshotSchedules",
                    "redshift:describeStorage",
                    "redshift:describeTableRestoreStatus",
                    "redshift:describeTags",
                    "redshift:describeUsageLimits",
                    "rekognition:listCollections",
                    "rekognition:listFaces",
                    "resiliencehub:describeApp",
                    "resiliencehub:describeAppAssessment",
                    "resiliencehub:describeAppVersion",
                    "resiliencehub:describeAppVersionAppComponent",
                    "resiliencehub:describeAppVersionResource",
                    "resiliencehub:describeAppVersionResourcesResolutionStatus",
                    "resiliencehub:describeAppVersionTemplate",
                    "resiliencehub:describeDraftAppVersionResourcesImportStatus",
                    "resiliencehub:describeResiliencyPolicy",
                    "resiliencehub:describeResourceGroupingRecommendationTask",
                    "resiliencehub:listAlarmRecommendations",
                    "resiliencehub:listAppAssessmentComplianceDrifts",
                    "resiliencehub:listAppAssessmentResourceDrifts",
                    "resiliencehub:listAppAssessments",
                    "resiliencehub:listAppComponentCompliances",
                    "resiliencehub:listAppComponentRecommendations",
                    "resiliencehub:listAppInputSources",
                    "resiliencehub:listApps",
                    "resiliencehub:listAppVersionAppComponents",
                    "resiliencehub:listAppVersionResourceMappings",
                    "resiliencehub:listAppVersionResources",
                    "resiliencehub:listAppVersions",
                    "resiliencehub:listRecommendationTemplates",
                    "resiliencehub:listResiliencyPolicies",
                    "resiliencehub:listResourceGroupingRecommendations",
                    "resiliencehub:listSopRecommendations",
                    "resiliencehub:listSuggestedResiliencyPolicies",
                    "resiliencehub:listTestRecommendations",
                    "resiliencehub:listUnsupportedAppVersionResources",
                    "resource-explorer-2:getAccountLevelServiceConfiguration",
                    "resource-explorer-2:getIndex",
                    "resource-explorer-2:getView",
                    "resource-explorer-2:listIndexes",
                    "resource-explorer-2:listViews",
                    "resource-explorer-2:search",
                    "resource-groups:getGroup",
                    "resource-groups:getGroupQuery",
                    "resource-groups:getTags",
                    "resource-groups:listGroupResources",
                    "resource-groups:listGroups",
                    "resource-groups:searchResources",
                    "robomaker:batchDescribeSimulationJob",
                    "robomaker:describeDeploymentJob",
                    "robomaker:describeFleet",
                    "robomaker:describeRobot",
                    "robomaker:describeRobotApplication",
                    "robomaker:describeSimulationApplication",
                    "robomaker:describeSimulationJob",
                    "robomaker:listDeploymentJobs",
                    "robomaker:listFleets",
                    "robomaker:listRobotApplications",
                    "robomaker:listRobots",
                    "robomaker:listSimulationApplications",
                    "robomaker:listSimulationJobs",
                    "rolesanywhere:getProfile",
                    "rolesanywhere:getTrustAnchor",
                    "rolesanywhere:listProfiles",
                    "rolesanywhere:listTrustAnchors",
                    "route53-recovery-cluster:getRoutingControlState",
                    "route53-recovery-cluster:listRoutingControls",
                    "route53-recovery-control-config:describeControlPanel",
                    "route53-recovery-control-config:describeRoutingControl",
                    "route53-recovery-control-config:describeSafetyRule",
                    "route53-recovery-control-config:listControlPanels",
                    "route53-recovery-control-config:listRoutingControls",
                    "route53-recovery-control-config:listSafetyRules",
                    "route53-recovery-readiness:getCell",
                    "route53-recovery-readiness:getCellReadinessSummary",
                    "route53-recovery-readiness:getReadinessCheck",
                    "route53-recovery-readiness:getReadinessCheckResourceStatus",
                    "route53-recovery-readiness:getReadinessCheckStatus",
                    "route53-recovery-readiness:getRecoveryGroup",
                    "route53-recovery-readiness:getRecoveryGroupReadinessSummary",
                    "route53-recovery-readiness:listCells",
                    "route53-recovery-readiness:listReadinessChecks",
                    "route53-recovery-readiness:listRecoveryGroups",
                    "route53-recovery-readiness:listResourceSets",
                    "route53:getAccountLimit",
                    "route53:getChange",
                    "route53:getCheckerIpRanges",
                    "route53:getDNSSEC",
                    "route53:getGeoLocation",
                    "route53:getHealthCheck",
                    "route53:getHealthCheckCount",
                    "route53:getHealthCheckLastFailureReason",
                    "route53:getHealthCheckStatus",
                    "route53:getHostedZone",
                    "route53:getHostedZoneCount",
                    "route53:getHostedZoneLimit",
                    "route53:getQueryLoggingConfig",
                    "route53:getReusableDelegationSet",
                    "route53:getTrafficPolicy",
                    "route53:getTrafficPolicyInstance",
                    "route53:getTrafficPolicyInstanceCount",
                    "route53:listCidrBlocks",
                    "route53:listCidrCollections",
                    "route53:listCidrLocations",
                    "route53:listGeoLocations",
                    "route53:listHealthChecks",
                    "route53:listHostedZones",
                    "route53:listHostedZonesByName",
                    "route53:listHostedZonesByVpc",
                    "route53:listQueryLoggingConfigs",
                    "route53:listResourceRecordSets",
                    "route53:listReusableDelegationSets",
                    "route53:listTrafficPolicies",
                    "route53:listTrafficPolicyInstances",
                    "route53:listTrafficPolicyInstancesByHostedZone",
                    "route53:listTrafficPolicyInstancesByPolicy",
                    "route53:listTrafficPolicyVersions",
                    "route53:listVPCAssociationAuthorizations",
                    "route53domains:checkDomainAvailability",
                    "route53domains:getContactReachabilityStatus",
                    "route53domains:getDomainDetail",
                    "route53domains:getOperationDetail",
                    "route53domains:listDomains",
                    "route53domains:listOperations",
                    "route53domains:listPrices",
                    "route53domains:listTagsForDomain",
                    "route53domains:viewBilling",
                    "route53profiles:getProfile",
                    "route53profiles:getProfileAssociation",
                    "route53profiles:getProfileResourceAssociation",
                    "route53profiles:listProfileAssociations",
                    "route53profiles:listProfileResourceAssociations",
                    "route53profiles:listProfiles",
                    "route53profiles:listTagsForResource",
                    "route53resolver:getFirewallConfig",
                    "route53resolver:getFirewallDomainList",
                    "route53resolver:getFirewallRuleGroup",
                    "route53resolver:getFirewallRuleGroupAssociation",
                    "route53resolver:getFirewallRuleGroupPolicy",
                    "route53resolver:getOutpostResolver",
                    "route53resolver:getResolverDnssecConfig",
                    "route53resolver:getResolverQueryLogConfig",
                    "route53resolver:getResolverQueryLogConfigAssociation",
                    "route53resolver:getResolverQueryLogConfigPolicy",
                    "route53resolver:getResolverRule",
                    "route53resolver:getResolverRuleAssociation",
                    "route53resolver:getResolverRulePolicy",
                    "route53resolver:listFirewallConfigs",
                    "route53resolver:listFirewallDomainLists",
                    "route53resolver:listFirewallDomains",
                    "route53resolver:listFirewallRuleGroupAssociations",
                    "route53resolver:listFirewallRuleGroups",
                    "route53resolver:listFirewallRules",
                    "route53resolver:listOutpostResolvers",
                    "route53resolver:listResolverConfigs",
                    "route53resolver:listResolverDnssecConfigs",
                    "route53resolver:listResolverEndpointIpAddresses",
                    "route53resolver:listResolverEndpoints",
                    "route53resolver:listResolverQueryLogConfigAssociations",
                    "route53resolver:listResolverQueryLogConfigs",
                    "route53resolver:listResolverRuleAssociations",
                    "route53resolver:listResolverRules",
                    "route53resolver:listTagsForResource",
                    "rum:batchGetRumMetricDefinitions",
                    "rum:getAppMonitor",
                    "rum:listAppMonitors",
                    "rum:listRumMetricsDestinations",
                    "s3-outposts:listEndpoints",
                    "s3-outposts:listOutpostsWithS3",
                    "s3-outposts:listRegionalBuckets",
                    "s3-outposts:listSharedEndpoints",
                    "s3:describeJob",
                    "s3:describeMultiRegionAccessPointOperation",
                    "s3:getAccelerateConfiguration",
                    "s3:getAccessGrant",
                    "s3:getAccessGrantsInstance",
                    "s3:getAccessGrantsInstanceResourcePolicy",
                    "s3:getAccessGrantsLocation",
                    "s3:getAccessPoint",
                    "s3:getAccessPointConfigurationForObjectLambda",
                    "s3:getAccessPointForObjectLambda",
                    "s3:getAccessPointPolicy",
                    "s3:getAccessPointPolicyForObjectLambda",
                    "s3:getAccessPointPolicyStatus",
                    "s3:getAccessPointPolicyStatusForObjectLambda",
                    "s3:getAccountPublicAccessBlock",
                    "s3:getAnalyticsConfiguration",
                    "s3:getBucketAcl",
                    "s3:getBucketCORS",
                    "s3:getBucketLocation",
                    "s3:getBucketLogging",
                    "s3:getBucketNotification",
                    "s3:getBucketObjectLockConfiguration",
                    "s3:getBucketOwnershipControls",
                    "s3:getBucketPolicy",
                    "s3:getBucketPolicyStatus",
                    "s3:getBucketPublicAccessBlock",
                    "s3:getBucketRequestPayment",
                    "s3:getBucketVersioning",
                    "s3:getBucketWebsite",
                    "s3:getEncryptionConfiguration",
                    "s3:getIntelligentTieringConfiguration",
                    "s3:getInventoryConfiguration",
                    "s3:getLifecycleConfiguration",
                    "s3:getMetricsConfiguration",
                    "s3:getMultiRegionAccessPoint",
                    "s3:getMultiRegionAccessPointPolicy",
                    "s3:getMultiRegionAccessPointPolicyStatus",
                    "s3:getMultiRegionAccessPointRoutes",
                    "s3:getObjectAcl",
                    "s3:getObjectLegalHold",
                    "s3:getObjectRetention",
                    "s3:getReplicationConfiguration",
                    "s3:getStorageLensConfiguration",
                    "s3:listAccessGrants",
                    "s3:listAccessGrantsInstances",
                    "s3:listAccessGrantsLocations",
                    "s3:listAccessPoints",
                    "s3:listAccessPointsForObjectLambda",
                    "s3:listAllMyBuckets",
                    "s3:listBucket",
                    "s3:listBucketMultipartUploads",
                    "s3:listBucketVersions",
                    "s3:listJobs",
                    "s3:listMultipartUploadParts",
                    "s3:listMultiRegionAccessPoints",
                    "s3:listStorageLensConfigurations",
                    "s3express:getBucketPolicy",
                    "s3express:listAllMyDirectoryBuckets",
                    "s3tables:getNamespace",
                    "s3tables:getTable",
                    "s3tables:getTableBucket",
                    "s3tables:getTableBucketEncryption",
                    "s3tables:getTableBucketMaintenanceConfiguration",
                    "s3tables:getTableBucketPolicy",
                    "s3tables:getTableEncryption",
                    "s3tables:getTableMaintenanceConfiguration",
                    "s3tables:getTableMaintenanceJobStatus",
                    "s3tables:getTableMetadataLocation",
                    "s3tables:getTablePolicy",
                    "s3tables:listNamespaces",
                    "s3tables:listTableBuckets",
                    "s3tables:listTables",
                    "s3vectors:getIndex",
                    "s3vectors:getVectorBucket",
                    "s3vectors:getVectorBucketPolicy",
                    "s3vectors:listIndexes",
                    "s3vectors:listVectorBuckets",
                    "sagemaker:describeAction",
                    "sagemaker:describeAlgorithm",
                    "sagemaker:describeApp",
                    "sagemaker:describeAppImageConfig",
                    "sagemaker:describeArtifact",
                    "sagemaker:describeAutoMLJob",
                    "sagemaker:describeCluster",
                    "sagemaker:describeClusterNode",
                    "sagemaker:describeCodeRepository",
                    "sagemaker:describeCompilationJob",
                    "sagemaker:describeContext",
                    "sagemaker:describeDataQualityJobDefinition",
                    "sagemaker:describeDevice",
                    "sagemaker:describeDeviceFleet",
                    "sagemaker:describeDomain",
                    "sagemaker:describeEdgeDeploymentPlan",
                    "sagemaker:describeEdgePackagingJob",
                    "sagemaker:describeEndpoint",
                    "sagemaker:describeEndpointConfig",
                    "sagemaker:describeExperiment",
                    "sagemaker:describeFeatureGroup",
                    "sagemaker:describeFeatureMetadata",
                    "sagemaker:describeFlowDefinition",
                    "sagemaker:describeHub",
                    "sagemaker:describeHubContent",
                    "sagemaker:describeHumanTaskUi",
                    "sagemaker:describeHyperParameterTuningJob",
                    "sagemaker:describeImage",
                    "sagemaker:describeImageVersion",
                    "sagemaker:describeInferenceComponent",
                    "sagemaker:describeInferenceExperiment",
                    "sagemaker:describeInferenceRecommendationsJob",
                    "sagemaker:describeLabelingJob",
                    "sagemaker:describeMlflowTrackingServer",
                    "sagemaker:describeModel",
                    "sagemaker:describeModelBiasJobDefinition",
                    "sagemaker:describeModelCard",
                    "sagemaker:describeModelCardExportJob",
                    "sagemaker:describeModelExplainabilityJobDefinition",
                    "sagemaker:describeModelPackage",
                    "sagemaker:describeModelPackageGroup",
                    "sagemaker:describeModelQualityJobDefinition",
                    "sagemaker:describeMonitoringSchedule",
                    "sagemaker:describeNotebookInstance",
                    "sagemaker:describeNotebookInstanceLifecycleConfig",
                    "sagemaker:describePipeline",
                    "sagemaker:describePipelineDefinitionForExecution",
                    "sagemaker:describePipelineExecution",
                    "sagemaker:describePartnerApp",
                    "sagemaker:describeProcessingJob",
                    "sagemaker:describeProject",
                    "sagemaker:describeSpace",
                    "sagemaker:describeStudioLifecycleConfig",
                    "sagemaker:describeSubscribedWorkteam",
                    "sagemaker:describeTrainingJob",
                    "sagemaker:describeTransformJob",
                    "sagemaker:describeTrial",
                    "sagemaker:describeTrialComponent",
                    "sagemaker:describeUserProfile",
                    "sagemaker:describeWorkforce",
                    "sagemaker:describeWorkteam",
                    "sagemaker:getDeviceFleetReport",
                    "sagemaker:getModelPackageGroupPolicy",
                    "sagemaker:getSagemakerServicecatalogPortfolioStatus",
                    "sagemaker:listActions",
                    "sagemaker:listAlgorithms",
                    "sagemaker:listAliases",
                    "sagemaker:listAppImageConfigs",
                    "sagemaker:listApps",
                    "sagemaker:listArtifacts",
                    "sagemaker:listAssociations",
                    "sagemaker:listAutoMLJobs",
                    "sagemaker:listCandidatesForAutoMLJob",
                    "sagemaker:listClusterNodes",
                    "sagemaker:listClusters",
                    "sagemaker:listCodeRepositories",
                    "sagemaker:listCompilationJobs",
                    "sagemaker:listContexts",
                    "sagemaker:listDataQualityJobDefinitions",
                    "sagemaker:listDeviceFleets",
                    "sagemaker:listDevices",
                    "sagemaker:listDomains",
                    "sagemaker:listEdgeDeploymentPlans",
                    "sagemaker:listEdgePackagingJobs",
                    "sagemaker:listEndpointConfigs",
                    "sagemaker:listEndpoints",
                    "sagemaker:listExperiments",
                    "sagemaker:listFeatureGroups",
                    "sagemaker:listFlowDefinitions",
                    "sagemaker:listHubContents",
                    "sagemaker:listHubContentVersions",
                    "sagemaker:listHubs",
                    "sagemaker:listHumanTaskUis",
                    "sagemaker:listHyperParameterTuningJobs",
                    "sagemaker:listImages",
                    "sagemaker:listImageVersions",
                    "sagemaker:listInferenceComponents",
                    "sagemaker:listInferenceExperiments",
                    "sagemaker:listInferenceRecommendationsJobs",
                    "sagemaker:listInferenceRecommendationsJobSteps",
                    "sagemaker:listLabelingJobs",
                    "sagemaker:listLabelingJobsForWorkteam",
                    "sagemaker:listLineageGroups",
                    "sagemaker:listMlflowTrackingServers",
                    "sagemaker:listModelBiasJobDefinitions",
                    "sagemaker:listModelCardExportJobs",
                    "sagemaker:listModelCards",
                    "sagemaker:listModelCardVersions",
                    "sagemaker:listModelExplainabilityJobDefinitions",
                    "sagemaker:listModelMetadata",
                    "sagemaker:listModelPackageGroups",
                    "sagemaker:listModelPackages",
                    "sagemaker:listModelQualityJobDefinitions",
                    "sagemaker:listModels",
                    "sagemaker:listMonitoringAlertHistory",
                    "sagemaker:listMonitoringAlerts",
                    "sagemaker:listMonitoringExecutions",
                    "sagemaker:listMonitoringSchedules",
                    "sagemaker:listNotebookInstanceLifecycleConfigs",
                    "sagemaker:listNotebookInstances",
                    "sagemaker:listPartnerApps",
                    "sagemaker:listPipelineExecutions",
                    "sagemaker:listPipelineExecutionSteps",
                    "sagemaker:listPipelineParametersForExecution",
                    "sagemaker:listPipelines",
                    "sagemaker:listProcessingJobs",
                    "sagemaker:listProjects",
                    "sagemaker:listSpaces",
                    "sagemaker:listStageDevices",
                    "sagemaker:listStudioLifecycleConfigs",
                    "sagemaker:listSubscribedWorkteams",
                    "sagemaker:listTags",
                    "sagemaker:listTrainingJobs",
                    "sagemaker:listTrainingJobsForHyperParameterTuningJob",
                    "sagemaker:listTransformJobs",
                    "sagemaker:listTrialComponents",
                    "sagemaker:listTrials",
                    "sagemaker:listUserProfiles",
                    "sagemaker:listWorkforces",
                    "sagemaker:listWorkteams",
                    "savingsplans:describeSavingsPlans",
                    "scheduler:getSchedule",
                    "scheduler:getScheduleGroup",
                    "scheduler:listScheduleGroups",
                    "scheduler:listSchedules",
                    "schemas:describeCodeBinding",
                    "schemas:describeDiscoverer",
                    "schemas:describeRegistry",
                    "schemas:describeSchema",
                    "schemas:getCodeBindingSource",
                    "schemas:getDiscoveredSchema",
                    "schemas:getResourcePolicy",
                    "schemas:listDiscoverers",
                    "schemas:listRegistries",
                    "schemas:listSchemas",
                    "schemas:listSchemaVersions",
                    "sdb:domainMetadata",
                    "sdb:listDomains",
                    "secretsmanager:describeSecret",
                    "secretsmanager:getResourcePolicy",
                    "secretsmanager:listSecrets",
                    "secretsmanager:listSecretVersionIds",
                    "securityhub:batchGetAutomationRules",
                    "securityhub:batchGetConfigurationPolicyAssociations",
                    "securityhub:describeHub",
                    "securityhub:describeOrganizationConfiguration",
                    "securityhub:getConfigurationPolicy",
                    "securityhub:getConfigurationPolicyAssociation",
                    "securityhub:getEnabledStandards",
                    "securityhub:getFindingAggregator",
                    "securityhub:getFindingHistory",
                    "securityhub:getFindings",
                    "securityhub:getInsightResults",
                    "securityhub:getInsights",
                    "securityhub:getMasterAccount",
                    "securityhub:getMembers",
                    "securityhub:listAutomationRules",
                    "securityhub:listConfigurationPolicies",
                    "securityhub:listConfigurationPolicyAssociations",
                    "securityhub:listEnabledProductsForImport",
                    "securityhub:listFindingAggregators",
                    "securityhub:listInvitations",
                    "securityhub:listMembers",
                    "securitylake:getDataLakeExceptionSubscription",
                    "securitylake:getDataLakeOrganizationConfiguration",
                    "securitylake:getDataLakeSources",
                    "securitylake:getSubscriber",
                    "securitylake:listDataLakeExceptions",
                    "securitylake:listDataLakes",
                    "securitylake:listLogSources",
                    "securitylake:listSubscribers",
                    "serverlessrepo:getApplication",
                    "serverlessrepo:getApplicationPolicy",
                    "serverlessrepo:getCloudFormationTemplate",
                    "serverlessrepo:listApplicationDependencies",
                    "serverlessrepo:listApplications",
                    "serverlessrepo:listApplicationVersions",
                    "servicecatalog:describeConstraint",
                    "servicecatalog:describePortfolio",
                    "servicecatalog:describeProduct",
                    "servicecatalog:describeProductAsAdmin",
                    "servicecatalog:describeProductView",
                    "servicecatalog:describeProvisioningArtifact",
                    "servicecatalog:describeProvisioningParameters",
                    "servicecatalog:describeRecord",
                    "servicecatalog:listAcceptedPortfolioShares",
                    "servicecatalog:listConstraintsForPortfolio",
                    "servicecatalog:listLaunchPaths",
                    "servicecatalog:listPortfolioAccess",
                    "servicecatalog:listPortfolios",
                    "servicecatalog:listPortfoliosForProduct",
                    "servicecatalog:listPrincipalsForPortfolio",
                    "servicecatalog:listProvisioningArtifacts",
                    "servicecatalog:listRecordHistory",
                    "servicecatalog:scanProvisionedProducts",
                    "servicecatalog:searchProducts",
                    "servicequotas:getAssociationForServiceQuotaTemplate",
                    "servicequotas:getAWSDefaultServiceQuota",
                    "servicequotas:getRequestedServiceQuotaChange",
                    "servicequotas:getServiceQuota",
                    "servicequotas:getServiceQuotaIncreaseRequestFromTemplate",
                    "servicequotas:listAWSDefaultServiceQuotas",
                    "servicequotas:listRequestedServiceQuotaChangeHistory",
                    "servicequotas:listRequestedServiceQuotaChangeHistoryByQuota",
                    "servicequotas:listServiceQuotaIncreaseRequestsInTemplate",
                    "servicequotas:listServiceQuotas",
                    "servicequotas:listServices",
                    "ses:batchGetMetricData",
                    "ses:describeActiveReceiptRuleSet",
                    "ses:describeConfigurationSet",
                    "ses:describeReceiptRule",
                    "ses:describeReceiptRuleSet",
                    "ses:getAccount",
                    "ses:getAccountSendingEnabled",
                    "ses:getAddonInstance",
                    "ses:getAddonSubscription",
                    "ses:getArchive",
                    "ses:getArchiveExport",
                    "ses:getArchiveSearch",
                    "ses:getBlacklistReports",
                    "ses:getConfigurationSet",
                    "ses:getConfigurationSetEventDestinations",
                    "ses:getContactList",
                    "ses:getDedicatedIp",
                    "ses:getDedicatedIpPool",
                    "ses:getDedicatedIps",
                    "ses:getDeliverabilityDashboardOptions",
                    "ses:getDeliverabilityTestReport",
                    "ses:getDomainDeliverabilityCampaign",
                    "ses:getDomainStatisticsReport",
                    "ses:getEmailIdentity",
                    "ses:getIdentityDkimAttributes",
                    "ses:getIdentityMailFromDomainAttributes",
                    "ses:getIdentityNotificationAttributes",
                    "ses:getIdentityPolicies",
                    "ses:getIdentityVerificationAttributes",
                    "ses:getImportJob",
                    "ses:getIngressPoint",
                    "ses:getMessageInsights",
                    "ses:getRelay",
                    "ses:getRuleSet",
                    "ses:getTrafficPolicy",
                    "ses:getSendQuota",
                    "ses:getSendStatistics",
                    "ses:listConfigurationSets",
                    "ses:listAddonInstances",
                    "ses:listAddonSubscriptions",
                    "ses:listArchiveExports",
                    "ses:listArchives",
                    "ses:listArchiveSearches",
                    "ses:listContactLists",
                    "ses:listContacts",
                    "ses:listCustomVerificationEmailTemplates",
                    "ses:listDedicatedIpPools",
                    "ses:listDeliverabilityTestReports",
                    "ses:listDomainDeliverabilityCampaigns",
                    "ses:listEmailIdentities",
                    "ses:listEmailTemplates",
                    "ses:listIdentities",
                    "ses:listIdentityPolicies",
                    "ses:listImportJobs",
                    "ses:listIngressPoints",
                    "ses:listReceiptFilters",
                    "ses:listReceiptRuleSets",
                    "ses:listRelays",
                    "ses:listRuleSets",
                    "ses:listRecommendations",
                    "ses:listTagsForResource",
                    "ses:listTemplates",
                    "ses:listTrafficPolicies",
                    "ses:listVerifiedEmailAddresses",
                    "shield:describeAttack",
                    "shield:describeProtection",
                    "shield:describeSubscription",
                    "shield:listAttacks",
                    "shield:listProtections",
                    "signer:describeSigningJob",
                    "signer:getRevocationStatus",
                    "signer:getSigningPlatform",
                    "signer:getSigningProfile",
                    "signer:listProfilePermissions",
                    "signer:listSigningJobs",
                    "signer:listSigningPlatforms",
                    "signer:listSigningProfiles",
                    "sms-voice:getConfigurationSetEventDestinations",
                    "sms:getConnectors",
                    "sms:getReplicationJobs",
                    "sms:getReplicationRuns",
                    "sms:getServers",
                    "snowball:describeAddress",
                    "snowball:describeAddresses",
                    "snowball:describeJob",
                    "snowball:getSnowballUsage",
                    "snowball:listJobs",
                    "snowball:listServiceVersions",
                    "sns:checkIfPhoneNumberIsOptedOut",
                    "sns:getDataProtectionPolicy",
                    "sns:getEndpointAttributes",
                    "sns:getPlatformApplicationAttributes",
                    "sns:getSMSAttributes",
                    "sns:getSMSSandboxAccountStatus",
                    "sns:getSubscriptionAttributes",
                    "sns:getTopicAttributes",
                    "sns:listEndpointsByPlatformApplication",
                    "sns:listOriginationNumbers",
                    "sns:listPhoneNumbersOptedOut",
                    "sns:listPlatformApplications",
                    "sns:listSMSSandboxPhoneNumbers",
                    "sns:listSubscriptions",
                    "sns:listSubscriptionsByTopic",
                    "sns:listTopics",
                    "sqs:getQueueAttributes",
                    "sqs:getQueueUrl",
                    "sqs:listDeadLetterSourceQueues",
                    "sqs:listMessageMoveTasks",
                    "sqs:listQueues",
                    "ssm-contacts:describeEngagement",
                    "ssm-contacts:describePage",
                    "ssm-contacts:getContact",
                    "ssm-contacts:getContactChannel",
                    "ssm-contacts:getContactPolicy",
                    "ssm-contacts:getRotation",
                    "ssm-contacts:getRotationOverride",
                    "ssm-contacts:listContactChannels",
                    "ssm-contacts:listContacts",
                    "ssm-contacts:listEngagements",
                    "ssm-contacts:listPageReceipts",
                    "ssm-contacts:listPageResolutions",
                    "ssm-contacts:listPagesByContact",
                    "ssm-contacts:listPagesByEngagement",
                    "ssm-contacts:listPreviewRotationShifts",
                    "ssm-contacts:listRotationOverrides",
                    "ssm-contacts:listRotations",
                    "ssm-contacts:listRotationShifts",
                    "ssm-incidents:batchGetIncidentFindings",
                    "ssm-incidents:getIncidentRecord",
                    "ssm-incidents:getReplicationSet",
                    "ssm-incidents:getResourcePolicies",
                    "ssm-incidents:getResponsePlan",
                    "ssm-incidents:getTimelineEvent",
                    "ssm-incidents:listIncidentFindings",
                    "ssm-incidents:listIncidentRecords",
                    "ssm-incidents:listRelatedItems",
                    "ssm-incidents:listReplicationSets",
                    "ssm-incidents:listResponsePlans",
                    "ssm-incidents:listTimelineEvents",
                    "ssm-quicksetup:getConfiguration",
                    "ssm-quicksetup:getConfigurationManager",
                    "ssm-quicksetup:getServiceSettings",
                    "ssm-quicksetup:listConfigurationManagers",
                    "ssm-quicksetup:listConfigurations",
                    "ssm-quicksetup:listQuickSetupTypes",
                    "ssm-sap:getApplication",
                    "ssm-sap:getComponent",
                    "ssm-sap:getDatabase",
                    "ssm-sap:getOperation",
                    "ssm-sap:getResourcePermission",
                    "ssm-sap:listApplications",
                    "ssm-sap:listComponents",
                    "ssm-sap:listDatabases",
                    "ssm-sap:listOperations",
                    "ssm:describeActivations",
                    "ssm:describeAssociation",
                    "ssm:describeAssociationExecutions",
                    "ssm:describeAssociationExecutionTargets",
                    "ssm:describeAutomationExecutions",
                    "ssm:describeAutomationStepExecutions",
                    "ssm:describeAvailablePatches",
                    "ssm:describeDocument",
                    "ssm:describeDocumentPermission",
                    "ssm:describeEffectiveInstanceAssociations",
                    "ssm:describeEffectivePatchesForPatchBaseline",
                    "ssm:describeInstanceAssociationsStatus",
                    "ssm:describeInstanceInformation",
                    "ssm:describeInstancePatches",
                    "ssm:describeInstancePatchStates",
                    "ssm:describeInstancePatchStatesForPatchGroup",
                    "ssm:describeInstanceProperties",
                    "ssm:describeInventoryDeletions",
                    "ssm:describeMaintenanceWindowExecutions",
                    "ssm:describeMaintenanceWindowExecutionTaskInvocations",
                    "ssm:describeMaintenanceWindowExecutionTasks",
                    "ssm:describeMaintenanceWindows",
                    "ssm:describeMaintenanceWindowSchedule",
                    "ssm:describeMaintenanceWindowsForTarget",
                    "ssm:describeMaintenanceWindowTargets",
                    "ssm:describeMaintenanceWindowTasks",
                    "ssm:describeOpsItems",
                    "ssm:describeParameters",
                    "ssm:describePatchBaselines",
                    "ssm:describePatchGroups",
                    "ssm:describePatchGroupState",
                    "ssm:describePatchProperties",
                    "ssm:describeSessions",
                    "ssm:getAutomationExecution",
                    "ssm:getCalendarState",
                    "ssm:getCommandInvocation",
                    "ssm:getConnectionStatus",
                    "ssm:getDefaultPatchBaseline",
                    "ssm:getDeployablePatchSnapshotForInstance",
                    "ssm:getInventorySchema",
                    "ssm:getMaintenanceWindow",
                    "ssm:getMaintenanceWindowExecution",
                    "ssm:getMaintenanceWindowExecutionTask",
                    "ssm:getMaintenanceWindowExecutionTaskInvocation",
                    "ssm:getMaintenanceWindowTask",
                    "ssm:getOpsItem",
                    "ssm:getOpsMetadata",
                    "ssm:getOpsSummary",
                    "ssm:getPatchBaseline",
                    "ssm:getPatchBaselineForPatchGroup",
                    "ssm:getResourcePolicies",
                    "ssm:getServiceSetting",
                    "ssm:listAssociations",
                    "ssm:listAssociationVersions",
                    "ssm:listCommandInvocations",
                    "ssm:listCommands",
                    "ssm:listComplianceItems",
                    "ssm:listComplianceSummaries",
                    "ssm:listDocumentMetadataHistory",
                    "ssm:listDocuments",
                    "ssm:listDocumentVersions",
                    "ssm:listNodes",
                    "ssm:listNodesSummary",
                    "ssm:listOpsItemEvents",
                    "ssm:listOpsItemRelatedItems",
                    "ssm:listOpsMetadata",
                    "ssm:listResourceComplianceSummaries",
                    "ssm:listResourceDataSync",
                    "ssm:listTagsForResource",
                    "sso:describeApplication",
                    "sso:describeApplicationAssignment",
                    "sso:describeApplicationProvider",
                    "sso:describeAccountAssignmentCreationStatus",
                    "sso:describeAccountAssignmentDeletionStatus",
                    "sso:describeInstance",
                    "sso:describeInstanceAccessControlAttributeConfiguration",
                    "sso:describePermissionSet",
                    "sso:describePermissionSetProvisioningStatus",
                    "sso:describeTrustedTokenIssuer",
                    "sso:getApplicationAccessScope",
                    "sso:getApplicationAssignmentConfiguration",
                    "sso:getApplicationAuthenticationMethod",
                    "sso:getApplicationGrant",
                    "sso:getApplicationInstance",
                    "sso:getApplicationTemplate",
                    "sso:getInlinePolicyForPermissionSet",
                    "sso:getManagedApplicationInstance",
                    "sso:getPermissionsBoundaryForPermissionSet",
                    "sso:getSharedSsoConfiguration",
                    "sso:listApplicationAccessScopes",
                    "sso:listApplicationAssignments",
                    "sso:listApplicationAuthenticationMethods",
                    "sso:listApplicationGrants",
                    "sso:listApplicationInstances",
                    "sso:listApplicationProviders",
                    "sso:listApplications",
                    "sso:listApplicationTemplates",
                    "sso:listAccountAssignmentCreationStatus",
                    "sso:listAccountAssignmentDeletionStatus",
                    "sso:listAccountAssignments",
                    "sso:listAccountAssignmentsForPrincipal",
                    "sso:listAccountsForProvisionedPermissionSet",
                    "sso:listApplicationAssignmentsForPrincipal",
                    "sso:listCustomerManagedPolicyReferencesInPermissionSet",
                    "sso:listDirectoryAssociations",
                    "sso:listInstances",
                    "sso:listManagedPoliciesInPermissionSet",
                    "sso:listPermissionSetProvisioningStatus",
                    "sso:listPermissionSets",
                    "sso:listPermissionSetsProvisionedToAccount",
                    "sso:listProfileAssociations",
                    "sso:listTrustedTokenIssuers",
                    "states:describeActivity",
                    "states:describeExecution",
                    "states:describeMapRun",
                    "states:describeStateMachine",
                    "states:describeStateMachineAlias",
                    "states:describeStateMachineForExecution",
                    "states:getExecutionHistory",
                    "states:listActivities",
                    "states:listExecutions",
                    "states:listMapRuns",
                    "states:listStateMachineAliases",
                    "states:listStateMachines",
                    "states:listStateMachineVersions",
                    "storagegateway:describeBandwidthRateLimit",
                    "storagegateway:describeCache",
                    "storagegateway:describeCachediSCSIVolumes",
                    "storagegateway:describeFileSystemAssociations",
                    "storagegateway:describeGatewayInformation",
                    "storagegateway:describeMaintenanceStartTime",
                    "storagegateway:describeNFSFileShares",
                    "storagegateway:describeSMBFileShares",
                    "storagegateway:describeSMBSettings",
                    "storagegateway:describeSnapshotSchedule",
                    "storagegateway:describeStorediSCSIVolumes",
                    "storagegateway:describeTapeArchives",
                    "storagegateway:describeTapeRecoveryPoints",
                    "storagegateway:describeTapes",
                    "storagegateway:describeUploadBuffer",
                    "storagegateway:describeVTLDevices",
                    "storagegateway:describeWorkingStorage",
                    "storagegateway:listAutomaticTapeCreationPolicies",
                    "storagegateway:listFileShares",
                    "storagegateway:listFileSystemAssociations",
                    "storagegateway:listGateways",
                    "storagegateway:listLocalDisks",
                    "storagegateway:listTagsForResource",
                    "storagegateway:listTapes",
                    "storagegateway:listVolumeInitiators",
                    "storagegateway:listVolumeRecoveryPoints",
                    "storagegateway:listVolumes",
                    "sts:getCallerIdentity",
                    "swf:countClosedWorkflowExecutions",
                    "swf:countOpenWorkflowExecutions",
                    "swf:countPendingActivityTasks",
                    "swf:countPendingDecisionTasks",
                    "swf:describeActivityType",
                    "swf:describeDomain",
                    "swf:describeWorkflowExecution",
                    "swf:describeWorkflowType",
                    "swf:getWorkflowExecutionHistory",
                    "swf:listActivityTypes",
                    "swf:listClosedWorkflowExecutions",
                    "swf:listDomains",
                    "swf:listOpenWorkflowExecutions",
                    "swf:listWorkflowTypes",
                    "synthetics:describeCanaries",
                    "synthetics:describeCanariesLastRun",
                    "synthetics:describeRuntimeVersions",
                    "synthetics:getCanary",
                    "synthetics:getCanaryRuns",
                    "synthetics:getGroup",
                    "synthetics:listAssociatedGroups",
                    "synthetics:listGroupResources",
                    "synthetics:listGroups",
                    "tax:getTaxInheritance",
                    "tax:getTaxRegistration",
                    "thinclient:getDevice",
                    "thinclient:getEnvironment",
                    "thinclient:getSoftwareSet",
                    "thinclient:listDevices",
                    "thinclient:listEnvironments",
                    "thinclient:listSoftwareSets",
                    "timestream:describeAccountSettings",
                    "timestream:describeBatchLoadTask",
                    "timestream:describeDatabase",
                    "timestream:describeEndpoints",
                    "timestream:describeScheduledQuery",
                    "timestream:describeTable",
                    "timestream:listBatchLoadTasks",
                    "timestream:listDatabases",
                    "timestream:listScheduledQueries",
                    "timestream:listTables",
                    "tiros:createQuery",
                    "tiros:getQueryAnswer",
                    "tiros:getQueryExplanation",
                    "tnb:getSolFunctionInstance",
                    "tnb:getSolFunctionPackage",
                    "tnb:getSolNetworkInstance",
                    "tnb:getSolNetworkOperation",
                    "tnb:getSolNetworkPackage",
                    "tnb:listSolFunctionInstances",
                    "tnb:listSolFunctionPackages",
                    "tnb:listSolNetworkInstances",
                    "tnb:listSolNetworkOperations",
                    "tnb:listSolNetworkPackages",
                    "transcribe:describeLanguageModel",
                    "transcribe:getCallAnalyticsCategory",
                    "transcribe:getCallAnalyticsJob",
                    "transcribe:getMedicalTranscriptionJob",
                    "transcribe:getMedicalVocabulary",
                    "transcribe:getTranscriptionJob",
                    "transcribe:getVocabulary",
                    "transcribe:getVocabularyFilter",
                    "transcribe:listCallAnalyticsCategories",
                    "transcribe:listCallAnalyticsJobs",
                    "transcribe:listLanguageModels",
                    "transcribe:listMedicalTranscriptionJobs",
                    "transcribe:listMedicalVocabularies",
                    "transcribe:listTranscriptionJobs",
                    "transcribe:listVocabularies",
                    "transcribe:listVocabularyFilters",
                    "transfer:describeAccess",
                    "transfer:describeAgreement",
                    "transfer:describeConnector",
                    "transfer:describeExecution",
                    "transfer:describeProfile",
                    "transfer:describeServer",
                    "transfer:describeUser",
                    "transfer:describeWebApp",
                    "transfer:describeWebAppCustomization",
                    "transfer:describeWorkflow",
                    "transfer:listAccesses",
                    "transfer:listAgreements",
                    "transfer:listConnectors",
                    "transfer:listExecutions",
                    "transfer:listHostKeys",
                    "transfer:listProfiles",
                    "transfer:listServers",
                    "transfer:listTagsForResource",
                    "transfer:listUsers",
                    "transfer:listWebApps",
                    "transfer:listWorkflows",
                    "transfer:sendWorkflowStepState",
                    "trustedadvisor:getOrganizationRecommendation",
                    "trustedadvisor:getRecommendation",
                    "trustedadvisor:listChecks",
                    "trustedadvisor:listOrganizationRecommendationAccounts",
                    "trustedadvisor:listOrganizationRecommendationResources",
                    "trustedadvisor:listOrganizationRecommendations",
                    "trustedadvisor:listRecommendationResources",
                    "trustedadvisor:listRecommendations",
                    "verifiedpermissions:getIdentitySource",
                    "verifiedpermissions:getPolicy",
                    "verifiedpermissions:getPolicyStore",
                    "verifiedpermissions:getPolicyTemplate",
                    "verifiedpermissions:getSchema",
                    "verifiedpermissions:listIdentitySources",
                    "verifiedpermissions:listPolicies",
                    "verifiedpermissions:listPolicyStores",
                    "verifiedpermissions:listPolicyTemplates",
                    "vpc-lattice:getAccessLogSubscription",
                    "vpc-lattice:getAuthPolicy",
                    "vpc-lattice:getListener",
                    "vpc-lattice:getResourceConfiguration",
                    "vpc-lattice:getResourceGateway",
                    "vpc-lattice:getResourcePolicy",
                    "vpc-lattice:getRule",
                    "vpc-lattice:getService",
                    "vpc-lattice:getServiceNetwork",
                    "vpc-lattice:getServiceNetworkResourceAssociation",
                    "vpc-lattice:getServiceNetworkServiceAssociation",
                    "vpc-lattice:getServiceNetworkVpcAssociation",
                    "vpc-lattice:getTargetGroup",
                    "vpc-lattice:listAccessLogSubscriptions",
                    "vpc-lattice:listListeners",
                    "vpc-lattice:listResourceConfigurations",
                    "vpc-lattice:listResourceGateways",
                    "vpc-lattice:listRules",
                    "vpc-lattice:listServiceNetworks",
                    "vpc-lattice:listServiceNetworkResourceAssociations",
                    "vpc-lattice:listServiceNetworkServiceAssociations",
                    "vpc-lattice:listServiceNetworkVpcAssociations",
                    "vpc-lattice:listServices",
                    "vpc-lattice:listTargetGroups",
                    "vpc-lattice:listTargets",
                    "waf-regional:getByteMatchSet",
                    "waf-regional:getChangeTokenStatus",
                    "waf-regional:getGeoMatchSet",
                    "waf-regional:getIPSet",
                    "waf-regional:getLoggingConfiguration",
                    "waf-regional:getRateBasedRule",
                    "waf-regional:getRegexMatchSet",
                    "waf-regional:getRegexPatternSet",
                    "waf-regional:getRule",
                    "waf-regional:getRuleGroup",
                    "waf-regional:getSqlInjectionMatchSet",
                    "waf-regional:getWebACL",
                    "waf-regional:getWebACLForResource",
                    "waf-regional:listActivatedRulesInRuleGroup",
                    "waf-regional:listByteMatchSets",
                    "waf-regional:listGeoMatchSets",
                    "waf-regional:listIPSets",
                    "waf-regional:listLoggingConfigurations",
                    "waf-regional:listRateBasedRules",
                    "waf-regional:listRegexMatchSets",
                    "waf-regional:listRegexPatternSets",
                    "waf-regional:listResourcesForWebACL",
                    "waf-regional:listRuleGroups",
                    "waf-regional:listRules",
                    "waf-regional:listSqlInjectionMatchSets",
                    "waf-regional:listWebACLs",
                    "waf:getByteMatchSet",
                    "waf:getChangeTokenStatus",
                    "waf:getGeoMatchSet",
                    "waf:getIPSet",
                    "waf:getLoggingConfiguration",
                    "waf:getRateBasedRule",
                    "waf:getRegexMatchSet",
                    "waf:getRegexPatternSet",
                    "waf:getRule",
                    "waf:getRuleGroup",
                    "waf:getSampledRequests",
                    "waf:getSizeConstraintSet",
                    "waf:getSqlInjectionMatchSet",
                    "waf:getWebACL",
                    "waf:getXssMatchSet",
                    "waf:listActivatedRulesInRuleGroup",
                    "waf:listByteMatchSets",
                    "waf:listGeoMatchSets",
                    "waf:listIPSets",
                    "waf:listLoggingConfigurations",
                    "waf:listRateBasedRules",
                    "waf:listRegexMatchSets",
                    "waf:listRegexPatternSets",
                    "waf:listRuleGroups",
                    "waf:listRules",
                    "waf:listSizeConstraintSets",
                    "waf:listSqlInjectionMatchSets",
                    "waf:listWebACLs",
                    "waf:listXssMatchSets",
                    "wafv2:checkCapacity",
                    "wafv2:describeManagedRuleGroup",
                    "wafv2:getIPSet",
                    "wafv2:getLoggingConfiguration",
                    "wafv2:getPermissionPolicy",
                    "wafv2:getRateBasedStatementManagedKeys",
                    "wafv2:getRegexPatternSet",
                    "wafv2:getRuleGroup",
                    "wafv2:getSampledRequests",
                    "wafv2:getWebACL",
                    "wafv2:getWebACLForResource",
                    "wafv2:listAvailableManagedRuleGroups",
                    "wafv2:listIPSets",
                    "wafv2:listLoggingConfigurations",
                    "wafv2:listRegexPatternSets",
                    "wafv2:listResourcesForWebACL",
                    "wafv2:listRuleGroups",
                    "wafv2:listTagsForResource",
                    "wafv2:listWebACLs",
                    "workdocs:checkAlias",
                    "workdocs:describeAvailableDirectories",
                    "workdocs:describeInstances",
                    "workmail:describeGroup",
                    "workmail:describeOrganization",
                    "workmail:describeResource",
                    "workmail:describeUser",
                    "workmail:listAliases",
                    "workmail:listGroupMembers",
                    "workmail:listGroups",
                    "workmail:listMailboxPermissions",
                    "workmail:listOrganizations",
                    "workmail:listResourceDelegates",
                    "workmail:listResources",
                    "workmail:listUsers",
                    "workspaces-web:getBrowserSettings",
                    "workspaces-web:getIdentityProvider",
                    "workspaces-web:getNetworkSettings",
                    "workspaces-web:getPortal",
                    "workspaces-web:getPortalServiceProviderMetadata",
                    "workspaces-web:getTrustStoreCertificate",
                    "workspaces-web:getUserSettings",
                    "workspaces-web:listBrowserSettings",
                    "workspaces-web:listIdentityProviders",
                    "workspaces-web:listNetworkSettings",
                    "workspaces-web:listPortals",
                    "workspaces-web:listTagsForResource",
                    "workspaces-web:listTrustStoreCertificates",
                    "workspaces-web:listTrustStores",
                    "workspaces-web:listUserSettings",
                    "workspaces:describeAccount",
                    "workspaces:describeAccountModifications",
                    "workspaces:describeApplicationAssociations",
                    "workspaces:describeIpGroups",
                    "workspaces:describeTags",
                    "workspaces:describeWorkspaceAssociations",
                    "workspaces:describeWorkspaceBundles",
                    "workspaces:describeWorkspaceDirectories",
                    "workspaces:describeWorkspaceImages",
                    "workspaces:describeWorkspaces",
                    "workspaces:describeWorkspaceSnapshots",
                    "workspaces:describeWorkspacesConnectionStatus",
                    "workspaces:describeWorkspacesPools",
                    "workspaces:describeWorkspacesPoolSessions",
                    "xray:getEncryptionConfig",
                    "xray:getGroup",
                    "xray:getGroups",
                    "xray:getInsightImpactGraph",
                    "xray:getSamplingRules",
                    "xray:getSamplingStatisticSummaries",
                    "xray:getSamplingTargets",
                    "xray:getServiceGraph",
                    "xray:getTimeSeriesServiceStatistics",
                    "xray:getTraceGraph",
                    "xray:listResourcePolicies"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "*"
                  ]
                }
              ],
              "Version": "2012-10-17"
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "AWSSupportServiceRolePolicy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege**: avoid attaching AWS-managed policies that grant `*:*`.\n- Use **customer-managed, scoped policies** per role\n- Enforce **separation of duties** and **permissions boundaries**\n- Prefer **temporary, time-bound elevation** for emergencies with MFA\n- Regularly review access and use conditions to constrain context",
      "references": [
        "https://hub.prowler.com/check/iam_aws_attached_policy_no_administrative_privileges"
      ]
    },
    "risk_details": "**Unrestricted `*:*` access** enables any action on any resource, risking:\n- Data exfiltration (**confidentiality**)\n- Unauthorized changes and policy tampering (**integrity**)\n- Service deletion or shutdown (**availability**)\nAttackers can disable logging, create backdoor principals, and expand lateral movement.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS policy AWSResourceExplorerServiceRolePolicy is attached but does not allow '*:*' administrative privileges.",
    "metadata": {
      "event_code": "iam_aws_attached_policy_no_administrative_privileges",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "AWS policy AWSResourceExplorerServiceRolePolicy is attached but does not allow '*:*' administrative privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html",
        "https://support.icompaas.com/support/solutions/articles/62000233815-ensure-iam-roles-do-not-have-administratoraccess-policy-attached",
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_b",
          "164_308_a_3_i",
          "164_308_a_3_ii_b",
          "164_308_a_4_i",
          "164_308_a_4_ii_b",
          "164_308_a_4_ii_c",
          "164_312_a_1"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-3"
        ],
        "CIS-6.0": [
          "2.15"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_2_6",
          "ac_2_i_2",
          "ac_3",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_7",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_5_b",
          "ac_6",
          "ac_6_2",
          "ac_6_3",
          "ac_6_10",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "mp_2",
          "sc_23_3",
          "sc_25"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN01.AR01",
          "CCC.IAM.CN01.AR02",
          "CCC.IAM.CN02.AR01",
          "CCC.IAM.CN02.AR02",
          "CCC.IAM.CN04.AR01"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_1"
        ],
        "CIS-2.0": [
          "1.16"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-16"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-3"
        ],
        "FFIEC": [
          "d3-pc-am-b-1",
          "d3-pc-am-b-16",
          "d3-pc-am-b-2",
          "d3-pc-am-b-3",
          "d3-pc-am-b-6",
          "d3-pc-im-b-7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.3.1"
        ],
        "CIS-4.0.1": [
          "1.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP02"
        ],
        "CIS-3.0": [
          "1.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_1_3",
          "cc_6_3"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "OIS-04.01AC",
          "SP-01.04B",
          "HR-01.01B",
          "IAM-01.01B",
          "IAM-01.04B"
        ],
        "ISO27001-2022": [
          "A.5.18",
          "A.8.2"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.1"
        ],
        "SecNumCloud-3.2": [
          "9.1"
        ],
        "CIS-1.4": [
          "1.16"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2",
          "ac_3",
          "ac_5",
          "ac_6",
          "sc_2"
        ],
        "NIST-CSF-1.1": [
          "ac_1",
          "ac_4",
          "pt_3"
        ],
        "CIS-5.0": [
          "1.15"
        ],
        "CIS-1.5": [
          "1.16"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1",
          "ac_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ac-3",
          "ac-5-c",
          "ac-6-10",
          "ac-6",
          "sc-2"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_1_4",
          "3_1_5",
          "3_1_6",
          "3_1_7",
          "3_4_6",
          "3_13_3"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.1",
          "op.acc.4.aws.iam.2",
          "op.acc.4.aws.iam.9",
          "op.exp.8.r4.aws.ct.8"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1648",
          "T1098",
          "T1578",
          "T1550",
          "T1040",
          "T1580",
          "T1538",
          "T1619",
          "T1201"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM AWS-managed policies** attached to identities are inspected for statements that allow `Action:'*'` on `Resource:'*'`, i.e., full administrative `*:*` permissions.",
      "title": "Attached AWS-managed IAM policy does not allow '*:*' administrative privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_aws_attached_policy_no_administrative_privileges-211203495394-us-east-1-AWSResourceExplorerServiceRolePolicy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "AWSResourceExplorerServiceRolePolicy",
            "arn": "arn:aws:iam::aws:policy/aws-service-role/AWSResourceExplorerServiceRolePolicy",
            "entity": "ANPAZKAPJZG4K2H54PAUL",
            "version_id": "v50",
            "type": "AWS",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "ResourceExplorerAccess",
                  "Effect": "Allow",
                  "Action": [
                    "resource-explorer-2:UpdateIndexType",
                    "resource-explorer-2:CreateIndex",
                    "resource-explorer-2:CreateView",
                    "resource-explorer-2:AssociateDefaultView",
                    "resource-explorer-2:DeleteIndex"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "OrganizationsAccess",
                  "Effect": "Allow",
                  "Action": [
                    "organizations:DescribeAccount",
                    "organizations:DescribeOrganization",
                    "organizations:ListAWSServiceAccessForOrganization",
                    "organizations:ListAccounts",
                    "organizations:ListDelegatedAdministrators",
                    "organizations:ListOrganizationalUnitsForParent",
                    "organizations:ListRoots"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "CloudTrailEventsAccess",
                  "Effect": "Allow",
                  "Action": [
                    "cloudtrail:CreateServiceLinkedChannel",
                    "cloudtrail:GetServiceLinkedChannel"
                  ],
                  "Resource": "arn:aws:cloudtrail:*:*:channel/aws-service-channel/resource-explorer-2/*"
                },
                {
                  "Sid": "ApiGatewayAccess",
                  "Effect": "Allow",
                  "Action": "apigateway:GET",
                  "Resource": [
                    "arn:aws:apigateway:*::/restapis",
                    "arn:aws:apigateway:*::/restapis/*",
                    "arn:aws:apigateway:*::/restapis/*/deployments",
                    "arn:aws:apigateway:*::/restapis/*/deployments/*",
                    "arn:aws:apigateway:*::/restapis/*/resources",
                    "arn:aws:apigateway:*::/restapis/*/resources/*",
                    "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*",
                    "arn:aws:apigateway:*::/restapis/*/stages",
                    "arn:aws:apigateway:*::/restapis/*/stages/*",
                    "arn:aws:apigateway:*::/vpclinks",
                    "arn:aws:apigateway:*::/apis",
                    "arn:aws:apigateway:*::/apis/*/routes",
                    "arn:aws:apigateway:*::/apis/*/stages",
                    "arn:aws:apigateway:*::/apis/*",
                    "arn:aws:apigateway:*::/apis/*/routes/*",
                    "arn:aws:apigateway:*::/apis/*/stages/*",
                    "arn:aws:apigateway:*::/apis/*/integrations",
                    "arn:aws:apigateway:*::/apis/*/integrations/*"
                  ]
                },
                {
                  "Sid": "ResourceInventoryAccess",
                  "Effect": "Allow",
                  "Action": [
                    "access-analyzer:ListAnalyzers",
                    "acm-pca:ListCertificateAuthorities",
                    "acm:ListCertificates",
                    "airflow:ListEnvironments",
                    "amplify:ListApps",
                    "amplify:ListBranches",
                    "amplify:ListDomainAssociations",
                    "aoss:ListCollections",
                    "app-integrations:ListApplications",
                    "app-integrations:ListEventIntegrations",
                    "appconfig:ListApplications",
                    "appconfig:ListDeploymentStrategies",
                    "appconfig:ListEnvironments",
                    "appconfig:ListExtensionAssociations",
                    "appflow:ListFlows",
                    "appmesh:ListGatewayRoutes",
                    "appmesh:ListMeshes",
                    "appmesh:ListRoutes",
                    "appmesh:ListVirtualGateways",
                    "appmesh:ListVirtualNodes",
                    "appmesh:ListVirtualRouters",
                    "appmesh:ListVirtualServices",
                    "apprunner:ListAutoScalingConfigurations",
                    "apprunner:ListConnections",
                    "apprunner:ListServices",
                    "apprunner:ListVpcConnectors",
                    "appstream:DescribeAppBlocks",
                    "appstream:DescribeApplications",
                    "appstream:DescribeFleets",
                    "appstream:DescribeImageBuilders",
                    "appstream:DescribeStacks",
                    "appsync:ListGraphqlApis",
                    "aps:ListRuleGroupsNamespaces",
                    "aps:ListWorkspaces",
                    "athena:ListDataCatalogs",
                    "athena:ListWorkGroups",
                    "auditmanager:GetAccountStatus",
                    "auditmanager:ListAssessments",
                    "autoscaling:DescribeAutoScalingGroups",
                    "backup-gateway:ListHypervisors",
                    "backup:ListBackupPlans",
                    "backup:ListBackupVaults",
                    "backup:ListRecoveryPointsByBackupVault",
                    "backup:ListReportPlans",
                    "batch:DescribeComputeEnvironments",
                    "batch:DescribeJobDefinitions",
                    "batch:DescribeJobQueues",
                    "batch:ListSchedulingPolicies",
                    "bedrock-agentcore:ListAgentRuntimes",
                    "bedrock:ListAgentAliases",
                    "bedrock:ListAgents",
                    "bedrock:ListDataAutomationProjects",
                    "bedrock:ListFlowAliases",
                    "bedrock:ListFlows",
                    "bedrock:ListGuardrails",
                    "bedrock:ListInferenceProfiles",
                    "bedrock:ListKnowledgeBases",
                    "bedrock:ListPromptRouters",
                    "bedrock:ListPrompts",
                    "budgets:DescribeBudgetActionsForAccount",
                    "budgets:ViewBudget",
                    "ce:GetAnomalyMonitors",
                    "ce:GetAnomalySubscriptions",
                    "chime:ListAppInstanceBots",
                    "chime:ListAppInstanceUsers",
                    "chime:ListAppInstances",
                    "chime:ListMediaInsightsPipelineConfigurations",
                    "chime:ListMediaPipelineKinesisVideoStreamPools",
                    "chime:ListMediaPipelines",
                    "chime:ListSipMediaApplications",
                    "chime:ListVoiceConnectors",
                    "cleanrooms:ListCollaborations",
                    "cloud9:ListEnvironments",
                    "cloudformation:ListResources",
                    "cloudformation:ListStackSets",
                    "cloudformation:ListStacks",
                    "cloudfront:ListCachePolicies",
                    "cloudfront:ListCloudFrontOriginAccessIdentities",
                    "cloudfront:ListContinuousDeploymentPolicies",
                    "cloudfront:ListDistributions",
                    "cloudfront:ListFieldLevelEncryptionConfigs",
                    "cloudfront:ListFieldLevelEncryptionProfiles",
                    "cloudfront:ListFunctions",
                    "cloudfront:ListOriginAccessControls",
                    "cloudfront:ListOriginRequestPolicies",
                    "cloudfront:ListRealtimeLogConfigs",
                    "cloudfront:ListResponseHeadersPolicies",
                    "cloudfront:ListTagsForResource",
                    "cloudtrail:ListChannels",
                    "cloudtrail:ListDashboards",
                    "cloudtrail:ListEventDataStores",
                    "cloudtrail:ListTrails",
                    "cloudwatch:DescribeAlarms",
                    "cloudwatch:DescribeInsightRules",
                    "cloudwatch:ListDashboards",
                    "cloudwatch:ListMetricStreams",
                    "codeartifact:ListDomains",
                    "codeartifact:ListRepositories",
                    "codebuild:ListProjects",
                    "codecommit:ListRepositories",
                    "codeconnections:ListConnections",
                    "codeconnections:ListHosts",
                    "codedeploy:ListApplications",
                    "codedeploy:ListDeploymentConfigs",
                    "codeguru-profiler:ListProfilingGroups",
                    "codeguru-reviewer:ListRepositoryAssociations",
                    "codepipeline:ListPipelines",
                    "codepipeline:ListWebhooks",
                    "codestar-connections:ListConnections",
                    "codestar-connections:ListHosts",
                    "cognito-identity:ListIdentityPools",
                    "cognito-idp:ListUserPools",
                    "comprehend:ListDocumentClassifiers",
                    "comprehend:ListEntityRecognizers",
                    "comprehend:ListFlywheels",
                    "config:DescribeConfigRules",
                    "connect:ListEvaluationForms",
                    "connect:ListHoursOfOperations",
                    "connect:ListInstanceAttributes",
                    "connect:ListInstances",
                    "connect:ListPhoneNumbersV2",
                    "connect:ListPrompts",
                    "connect:ListQueueQuickConnects",
                    "connect:ListQueues",
                    "connect:ListQuickConnects",
                    "connect:ListRoutingProfileManualAssignmentQueues",
                    "connect:ListRoutingProfileQueues",
                    "connect:ListRoutingProfiles",
                    "connect:ListRules",
                    "connect:ListSecurityProfiles",
                    "connect:ListTaskTemplates",
                    "connect:ListUsers",
                    "databrew:ListDatasets",
                    "databrew:ListJobs",
                    "databrew:ListProjects",
                    "databrew:ListRecipes",
                    "databrew:ListRulesets",
                    "databrew:ListSchedules",
                    "dataexchange:ListDataSetRevisions",
                    "dataexchange:ListDataSets",
                    "datapipeline:ListPipelines",
                    "datasync:ListLocations",
                    "datasync:ListTasks",
                    "dax:DescribeClusters",
                    "detective:ListGraphs",
                    "devicefarm:ListInstanceProfiles",
                    "devicefarm:ListProjects",
                    "devicefarm:ListTestGridProjects",
                    "directconnect:DescribeDirectConnectGateways",
                    "dlm:GetLifecyclePolicies",
                    "dms:DescribeCertificates",
                    "dms:DescribeEndpoints",
                    "dms:DescribeEventSubscriptions",
                    "dms:DescribeReplicationInstances",
                    "dms:DescribeReplicationSubnetGroups",
                    "dms:DescribeReplicationTasks",
                    "ds:DescribeDirectories",
                    "dynamodb:ListTables",
                    "ec2:DescribeAddresses",
                    "ec2:DescribeCapacityReservationFleets",
                    "ec2:DescribeCapacityReservations",
                    "ec2:DescribeCarrierGateways",
                    "ec2:DescribeClientVpnEndpoints",
                    "ec2:DescribeCustomerGateways",
                    "ec2:DescribeDhcpOptions",
                    "ec2:DescribeEgressOnlyInternetGateways",
                    "ec2:DescribeFleets",
                    "ec2:DescribeFlowLogs",
                    "ec2:DescribeFpgaImages",
                    "ec2:DescribeHostReservations",
                    "ec2:DescribeHosts",
                    "ec2:DescribeImages",
                    "ec2:DescribeInstanceConnectEndpoints",
                    "ec2:DescribeInstanceEventWindows",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInternetGateways",
                    "ec2:DescribeIpamPools",
                    "ec2:DescribeIpamResourceDiscoveries",
                    "ec2:DescribeIpamResourceDiscoveryAssociations",
                    "ec2:DescribeIpamScopes",
                    "ec2:DescribeIpams",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeLaunchTemplates",
                    "ec2:DescribeManagedPrefixLists",
                    "ec2:DescribeNatGateways",
                    "ec2:DescribeNetworkAcls",
                    "ec2:DescribeNetworkInsightsAccessScopeAnalyses",
                    "ec2:DescribeNetworkInsightsAccessScopes",
                    "ec2:DescribeNetworkInsightsAnalyses",
                    "ec2:DescribeNetworkInsightsPaths",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribePlacementGroups",
                    "ec2:DescribePublicIpv4Pools",
                    "ec2:DescribeReservedInstances",
                    "ec2:DescribeRouteTables",
                    "ec2:DescribeSecurityGroupRules",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeSnapshots",
                    "ec2:DescribeSpotFleetRequests",
                    "ec2:DescribeSpotInstanceRequests",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeTags",
                    "ec2:DescribeTrafficMirrorFilters",
                    "ec2:DescribeTrafficMirrorSessions",
                    "ec2:DescribeTrafficMirrorTargets",
                    "ec2:DescribeTransitGatewayAttachments",
                    "ec2:DescribeTransitGatewayConnectPeers",
                    "ec2:DescribeTransitGatewayMulticastDomains",
                    "ec2:DescribeTransitGatewayPolicyTables",
                    "ec2:DescribeTransitGatewayRouteTableAnnouncements",
                    "ec2:DescribeTransitGatewayRouteTables",
                    "ec2:DescribeTransitGateways",
                    "ec2:DescribeVerifiedAccessEndpoints",
                    "ec2:DescribeVerifiedAccessGroups",
                    "ec2:DescribeVerifiedAccessInstances",
                    "ec2:DescribeVerifiedAccessTrustProviders",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeVpcBlockPublicAccessExclusions",
                    "ec2:DescribeVpcEndpointServiceConfigurations",
                    "ec2:DescribeVpcEndpoints",
                    "ec2:DescribeVpcPeeringConnections",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeVpnConnections",
                    "ec2:DescribeVpnGateways",
                    "ec2:GetSubnetCidrReservations",
                    "ecr-public:DescribeRepositories",
                    "ecr:DescribeRepositories",
                    "ecs:DescribeCapacityProviders",
                    "ecs:DescribeServices",
                    "ecs:ListClusters",
                    "ecs:ListContainerInstances",
                    "ecs:ListServices",
                    "ecs:ListTaskDefinitions",
                    "eks:DescribeAccessEntry",
                    "eks:DescribeAddon",
                    "eks:DescribeFargateProfile",
                    "eks:DescribeIdentityProviderConfig",
                    "eks:DescribeNodegroup",
                    "eks:ListAccessEntries",
                    "eks:ListAddons",
                    "eks:ListClusters",
                    "eks:ListEksAnywhereSubscriptions",
                    "eks:ListFargateProfiles",
                    "eks:ListIdentityProviderConfigs",
                    "eks:ListNodegroups",
                    "eks:ListPodIdentityAssociations",
                    "elasticache:DescribeCacheClusters",
                    "elasticache:DescribeCacheParameterGroups",
                    "elasticache:DescribeCacheSubnetGroups",
                    "elasticache:DescribeGlobalReplicationGroups",
                    "elasticache:DescribeReplicationGroups",
                    "elasticache:DescribeReservedCacheNodes",
                    "elasticache:DescribeSnapshots",
                    "elasticache:DescribeUserGroups",
                    "elasticache:DescribeUsers",
                    "elasticbeanstalk:DescribeApplicationVersions",
                    "elasticbeanstalk:DescribeApplications",
                    "elasticbeanstalk:DescribeEnvironments",
                    "elasticfilesystem:DescribeAccessPoints",
                    "elasticfilesystem:DescribeFileSystems",
                    "elasticloadbalancing:DescribeListeners",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:DescribeRules",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "elasticmapreduce:ListClusters",
                    "emr-containers:ListJobTemplates",
                    "emr-containers:ListManagedEndpoints",
                    "emr-containers:ListSecurityConfigurations",
                    "emr-containers:ListVirtualClusters",
                    "emr-serverless:ListApplications",
                    "es:ListDomainNames",
                    "events:ListApiDestinations",
                    "events:ListArchives",
                    "events:ListConnections",
                    "events:ListEndpoints",
                    "events:ListEventBuses",
                    "events:ListRules",
                    "evidently:ListExperiments",
                    "evidently:ListFeatures",
                    "evidently:ListLaunches",
                    "evidently:ListProjects",
                    "finspace:ListEnvironments",
                    "firehose:ListDeliveryStreams",
                    "fis:ListExperimentTemplates",
                    "fis:ListExperiments",
                    "fms:ListPolicies",
                    "fms:ListProtocolsLists",
                    "forecast:ListDatasetGroups",
                    "forecast:ListDatasetImportJobs",
                    "forecast:ListDatasets",
                    "forecast:ListForecastExportJobs",
                    "forecast:ListForecasts",
                    "forecast:ListPredictorBacktestExportJobs",
                    "forecast:ListPredictors",
                    "frauddetector:GetDetectors",
                    "frauddetector:GetEntityTypes",
                    "frauddetector:GetEventTypes",
                    "frauddetector:GetExternalModels",
                    "frauddetector:GetLabels",
                    "frauddetector:GetModels",
                    "frauddetector:GetOutcomes",
                    "frauddetector:GetVariables",
                    "fsx:DescribeBackups",
                    "fsx:DescribeFileSystems",
                    "gamelift:DescribeGameSessionQueues",
                    "gamelift:DescribeMatchmakingConfigurations",
                    "gamelift:DescribeMatchmakingRuleSets",
                    "gamelift:ListAliases",
                    "gamelift:ListBuilds",
                    "gamelift:ListLocations",
                    "gamelift:ListScripts",
                    "geo:ListMaps",
                    "geo:ListPlaceIndexes",
                    "geo:ListTrackers",
                    "glacier:ListVaults",
                    "globalaccelerator:ListAccelerators",
                    "globalaccelerator:ListEndpointGroups",
                    "globalaccelerator:ListListeners",
                    "glue:GetCrawlers",
                    "glue:GetDatabases",
                    "glue:GetJobs",
                    "glue:GetTables",
                    "glue:GetTriggers",
                    "glue:ListDataQualityRulesets",
                    "glue:ListMLTransforms",
                    "glue:ListRegistries",
                    "grafana:ListWorkspaces",
                    "greengrass:ListComponentVersions",
                    "greengrass:ListComponents",
                    "greengrass:ListConnectorDefinitions",
                    "greengrass:ListCoreDefinitions",
                    "greengrass:ListDeviceDefinitions",
                    "greengrass:ListFunctionDefinitions",
                    "greengrass:ListGroups",
                    "greengrass:ListLoggerDefinitions",
                    "greengrass:ListResourceDefinitions",
                    "greengrass:ListSubscriptionDefinitions",
                    "groundstation:ListConfigs",
                    "groundstation:ListDataflowEndpointGroups",
                    "groundstation:ListMissionProfiles",
                    "guardduty:ListDetectors",
                    "guardduty:ListFilters",
                    "guardduty:ListIPSets",
                    "guardduty:ListMalwareProtectionPlans",
                    "guardduty:ListPublishingDestinations",
                    "guardduty:ListThreatIntelSets",
                    "healthlake:ListFHIRDatastores",
                    "iam:ListGroups",
                    "iam:ListInstanceProfiles",
                    "iam:ListOpenIDConnectProviders",
                    "iam:ListPolicies",
                    "iam:ListRoles",
                    "iam:ListSAMLProviders",
                    "iam:ListServerCertificates",
                    "iam:ListUsers",
                    "iam:ListVirtualMFADevices",
                    "imagebuilder:ListComponentBuildVersions",
                    "imagebuilder:ListComponents",
                    "imagebuilder:ListContainerRecipes",
                    "imagebuilder:ListDistributionConfigurations",
                    "imagebuilder:ListImageBuildVersions",
                    "imagebuilder:ListImagePipelines",
                    "imagebuilder:ListImageRecipes",
                    "imagebuilder:ListImages",
                    "imagebuilder:ListInfrastructureConfigurations",
                    "inspector2:ListFilters",
                    "inspector:ListAssessmentTemplates",
                    "iot:ListAuthorizers",
                    "iot:ListBillingGroups",
                    "iot:ListCACertificates",
                    "iot:ListCertificates",
                    "iot:ListFleetMetrics",
                    "iot:ListJobTemplates",
                    "iot:ListJobs",
                    "iot:ListMitigationActions",
                    "iot:ListPolicies",
                    "iot:ListProvisioningTemplates",
                    "iot:ListRoleAliases",
                    "iot:ListScheduledAudits",
                    "iot:ListSecurityProfiles",
                    "iot:ListThingGroups",
                    "iot:ListThingTypes",
                    "iot:ListThings",
                    "iot:ListTopicRuleDestinations",
                    "iot:ListTopicRules",
                    "iotanalytics:ListChannels",
                    "iotanalytics:ListDatasets",
                    "iotanalytics:ListDatastores",
                    "iotanalytics:ListPipelines",
                    "iotdeviceadvisor:ListSuiteDefinitions",
                    "iotevents:ListAlarmModels",
                    "iotevents:ListDetectorModels",
                    "iotevents:ListInputs",
                    "iotfleethub:ListApplications",
                    "iotfleetwise:ListDecoderManifests",
                    "iotfleetwise:ListModelManifests",
                    "iotfleetwise:ListSignalCatalogs",
                    "iotfleetwise:ListVehicles",
                    "iotsitewise:ListAccessPolicies",
                    "iotsitewise:ListAssetModels",
                    "iotsitewise:ListAssets",
                    "iotsitewise:ListDashboards",
                    "iotsitewise:ListGateways",
                    "iotsitewise:ListPortals",
                    "iotsitewise:ListProjects",
                    "iottwinmaker:ListComponentTypes",
                    "iottwinmaker:ListEntities",
                    "iottwinmaker:ListSyncJobs",
                    "iottwinmaker:ListWorkspaces",
                    "iotwireless:ListDestinations",
                    "iotwireless:ListDeviceProfiles",
                    "iotwireless:ListFuotaTasks",
                    "iotwireless:ListMulticastGroups",
                    "iotwireless:ListPartnerAccounts",
                    "iotwireless:ListServiceProfiles",
                    "iotwireless:ListWirelessDevices",
                    "iotwireless:ListWirelessGatewayTaskDefinitions",
                    "iotwireless:ListWirelessGateways",
                    "ivs:ListChannels",
                    "ivs:ListEncoderConfigurations",
                    "ivs:ListIngestConfigurations",
                    "ivs:ListPlaybackKeyPairs",
                    "ivs:ListPlaybackRestrictionPolicies",
                    "ivs:ListRecordingConfigurations",
                    "ivs:ListStorageConfigurations",
                    "ivs:ListStreamKeys",
                    "ivschat:ListLoggingConfigurations",
                    "ivschat:ListRooms",
                    "ivschat:ListTagsForResource",
                    "kafka:ListClusters",
                    "kafka:ListConfigurations",
                    "kendra-ranking:ListRescoreExecutionPlans",
                    "kendra:ListAccessControlConfigurations",
                    "kendra:ListDataSources",
                    "kendra:ListExperiences",
                    "kendra:ListFaqs",
                    "kendra:ListFeaturedResultsSets",
                    "kendra:ListIndices",
                    "kendra:ListQuerySuggestionsBlockLists",
                    "kendra:ListThesauri",
                    "kinesis:ListStreams",
                    "kinesisanalytics:ListApplications",
                    "kinesisvideo:ListSignalingChannels",
                    "kinesisvideo:ListStreams",
                    "kms:ListKeys",
                    "lambda:ListCodeSigningConfigs",
                    "lambda:ListEventSourceMappings",
                    "lambda:ListFunctions",
                    "lambda:ListLayerVersions",
                    "lambda:ListLayers",
                    "lambda:ListVersionsByFunction",
                    "lex:ListBotAliases",
                    "lex:ListBots",
                    "license-manager:ListDistributedGrants",
                    "lightsail:GetBuckets",
                    "lightsail:GetCertificates",
                    "lightsail:GetContainerServices",
                    "lightsail:GetDisks",
                    "logs:DescribeDestinations",
                    "logs:DescribeLogGroups",
                    "logs:ListTagsForResource",
                    "lookoutmetrics:ListAlerts",
                    "lookoutmetrics:ListAnomalyDetectors",
                    "lookoutvision:ListProjects",
                    "m2:ListEnvironments",
                    "macie2:ListAllowLists",
                    "macie2:ListCustomDataIdentifiers",
                    "macie2:ListFindingsFilters",
                    "macie2:ListMembers",
                    "managedblockchain:ListAccessors",
                    "mediaconnect:ListFlows",
                    "mediaconnect:ListGateways",
                    "mediapackage-vod:ListAssets",
                    "mediapackage-vod:ListPackagingConfigurations",
                    "mediapackage-vod:ListPackagingGroups",
                    "mediapackage:ListChannels",
                    "mediapackage:ListOriginEndpoints",
                    "mediastore:ListContainers",
                    "mediatailor:ListChannels",
                    "mediatailor:ListLiveSources",
                    "mediatailor:ListPlaybackConfigurations",
                    "mediatailor:ListSourceLocations",
                    "mediatailor:ListVodSources",
                    "memorydb:DescribeACLs",
                    "memorydb:DescribeClusters",
                    "memorydb:DescribeParameterGroups",
                    "memorydb:DescribeSnapshots",
                    "memorydb:DescribeSubnetGroups",
                    "memorydb:DescribeUsers",
                    "mobiletargeting:GetApps",
                    "mobiletargeting:GetCampaigns",
                    "mobiletargeting:GetSegments",
                    "mobiletargeting:ListTemplates",
                    "mq:ListBrokers",
                    "mq:ListConfigurations",
                    "network-firewall:ListFirewallPolicies",
                    "network-firewall:ListFirewalls",
                    "network-firewall:ListRuleGroups",
                    "networkmanager:DescribeGlobalNetworks",
                    "networkmanager:GetDevices",
                    "networkmanager:GetLinks",
                    "networkmanager:ListAttachments",
                    "networkmanager:ListCoreNetworks",
                    "oam:ListSinks",
                    "omics:ListReferenceStores",
                    "omics:ListRunGroups",
                    "omics:ListWorkflows",
                    "outposts:ListSites",
                    "organizations:DescribeResourcePolicy",
                    "organizations:ListPolicies",
                    "panorama:ListDevices",
                    "panorama:ListPackages",
                    "partnercentral:ListEngagementInvitations",
                    "partnercentral:ListEngagements",
                    "partnercentral:ListOpportunities",
                    "partnercentral:ListResourceSnapshotJobs",
                    "partnercentral:ListResourceSnapshots",
                    "personalize:ListDatasetGroups",
                    "personalize:ListDatasets",
                    "personalize:ListSchemas",
                    "personalize:ListSolutions",
                    "pipes:ListPipes",
                    "profile:ListDomains",
                    "profile:ListIntegrations",
                    "profile:ListProfileObjectTypes",
                    "proton:ListEnvironmentAccountConnections",
                    "proton:ListEnvironmentTemplates",
                    "proton:ListServiceTemplates",
                    "qldb:ListJournalKinesisStreamsForLedger",
                    "qldb:ListLedgers",
                    "quicksight:DescribeAccountSubscription",
                    "quicksight:ListDataSets",
                    "quicksight:ListDataSources",
                    "quicksight:ListTemplates",
                    "quicksight:ListThemes",
                    "ram:GetResourceShares",
                    "ram:ListPermissions",
                    "rds:DescribeBlueGreenDeployments",
                    "rds:DescribeDBClusterEndpoints",
                    "rds:DescribeDBClusterParameterGroups",
                    "rds:DescribeDBClusterSnapshots",
                    "rds:DescribeDBClusters",
                    "rds:DescribeDBEngineVersions",
                    "rds:DescribeDBInstanceAutomatedBackups",
                    "rds:DescribeDBInstances",
                    "rds:DescribeDBParameterGroups",
                    "rds:DescribeDBProxies",
                    "rds:DescribeDBProxyEndpoints",
                    "rds:DescribeDBSecurityGroups",
                    "rds:DescribeDBSnapshots",
                    "rds:DescribeDBSubnetGroups",
                    "rds:DescribeEventSubscriptions",
                    "rds:DescribeGlobalClusters",
                    "rds:DescribeOptionGroups",
                    "rds:DescribeReservedDBInstances",
                    "redshift:DescribeClusterParameterGroups",
                    "redshift:DescribeClusterSnapshots",
                    "redshift:DescribeClusterSubnetGroups",
                    "redshift:DescribeClusters",
                    "redshift:DescribeEventSubscriptions",
                    "redshift:DescribeHsmClientCertificates",
                    "redshift:DescribeSnapshotCopyGrants",
                    "redshift:DescribeSnapshotSchedules",
                    "redshift:DescribeUsageLimits",
                    "refactor-spaces:ListApplications",
                    "refactor-spaces:ListEnvironments",
                    "refactor-spaces:ListRoutes",
                    "refactor-spaces:ListServices",
                    "rekognition:DescribeProjects",
                    "resiliencehub:ListApps",
                    "resiliencehub:ListResiliencyPolicies",
                    "resource-explorer-2:GetIndex",
                    "resource-explorer-2:ListIndexes",
                    "resource-explorer-2:ListViews",
                    "resource-groups:ListGroups",
                    "route53-recovery-control-config:ListClusters",
                    "route53-recovery-control-config:ListControlPanels",
                    "route53-recovery-control-config:ListRoutingControls",
                    "route53-recovery-control-config:ListSafetyRules",
                    "route53-recovery-readiness:ListCells",
                    "route53-recovery-readiness:ListReadinessChecks",
                    "route53-recovery-readiness:ListRecoveryGroups",
                    "route53-recovery-readiness:ListResourceSets",
                    "route53:ListHealthChecks",
                    "route53:ListHostedZones",
                    "route53domains:ListDomains",
                    "route53resolver:ListFirewallDomainLists",
                    "route53resolver:ListFirewallRuleGroupAssociations",
                    "route53resolver:ListFirewallRuleGroups",
                    "route53resolver:ListResolverEndpoints",
                    "route53resolver:ListResolverQueryLogConfigs",
                    "route53resolver:ListResolverRules",
                    "rum:ListAppMonitors",
                    "s3:GetBucketLocation",
                    "s3:ListAccessPoints",
                    "s3:ListAllMyBuckets",
                    "s3:ListBucket",
                    "s3:ListMultiRegionAccessPoints",
                    "s3:ListStorageLensConfigurations",
                    "s3:ListStorageLensGroups",
                    "s3express:ListAllMyDirectoryBuckets",
                    "sagemaker:DescribeInferenceComponent",
                    "sagemaker:ListActions",
                    "sagemaker:ListAlgorithms",
                    "sagemaker:ListAppImageConfigs",
                    "sagemaker:ListApps",
                    "sagemaker:ListArtifacts",
                    "sagemaker:ListClusters",
                    "sagemaker:ListCodeRepositories",
                    "sagemaker:ListContexts",
                    "sagemaker:ListDomains",
                    "sagemaker:ListEndpointConfigs",
                    "sagemaker:ListEndpoints",
                    "sagemaker:ListExperiments",
                    "sagemaker:ListFeatureGroups",
                    "sagemaker:ListFlowDefinitions",
                    "sagemaker:ListHubContents",
                    "sagemaker:ListHubs",
                    "sagemaker:ListHumanLoops",
                    "sagemaker:ListHumanTaskUis",
                    "sagemaker:ListImageVersions",
                    "sagemaker:ListImages",
                    "sagemaker:ListInferenceComponents",
                    "sagemaker:ListInferenceExperiments",
                    "sagemaker:ListMlflowTrackingServers",
                    "sagemaker:ListModelCardVersions",
                    "sagemaker:ListModelCards",
                    "sagemaker:ListModelPackageGroups",
                    "sagemaker:ListModelPackages",
                    "sagemaker:ListModels",
                    "sagemaker:ListMonitoringSchedules",
                    "sagemaker:ListNotebookInstanceLifecycleConfigs",
                    "sagemaker:ListNotebookInstances",
                    "sagemaker:ListPartnerApps",
                    "sagemaker:ListPipelines",
                    "sagemaker:ListProjects",
                    "sagemaker:ListSpaces",
                    "sagemaker:ListStudioLifecycleConfigs",
                    "sagemaker:ListTrialComponents",
                    "sagemaker:ListTrials",
                    "sagemaker:ListUserProfiles",
                    "sagemaker:ListWorkforces",
                    "sagemaker:ListWorkteams",
                    "scheduler:ListScheduleGroups",
                    "schemas:ListDiscoverers",
                    "secretsmanager:ListSecrets",
                    "servicecatalog:ListApplications",
                    "servicecatalog:ListAttributeGroups",
                    "servicediscovery:ListServices",
                    "ses:ListConfigurationSets",
                    "ses:ListContactLists",
                    "ses:ListDedicatedIpPools",
                    "ses:ListEmailIdentities",
                    "shield:ListProtectionGroups",
                    "shield:ListProtections",
                    "signer:ListSigningProfiles",
                    "sns:ListTopics",
                    "sqs:ListQueues",
                    "ssm-incidents:ListResponsePlans",
                    "ssm:DescribeInstanceInformation",
                    "ssm:DescribeMaintenanceWindowTargets",
                    "ssm:DescribeMaintenanceWindowTasks",
                    "ssm:DescribeMaintenanceWindows",
                    "ssm:DescribeParameters",
                    "ssm:DescribeSessions",
                    "ssm:ListAssociations",
                    "ssm:ListDocuments",
                    "ssm:ListResourceDataSync",
                    "states:ListActivities",
                    "states:ListStateMachines",
                    "storagegateway:ListFileShares",
                    "storagegateway:ListGateways",
                    "synthetics:DescribeCanaries",
                    "synthetics:ListGroups",
                    "transfer:ListAgreements",
                    "transfer:ListCertificates",
                    "transfer:ListConnectors",
                    "transfer:ListProfiles",
                    "transfer:ListServers",
                    "transfer:ListUsers",
                    "transfer:ListWorkflows",
                    "verifiedpermissions:ListPolicyStores",
                    "vpc-lattice:ListListeners",
                    "vpc-lattice:ListRules",
                    "vpc-lattice:ListServiceNetworkServiceAssociations",
                    "vpc-lattice:ListServiceNetworks",
                    "vpc-lattice:ListServices",
                    "vpc-lattice:ListTargetGroups",
                    "wafv2:ListIPSets",
                    "wafv2:ListRegexPatternSets",
                    "wafv2:ListRuleGroups",
                    "wafv2:ListWebACLs",
                    "wellarchitected:ListWorkloads",
                    "wisdom:ListAssistantAssociations",
                    "wisdom:ListAssistants",
                    "wisdom:ListContents",
                    "wisdom:ListKnowledgeBases",
                    "workspaces-web:ListPortals",
                    "workspaces:DescribeConnectionAliases",
                    "workspaces:DescribeWorkspaces",
                    "xray:GetSamplingRules"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "PermissionsForReadGetResources",
                  "Effect": "Allow",
                  "Action": [
                    "backup:DescribeRecoveryPoint",
                    "backup:ListTags",
                    "bedrock-agentcore:GetAgentRuntime",
                    "bedrock-agentcore:ListTagsForResource",
                    "bedrock:GetAgent",
                    "bedrock:GetAgentActionGroup",
                    "bedrock:GetAgentCollaborator",
                    "bedrock:GetAgentKnowledgeBase",
                    "bedrock:GetFlowAlias",
                    "bedrock:GetGuardrail",
                    "bedrock:GetKnowledgeBase",
                    "bedrock:ListAgentActionGroups",
                    "bedrock:ListAgentCollaborators",
                    "bedrock:ListAgentKnowledgeBases",
                    "bedrock:ListTagsForResource",
                    "budgets:DescribeBudgetAction",
                    "budgets:DescribeBudgetActionsForBudget",
                    "cleanrooms:GetCollaboration",
                    "cleanrooms:ListMembers",
                    "cleanrooms:ListTagsForResource",
                    "cloudformation:GetResource",
                    "cloudfront:GetDistribution",
                    "cloudfront:GetDistributionConfig",
                    "cloudtrail:DescribeTrails",
                    "cloudtrail:GetEventConfiguration",
                    "cloudtrail:GetEventSelectors",
                    "cloudtrail:GetInsightSelectors",
                    "cloudtrail:GetTrail",
                    "cloudtrail:GetTrailStatus",
                    "connect:DescribeQueue",
                    "dataexchange:GetRevision",
                    "dataexchange:ListTagsForResource",
                    "dlm:GetLifecyclePolicy",
                    "dlm:ListTagsForResource",
                    "dynamodb:DescribeContinuousBackups",
                    "dynamodb:DescribeContributorInsights",
                    "dynamodb:DescribeKinesisStreamingDestination",
                    "dynamodb:DescribeTable",
                    "dynamodb:DescribeTimeToLive",
                    "dynamodb:GetResourcePolicy",
                    "dynamodb:ListTagsOfResource",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeVolumeAttribute",
                    "ecs:DescribeClusters",
                    "ecs:DescribeTaskDefinition",
                    "ecs:ListTagsForResource",
                    "eks:DescribeCluster",
                    "elasticfilesystem:DescribeBackupPolicy",
                    "elasticfilesystem:DescribeFileSystemPolicy",
                    "elasticfilesystem:DescribeLifecycleConfiguration",
                    "elasticfilesystem:DescribeReplicationConfigurations",
                    "elasticloadbalancing:DescribeCapacityReservation",
                    "elasticloadbalancing:DescribeLoadBalancerAttributes",
                    "elasticloadbalancing:DescribeLoadBalancerPolicies",
                    "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                    "elasticloadbalancing:DescribeTags",
                    "elasticloadbalancing:DescribeTargetGroupAttributes",
                    "elasticloadbalancing:DescribeTargetHealth",
                    "es:DescribeDomain",
                    "es:DescribeDomains",
                    "es:ListDomainsForPackage",
                    "es:ListTags",
                    "es:ListVpcEndpointsForDomain",
                    "events:DescribeRule",
                    "events:ListTagsForResource",
                    "events:ListTargetsByRule",
                    "fis:GetExperiment",
                    "iam:GetPolicy",
                    "iam:GetPolicyVersion",
                    "iam:GetRole",
                    "iam:GetRolePolicy",
                    "iam:ListAttachedRolePolicies",
                    "iam:ListRolePolicies",
                    "kendra-ranking:DescribeRescoreExecutionPlan",
                    "kendra-ranking:ListTagsForResource",
                    "kinesis:DescribeStreamSummary",
                    "kinesis:ListTagsForResource",
                    "kinesis:ListTagsForStream",
                    "kinesisvideo:DescribeStream",
                    "kinesisvideo:ListTagsForStream",
                    "kms:DescribeKey",
                    "lambda:GetEventSourceMapping",
                    "lambda:GetFunction",
                    "lambda:GetFunctionCodeSigningConfig",
                    "lambda:GetFunctionRecursionConfig",
                    "lambda:GetFunctionScalingConfig",
                    "lambda:GetRuntimeManagementConfig",
                    "lambda:ListTags",
                    "logs:DescribeIndexPolicies",
                    "logs:DescribeResourcePolicies",
                    "logs:GetDataProtectionPolicy",
                    "mediaconnect:DescribeFlow",
                    "panorama:DescribeDevice",
                    "panorama:ListTagsForResource",
                    "ram:GetPermission",
                    "rds:ListTagsForResource",
                    "redshift:DescribeTags",
                    "resource-explorer-2:GetView",
                    "route53:GetHostedZone",
                    "route53:ListQueryLoggingConfigs",
                    "route53:ListTagsForResource",
                    "s3:GetAccelerateConfiguration",
                    "s3:GetAnalyticsConfiguration",
                    "s3:GetBucketAbac",
                    "s3:GetBucketCORS",
                    "s3:GetBucketLogging",
                    "s3:GetBucketMetadataTableConfiguration",
                    "s3:GetBucketNotification",
                    "s3:GetBucketObjectLockConfiguration",
                    "s3:GetBucketOwnershipControls",
                    "s3:GetBucketPublicAccessBlock",
                    "s3:GetBucketTagging",
                    "s3:GetBucketVersioning",
                    "s3:GetBucketWebsite",
                    "s3:GetEncryptionConfiguration",
                    "s3:GetIntelligentTieringConfiguration",
                    "s3:GetInventoryConfiguration",
                    "s3:GetLifecycleConfiguration",
                    "s3:GetMetricsConfiguration",
                    "s3:GetReplicationConfiguration",
                    "s3:ListTagsForResource",
                    "s3express:GetEncryptionConfiguration",
                    "s3express:GetLifecycleConfiguration",
                    "s3express:ListTagsForResource",
                    "sagemaker:DescribeEndpoint",
                    "sagemaker:ListTags",
                    "secretsmanager:DescribeSecret",
                    "sns:GetDataProtectionPolicy",
                    "sns:GetTopicAttributes",
                    "sns:ListSubscriptionsByTopic",
                    "sns:ListTagsForResource",
                    "sqs:GetQueueAttributes",
                    "sqs:ListQueueTags",
                    "xray:ListTagsForResource"
                  ],
                  "Resource": "*"
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "AWSResourceExplorerServiceRolePolicy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::aws:policy/aws-service-role/AWSResourceExplorerServiceRolePolicy"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege**: avoid attaching AWS-managed policies that grant `*:*`.\n- Use **customer-managed, scoped policies** per role\n- Enforce **separation of duties** and **permissions boundaries**\n- Prefer **temporary, time-bound elevation** for emergencies with MFA\n- Regularly review access and use conditions to constrain context",
      "references": [
        "https://hub.prowler.com/check/iam_aws_attached_policy_no_administrative_privileges"
      ]
    },
    "risk_details": "**Unrestricted `*:*` access** enables any action on any resource, risking:\n- Data exfiltration (**confidentiality**)\n- Unauthorized changes and policy tampering (**integrity**)\n- Service deletion or shutdown (**availability**)\nAttackers can disable logging, create backdoor principals, and expand lateral movement.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No SAML Providers found.",
    "metadata": {
      "event_code": "iam_check_saml_providers_sts",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No SAML Providers found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html"
      ],
      "notes": "",
      "compliance": {
        "CIS-6.0": [
          "2.20"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR06",
          "CCC.IAM.CN09.AR01"
        ],
        "CIS-2.0": [
          "1.21"
        ],
        "CSA-CCM-4.0": [
          "IAM-13"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.3",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.7"
        ],
        "CIS-4.0.1": [
          "1.21"
        ],
        "CIS-3.0": [
          "1.21"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.3",
          "2.10.2"
        ],
        "CIS-1.4": [
          "1.21"
        ],
        "CIS-5.0": [
          "1.20"
        ],
        "CIS-1.5": [
          "1.21"
        ],
        "NIST-CSF-2.0": [
          "ac_7"
        ],
        "ENS-RD2022": [
          "op.acc.1.aws.iam.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM SAML providers** enable **federated role assumption** via STS `AssumeRoleWithSAML`.\n\nThis check evaluates whether at least one such provider exists in the account.",
      "title": "IAM SAML provider exists in the account",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-iam_check_saml_providers_sts-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:iam::211203495394:root"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Adopt **SAML federation** to issue **short-lived STS credentials**. Map users to roles with **least privilege**, enforce **MFA** at the IdP, and set conservative session durations. Retire IAM user access keys for interactive use and monitor role sessions as **defense in depth**. *If federation isn't possible*, tightly scope, rotate, and audit keys.",
      "references": [
        "https://hub.prowler.com/check/iam_check_saml_providers_sts"
      ]
    },
    "risk_details": "Without **SAML federation**, users rely on **long-lived IAM keys**. Compromised keys enable persistent API access, causing **data exfiltration (C)**, unauthorized resource or policy changes (**I**), and difficult revocation. Lack of IdP controls (e.g., **MFA**, session limits) weakens **accountability** and access governance.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Custom policy CN03PeeringGuardrail is attached but does not allow '*:*' administrative privileges.",
    "metadata": {
      "event_code": "iam_customer_attached_policy_no_administrative_privileges",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Custom policy CN03PeeringGuardrail is attached but does not allow '*:*' administrative privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/iam-policy-for-administration.html",
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_b",
          "164_308_a_3_i",
          "164_308_a_3_ii_b",
          "164_308_a_4_i",
          "164_308_a_4_ii_b",
          "164_308_a_4_ii_c",
          "164_312_a_1"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-3"
        ],
        "CIS-6.0": [
          "2.15"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_2_6",
          "ac_2_i_2",
          "ac_3",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_7",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_5_b",
          "ac_6",
          "ac_6_2",
          "ac_6_3",
          "ac_6_10",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "mp_2",
          "sc_23_3",
          "sc_25"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.RDMS.CN04.AR01",
          "CCC.IAM.CN01.AR01",
          "CCC.IAM.CN01.AR02",
          "CCC.IAM.CN02.AR01",
          "CCC.IAM.CN02.AR02",
          "CCC.IAM.CN04.AR01"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_1"
        ],
        "CIS-2.0": [
          "1.16"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-16"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-3"
        ],
        "FFIEC": [
          "d3-pc-am-b-1",
          "d3-pc-am-b-16",
          "d3-pc-am-b-2",
          "d3-pc-am-b-3",
          "d3-pc-am-b-6",
          "d3-pc-im-b-7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.3.1"
        ],
        "CIS-4.0.1": [
          "1.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP02",
          "SEC03-BP04"
        ],
        "CIS-3.0": [
          "1.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_1_3",
          "cc_6_3"
        ],
        "C5-2025": [
          "OIS-04.01AC",
          "SP-01.04B",
          "HR-01.01B",
          "IAM-01.01B",
          "IAM-01.04B",
          "IAM-06.01B"
        ],
        "ISO27001-2022": [
          "A.5.18",
          "A.8.2"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.1"
        ],
        "SecNumCloud-3.2": [
          "9.1"
        ],
        "CIS-1.4": [
          "1.16"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2",
          "ac_3",
          "ac_5",
          "ac_6",
          "sc_2"
        ],
        "NIST-CSF-1.1": [
          "ac_1",
          "ac_4",
          "pt_3"
        ],
        "CIS-5.0": [
          "1.15"
        ],
        "CIS-1.5": [
          "1.16"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1",
          "ac_1",
          "ac_4",
          "ac_6"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ac-3",
          "ac-5-c",
          "ac-6-10",
          "ac-6",
          "sc-2"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_1_4",
          "3_1_5",
          "3_1_6",
          "3_1_7",
          "3_4_6",
          "3_13_3"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.1",
          "op.acc.4.aws.iam.2",
          "op.acc.4.aws.iam.9",
          "op.exp.8.r4.aws.ct.8",
          "op.exp.8.r4.aws.ct.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1648",
          "T1098",
          "T1578",
          "T1550",
          "T1040",
          "T1580",
          "T1538",
          "T1619",
          "T1201"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Attached **customer-managed IAM policies** are evaluated for statements granting full admin access via `Action: \"*\"`, `Resource: \"*\"`, i.e., `*:*`. Only policies you created and attached to identities are considered.",
      "title": "Attached IAM customer-managed policy does not allow '*:*' administrative privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_customer_attached_policy_no_administrative_privileges-211203495394-us-east-1-CN03PeeringGuardrail"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "CN03PeeringGuardrail",
            "arn": "arn:aws:iam::211203495394:policy/CN03PeeringGuardrail",
            "entity": "ANPATCLFVSXRKM5643AGY",
            "version_id": "v1",
            "type": "Custom",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "DenyPeeringFromNonAllowlistedRequesterVpc",
                  "Effect": "Deny",
                  "Action": "ec2:CreateVpcPeeringConnection",
                  "Resource": "*",
                  "Condition": {
                    "Null": {
                      "ec2:RequesterVpc": "false"
                    },
                    "ArnEquals": {
                      "ec2:AccepterVpc": [
                        "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-0232d940ac1e052fc"
                      ]
                    },
                    "ArnNotEquals": {
                      "ec2:RequesterVpc": [
                        "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-00edf4476fa81d898",
                        "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-035f0b812cb80ea99"
                      ]
                    }
                  }
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "CN03PeeringGuardrail",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:policy/CN03PeeringGuardrail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enforce **least privilege**: replace wildcards with specific actions, scope `Resource` to needed ARNs, and add restrictive `Condition`s. Prefer role-based access and separation of duties. Use **permissions boundaries** and organization guardrails, and regularly review policies with policy validation and Access Analyzer.",
      "references": [
        "https://hub.prowler.com/check/iam_customer_attached_policy_no_administrative_privileges"
      ]
    },
    "risk_details": "**Unrestricted admin access** lets any attached principal perform any action on any resource, enabling data exfiltration, policy tampering, credential creation, logging disablement, and destructive deletions-compromising **confidentiality, integrity, and availability** across the account.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-1776042944-cn04-flowlogs-role-policy attached to role cfi-1776042944-cn04-flowlogs-role does not allow privilege escalation.",
    "metadata": {
      "event_code": "iam_inline_policy_allows_privilege_escalation",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-1776042944-cn04-flowlogs-role-policy attached to role cfi-1776042944-cn04-flowlogs-role does not allow privilege escalation.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "privilege-escalation"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege",
        "https://bishopfox.com/blog/privilege-escalation-in-aws",
        "https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py",
        "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
        "https://labs.reversec.com/posts/2025/08/another-ecs-privilege-escalation-path"
      ],
      "notes": "",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN02.AR01",
          "CCC.IAM.CN02.AR02"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-10"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_3"
        ],
        "C5-2025": [
          "SP-01.04B",
          "AM-09.04AC"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1",
          "ra_1",
          "ac_1",
          "ac_4",
          "ac_6",
          "ac_7",
          "ip_1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** are evaluated for permission combinations that enable **privilege escalation**, such as `sts:AssumeRole`, `iam:PassRole`, attaching/editing policies, or broad wildcards. The result highlights inline policies that allow a principal to obtain higher effective access.",
      "title": "IAM inline policy does not allow privilege escalation",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_inline_policy_allows_privilege_escalation-211203495394-us-east-1-cfi-1776042944-cn04-flowlogs-role/cfi-1776042944-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776042944-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776042944-cn04-flowlogs-role",
            "entity": "cfi-1776042944-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776042944-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776042944-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-1776042944-cn04-flowlogs-role/cfi-1776042944-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776042944-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** and remove escalation paths:\n- Avoid wildcards and sensitive actions like `sts:AssumeRole`, `iam:PassRole`, or policy modification without tight scope\n- Restrict by resource and `Condition`\n- Prefer managed, versioned policies; use permissions boundaries/SCPs\n- Require reviews and MFA for admins",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_allows_privilege_escalation"
      ]
    },
    "risk_details": "Excessive inline policy permissions let identities escalate to admin, compromising CIA:\n- Confidentiality: read secrets and data\n- Integrity: alter policies, code, and configs\n- Availability: delete or stop resources, disable logging\nAttackers can persist by creating keys/users or assuming powerful roles.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-1776043129-cn04-flowlogs-role-policy attached to role cfi-1776043129-cn04-flowlogs-role does not allow privilege escalation.",
    "metadata": {
      "event_code": "iam_inline_policy_allows_privilege_escalation",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-1776043129-cn04-flowlogs-role-policy attached to role cfi-1776043129-cn04-flowlogs-role does not allow privilege escalation.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "privilege-escalation"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege",
        "https://bishopfox.com/blog/privilege-escalation-in-aws",
        "https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py",
        "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
        "https://labs.reversec.com/posts/2025/08/another-ecs-privilege-escalation-path"
      ],
      "notes": "",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN02.AR01",
          "CCC.IAM.CN02.AR02"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-10"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_3"
        ],
        "C5-2025": [
          "SP-01.04B",
          "AM-09.04AC"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1",
          "ra_1",
          "ac_1",
          "ac_4",
          "ac_6",
          "ac_7",
          "ip_1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** are evaluated for permission combinations that enable **privilege escalation**, such as `sts:AssumeRole`, `iam:PassRole`, attaching/editing policies, or broad wildcards. The result highlights inline policies that allow a principal to obtain higher effective access.",
      "title": "IAM inline policy does not allow privilege escalation",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_inline_policy_allows_privilege_escalation-211203495394-us-east-1-cfi-1776043129-cn04-flowlogs-role/cfi-1776043129-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776043129-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776043129-cn04-flowlogs-role",
            "entity": "cfi-1776043129-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043129-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043129-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-1776043129-cn04-flowlogs-role/cfi-1776043129-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776043129-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** and remove escalation paths:\n- Avoid wildcards and sensitive actions like `sts:AssumeRole`, `iam:PassRole`, or policy modification without tight scope\n- Restrict by resource and `Condition`\n- Prefer managed, versioned policies; use permissions boundaries/SCPs\n- Require reviews and MFA for admins",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_allows_privilege_escalation"
      ]
    },
    "risk_details": "Excessive inline policy permissions let identities escalate to admin, compromising CIA:\n- Confidentiality: read secrets and data\n- Integrity: alter policies, code, and configs\n- Availability: delete or stop resources, disable logging\nAttackers can persist by creating keys/users or assuming powerful roles.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-1776043305-cn04-flowlogs-role-policy attached to role cfi-1776043305-cn04-flowlogs-role does not allow privilege escalation.",
    "metadata": {
      "event_code": "iam_inline_policy_allows_privilege_escalation",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-1776043305-cn04-flowlogs-role-policy attached to role cfi-1776043305-cn04-flowlogs-role does not allow privilege escalation.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "privilege-escalation"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege",
        "https://bishopfox.com/blog/privilege-escalation-in-aws",
        "https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py",
        "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
        "https://labs.reversec.com/posts/2025/08/another-ecs-privilege-escalation-path"
      ],
      "notes": "",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN02.AR01",
          "CCC.IAM.CN02.AR02"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-10"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_3"
        ],
        "C5-2025": [
          "SP-01.04B",
          "AM-09.04AC"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1",
          "ra_1",
          "ac_1",
          "ac_4",
          "ac_6",
          "ac_7",
          "ip_1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** are evaluated for permission combinations that enable **privilege escalation**, such as `sts:AssumeRole`, `iam:PassRole`, attaching/editing policies, or broad wildcards. The result highlights inline policies that allow a principal to obtain higher effective access.",
      "title": "IAM inline policy does not allow privilege escalation",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_inline_policy_allows_privilege_escalation-211203495394-us-east-1-cfi-1776043305-cn04-flowlogs-role/cfi-1776043305-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776043305-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776043305-cn04-flowlogs-role",
            "entity": "cfi-1776043305-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043305-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043305-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-1776043305-cn04-flowlogs-role/cfi-1776043305-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776043305-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** and remove escalation paths:\n- Avoid wildcards and sensitive actions like `sts:AssumeRole`, `iam:PassRole`, or policy modification without tight scope\n- Restrict by resource and `Condition`\n- Prefer managed, versioned policies; use permissions boundaries/SCPs\n- Require reviews and MFA for admins",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_allows_privilege_escalation"
      ]
    },
    "risk_details": "Excessive inline policy permissions let identities escalate to admin, compromising CIA:\n- Confidentiality: read secrets and data\n- Integrity: alter policies, code, and configs\n- Availability: delete or stop resources, disable logging\nAttackers can persist by creating keys/users or assuming powerful roles.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-1776044303-cn04-flowlogs-role-policy attached to role cfi-1776044303-cn04-flowlogs-role does not allow privilege escalation.",
    "metadata": {
      "event_code": "iam_inline_policy_allows_privilege_escalation",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-1776044303-cn04-flowlogs-role-policy attached to role cfi-1776044303-cn04-flowlogs-role does not allow privilege escalation.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "privilege-escalation"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege",
        "https://bishopfox.com/blog/privilege-escalation-in-aws",
        "https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py",
        "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
        "https://labs.reversec.com/posts/2025/08/another-ecs-privilege-escalation-path"
      ],
      "notes": "",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN02.AR01",
          "CCC.IAM.CN02.AR02"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-10"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_3"
        ],
        "C5-2025": [
          "SP-01.04B",
          "AM-09.04AC"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1",
          "ra_1",
          "ac_1",
          "ac_4",
          "ac_6",
          "ac_7",
          "ip_1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** are evaluated for permission combinations that enable **privilege escalation**, such as `sts:AssumeRole`, `iam:PassRole`, attaching/editing policies, or broad wildcards. The result highlights inline policies that allow a principal to obtain higher effective access.",
      "title": "IAM inline policy does not allow privilege escalation",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_inline_policy_allows_privilege_escalation-211203495394-us-east-1-cfi-1776044303-cn04-flowlogs-role/cfi-1776044303-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776044303-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776044303-cn04-flowlogs-role",
            "entity": "cfi-1776044303-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776044303-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776044303-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-1776044303-cn04-flowlogs-role/cfi-1776044303-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776044303-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** and remove escalation paths:\n- Avoid wildcards and sensitive actions like `sts:AssumeRole`, `iam:PassRole`, or policy modification without tight scope\n- Restrict by resource and `Condition`\n- Prefer managed, versioned policies; use permissions boundaries/SCPs\n- Require reviews and MFA for admins",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_allows_privilege_escalation"
      ]
    },
    "risk_details": "Excessive inline policy permissions let identities escalate to admin, compromising CIA:\n- Confidentiality: read secrets and data\n- Integrity: alter policies, code, and configs\n- Availability: delete or stop resources, disable logging\nAttackers can persist by creating keys/users or assuming powerful roles.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-20260413t013134z-cn04-flowlogs-role-policy attached to role cfi-20260413t013134z-cn04-flowlogs-role does not allow privilege escalation.",
    "metadata": {
      "event_code": "iam_inline_policy_allows_privilege_escalation",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-20260413t013134z-cn04-flowlogs-role-policy attached to role cfi-20260413t013134z-cn04-flowlogs-role does not allow privilege escalation.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "privilege-escalation"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege",
        "https://bishopfox.com/blog/privilege-escalation-in-aws",
        "https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py",
        "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
        "https://labs.reversec.com/posts/2025/08/another-ecs-privilege-escalation-path"
      ],
      "notes": "",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN02.AR01",
          "CCC.IAM.CN02.AR02"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-10"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.3.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_3"
        ],
        "C5-2025": [
          "SP-01.04B",
          "AM-09.04AC"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1",
          "ra_1",
          "ac_1",
          "ac_4",
          "ac_6",
          "ac_7",
          "ip_1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** are evaluated for permission combinations that enable **privilege escalation**, such as `sts:AssumeRole`, `iam:PassRole`, attaching/editing policies, or broad wildcards. The result highlights inline policies that allow a principal to obtain higher effective access.",
      "title": "IAM inline policy does not allow privilege escalation",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_inline_policy_allows_privilege_escalation-211203495394-us-east-1-cfi-20260413t013134z-cn04-flowlogs-role/cfi-20260413t013134z-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-20260413t013134z-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-20260413t013134z-cn04-flowlogs-role",
            "entity": "cfi-20260413t013134z-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-20260413t013134z-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-20260413t013134z-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-20260413t013134z-cn04-flowlogs-role/cfi-20260413t013134z-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-20260413t013134z-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** and remove escalation paths:\n- Avoid wildcards and sensitive actions like `sts:AssumeRole`, `iam:PassRole`, or policy modification without tight scope\n- Restrict by resource and `Condition`\n- Prefer managed, versioned policies; use permissions boundaries/SCPs\n- Require reviews and MFA for admins",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_allows_privilege_escalation"
      ]
    },
    "risk_details": "Excessive inline policy permissions let identities escalate to admin, compromising CIA:\n- Confidentiality: read secrets and data\n- Integrity: alter policies, code, and configs\n- Availability: delete or stop resources, disable logging\nAttackers can persist by creating keys/users or assuming powerful roles.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-1776042944-cn04-flowlogs-role-policy attached to role cfi-1776042944-cn04-flowlogs-role does not allow '*:*' administrative privileges.",
    "metadata": {
      "event_code": "iam_inline_policy_no_administrative_privileges",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-1776042944-cn04-flowlogs-role-policy attached to role cfi-1776042944-cn04-flowlogs-role does not allow '*:*' administrative privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://support.icompaas.com/support/solutions/articles/62000233799-ensure-iam-inline-policies-that-allow-full-administrative-privileges-are-not-associated-to-iam-id"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "NIS2": [
          "6.7.2.e",
          "11.3.2.c",
          "11.4.2.b"
        ],
        "HIPAA": [
          "164_308_a_1_ii_b",
          "164_308_a_3_i",
          "164_308_a_3_ii_b",
          "164_308_a_4_i",
          "164_308_a_4_ii_b",
          "164_308_a_4_ii_c",
          "164_312_a_1"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_2_6",
          "ac_2_i_2",
          "ac_3",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_7",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_5_b",
          "ac_6",
          "ac_6_2",
          "ac_6_3",
          "ac_6_10",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "mp_2",
          "sc_23_3",
          "sc_25"
        ],
        "CCC-v2025.10": [
          "CCC.RDMS.CN04.AR01",
          "CCC.IAM.CN01.AR01",
          "CCC.IAM.CN01.AR02",
          "CCC.IAM.CN04.AR01"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_1"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-16"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-3"
        ],
        "FFIEC": [
          "d3-pc-am-b-1",
          "d3-pc-am-b-16",
          "d3-pc-am-b-2",
          "d3-pc-am-b-3",
          "d3-pc-am-b-6",
          "d3-pc-im-b-7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP02"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_1_3",
          "cc_6_3"
        ],
        "C5-2025": [
          "OIS-04.01AC",
          "SP-01.04B",
          "HR-01.01B",
          "IAM-01.01B",
          "IAM-01.04B"
        ],
        "ISO27001-2022": [
          "A.5.18",
          "A.8.2"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.1"
        ],
        "SecNumCloud-3.2": [
          "9.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2",
          "ac_3",
          "ac_5",
          "ac_6",
          "sc_2"
        ],
        "NIST-CSF-1.1": [
          "ac_1",
          "ac_4",
          "pt_3"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ac-3",
          "ac-5-c",
          "ac-6-10",
          "ac-6",
          "sc-2"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_1_4",
          "3_1_5",
          "3_1_6",
          "3_1_7",
          "3_4_6",
          "3_13_3"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.1",
          "op.acc.4.aws.iam.2",
          "op.acc.4.aws.iam.9",
          "op.exp.8.r4.aws.ct.8"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1648",
          "T1098",
          "T1578",
          "T1550",
          "T1040",
          "T1580",
          "T1538",
          "T1619",
          "T1201"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** on identities are evaluated for statements allowing `Action:\"*\"` on `Resource:\"*\"`, which indicates **unrestricted administrative access**.",
      "title": "Inline IAM policy does not allow '*:*' administrative privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_inline_policy_no_administrative_privileges-211203495394-us-east-1-cfi-1776042944-cn04-flowlogs-role/cfi-1776042944-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776042944-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776042944-cn04-flowlogs-role",
            "entity": "cfi-1776042944-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776042944-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776042944-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-1776042944-cn04-flowlogs-role/cfi-1776042944-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776042944-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Remove `Action:\"*\"` with `Resource:\"*\"` from inline policies. Apply **least privilege** with granular actions scoped to specific resources and conditions. Prefer versioned customer-managed policies over broad inline ones, enforce **separation of duties**, and use **permissions boundaries** or guardrails to prevent accidental admin grants.",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_no_administrative_privileges"
      ]
    },
    "risk_details": "Granting `*:*` to an identity collapses **least privilege**, enabling total control over AWS. A compromised principal can exfiltrate data (**confidentiality**), alter configs or disable logging (**integrity**), and delete resources or keys (**availability**), enabling rapid **lateral movement** and persistent takeover.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-1776043129-cn04-flowlogs-role-policy attached to role cfi-1776043129-cn04-flowlogs-role does not allow '*:*' administrative privileges.",
    "metadata": {
      "event_code": "iam_inline_policy_no_administrative_privileges",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-1776043129-cn04-flowlogs-role-policy attached to role cfi-1776043129-cn04-flowlogs-role does not allow '*:*' administrative privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://support.icompaas.com/support/solutions/articles/62000233799-ensure-iam-inline-policies-that-allow-full-administrative-privileges-are-not-associated-to-iam-id"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "NIS2": [
          "6.7.2.e",
          "11.3.2.c",
          "11.4.2.b"
        ],
        "HIPAA": [
          "164_308_a_1_ii_b",
          "164_308_a_3_i",
          "164_308_a_3_ii_b",
          "164_308_a_4_i",
          "164_308_a_4_ii_b",
          "164_308_a_4_ii_c",
          "164_312_a_1"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_2_6",
          "ac_2_i_2",
          "ac_3",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_7",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_5_b",
          "ac_6",
          "ac_6_2",
          "ac_6_3",
          "ac_6_10",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "mp_2",
          "sc_23_3",
          "sc_25"
        ],
        "CCC-v2025.10": [
          "CCC.RDMS.CN04.AR01",
          "CCC.IAM.CN01.AR01",
          "CCC.IAM.CN01.AR02",
          "CCC.IAM.CN04.AR01"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_1"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-16"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-3"
        ],
        "FFIEC": [
          "d3-pc-am-b-1",
          "d3-pc-am-b-16",
          "d3-pc-am-b-2",
          "d3-pc-am-b-3",
          "d3-pc-am-b-6",
          "d3-pc-im-b-7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP02"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_1_3",
          "cc_6_3"
        ],
        "C5-2025": [
          "OIS-04.01AC",
          "SP-01.04B",
          "HR-01.01B",
          "IAM-01.01B",
          "IAM-01.04B"
        ],
        "ISO27001-2022": [
          "A.5.18",
          "A.8.2"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.1"
        ],
        "SecNumCloud-3.2": [
          "9.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2",
          "ac_3",
          "ac_5",
          "ac_6",
          "sc_2"
        ],
        "NIST-CSF-1.1": [
          "ac_1",
          "ac_4",
          "pt_3"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ac-3",
          "ac-5-c",
          "ac-6-10",
          "ac-6",
          "sc-2"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_1_4",
          "3_1_5",
          "3_1_6",
          "3_1_7",
          "3_4_6",
          "3_13_3"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.1",
          "op.acc.4.aws.iam.2",
          "op.acc.4.aws.iam.9",
          "op.exp.8.r4.aws.ct.8"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1648",
          "T1098",
          "T1578",
          "T1550",
          "T1040",
          "T1580",
          "T1538",
          "T1619",
          "T1201"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** on identities are evaluated for statements allowing `Action:\"*\"` on `Resource:\"*\"`, which indicates **unrestricted administrative access**.",
      "title": "Inline IAM policy does not allow '*:*' administrative privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_inline_policy_no_administrative_privileges-211203495394-us-east-1-cfi-1776043129-cn04-flowlogs-role/cfi-1776043129-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776043129-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776043129-cn04-flowlogs-role",
            "entity": "cfi-1776043129-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043129-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043129-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-1776043129-cn04-flowlogs-role/cfi-1776043129-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776043129-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Remove `Action:\"*\"` with `Resource:\"*\"` from inline policies. Apply **least privilege** with granular actions scoped to specific resources and conditions. Prefer versioned customer-managed policies over broad inline ones, enforce **separation of duties**, and use **permissions boundaries** or guardrails to prevent accidental admin grants.",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_no_administrative_privileges"
      ]
    },
    "risk_details": "Granting `*:*` to an identity collapses **least privilege**, enabling total control over AWS. A compromised principal can exfiltrate data (**confidentiality**), alter configs or disable logging (**integrity**), and delete resources or keys (**availability**), enabling rapid **lateral movement** and persistent takeover.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-1776043305-cn04-flowlogs-role-policy attached to role cfi-1776043305-cn04-flowlogs-role does not allow '*:*' administrative privileges.",
    "metadata": {
      "event_code": "iam_inline_policy_no_administrative_privileges",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-1776043305-cn04-flowlogs-role-policy attached to role cfi-1776043305-cn04-flowlogs-role does not allow '*:*' administrative privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://support.icompaas.com/support/solutions/articles/62000233799-ensure-iam-inline-policies-that-allow-full-administrative-privileges-are-not-associated-to-iam-id"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "NIS2": [
          "6.7.2.e",
          "11.3.2.c",
          "11.4.2.b"
        ],
        "HIPAA": [
          "164_308_a_1_ii_b",
          "164_308_a_3_i",
          "164_308_a_3_ii_b",
          "164_308_a_4_i",
          "164_308_a_4_ii_b",
          "164_308_a_4_ii_c",
          "164_312_a_1"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_2_6",
          "ac_2_i_2",
          "ac_3",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_7",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_5_b",
          "ac_6",
          "ac_6_2",
          "ac_6_3",
          "ac_6_10",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "mp_2",
          "sc_23_3",
          "sc_25"
        ],
        "CCC-v2025.10": [
          "CCC.RDMS.CN04.AR01",
          "CCC.IAM.CN01.AR01",
          "CCC.IAM.CN01.AR02",
          "CCC.IAM.CN04.AR01"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_1"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-16"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-3"
        ],
        "FFIEC": [
          "d3-pc-am-b-1",
          "d3-pc-am-b-16",
          "d3-pc-am-b-2",
          "d3-pc-am-b-3",
          "d3-pc-am-b-6",
          "d3-pc-im-b-7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP02"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_1_3",
          "cc_6_3"
        ],
        "C5-2025": [
          "OIS-04.01AC",
          "SP-01.04B",
          "HR-01.01B",
          "IAM-01.01B",
          "IAM-01.04B"
        ],
        "ISO27001-2022": [
          "A.5.18",
          "A.8.2"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.1"
        ],
        "SecNumCloud-3.2": [
          "9.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2",
          "ac_3",
          "ac_5",
          "ac_6",
          "sc_2"
        ],
        "NIST-CSF-1.1": [
          "ac_1",
          "ac_4",
          "pt_3"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ac-3",
          "ac-5-c",
          "ac-6-10",
          "ac-6",
          "sc-2"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_1_4",
          "3_1_5",
          "3_1_6",
          "3_1_7",
          "3_4_6",
          "3_13_3"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.1",
          "op.acc.4.aws.iam.2",
          "op.acc.4.aws.iam.9",
          "op.exp.8.r4.aws.ct.8"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1648",
          "T1098",
          "T1578",
          "T1550",
          "T1040",
          "T1580",
          "T1538",
          "T1619",
          "T1201"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** on identities are evaluated for statements allowing `Action:\"*\"` on `Resource:\"*\"`, which indicates **unrestricted administrative access**.",
      "title": "Inline IAM policy does not allow '*:*' administrative privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_inline_policy_no_administrative_privileges-211203495394-us-east-1-cfi-1776043305-cn04-flowlogs-role/cfi-1776043305-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776043305-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776043305-cn04-flowlogs-role",
            "entity": "cfi-1776043305-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043305-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043305-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-1776043305-cn04-flowlogs-role/cfi-1776043305-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776043305-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Remove `Action:\"*\"` with `Resource:\"*\"` from inline policies. Apply **least privilege** with granular actions scoped to specific resources and conditions. Prefer versioned customer-managed policies over broad inline ones, enforce **separation of duties**, and use **permissions boundaries** or guardrails to prevent accidental admin grants.",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_no_administrative_privileges"
      ]
    },
    "risk_details": "Granting `*:*` to an identity collapses **least privilege**, enabling total control over AWS. A compromised principal can exfiltrate data (**confidentiality**), alter configs or disable logging (**integrity**), and delete resources or keys (**availability**), enabling rapid **lateral movement** and persistent takeover.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-1776044303-cn04-flowlogs-role-policy attached to role cfi-1776044303-cn04-flowlogs-role does not allow '*:*' administrative privileges.",
    "metadata": {
      "event_code": "iam_inline_policy_no_administrative_privileges",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-1776044303-cn04-flowlogs-role-policy attached to role cfi-1776044303-cn04-flowlogs-role does not allow '*:*' administrative privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://support.icompaas.com/support/solutions/articles/62000233799-ensure-iam-inline-policies-that-allow-full-administrative-privileges-are-not-associated-to-iam-id"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "NIS2": [
          "6.7.2.e",
          "11.3.2.c",
          "11.4.2.b"
        ],
        "HIPAA": [
          "164_308_a_1_ii_b",
          "164_308_a_3_i",
          "164_308_a_3_ii_b",
          "164_308_a_4_i",
          "164_308_a_4_ii_b",
          "164_308_a_4_ii_c",
          "164_312_a_1"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_2_6",
          "ac_2_i_2",
          "ac_3",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_7",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_5_b",
          "ac_6",
          "ac_6_2",
          "ac_6_3",
          "ac_6_10",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "mp_2",
          "sc_23_3",
          "sc_25"
        ],
        "CCC-v2025.10": [
          "CCC.RDMS.CN04.AR01",
          "CCC.IAM.CN01.AR01",
          "CCC.IAM.CN01.AR02",
          "CCC.IAM.CN04.AR01"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_1"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-16"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-3"
        ],
        "FFIEC": [
          "d3-pc-am-b-1",
          "d3-pc-am-b-16",
          "d3-pc-am-b-2",
          "d3-pc-am-b-3",
          "d3-pc-am-b-6",
          "d3-pc-im-b-7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP02"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_1_3",
          "cc_6_3"
        ],
        "C5-2025": [
          "OIS-04.01AC",
          "SP-01.04B",
          "HR-01.01B",
          "IAM-01.01B",
          "IAM-01.04B"
        ],
        "ISO27001-2022": [
          "A.5.18",
          "A.8.2"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.1"
        ],
        "SecNumCloud-3.2": [
          "9.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2",
          "ac_3",
          "ac_5",
          "ac_6",
          "sc_2"
        ],
        "NIST-CSF-1.1": [
          "ac_1",
          "ac_4",
          "pt_3"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ac-3",
          "ac-5-c",
          "ac-6-10",
          "ac-6",
          "sc-2"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_1_4",
          "3_1_5",
          "3_1_6",
          "3_1_7",
          "3_4_6",
          "3_13_3"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.1",
          "op.acc.4.aws.iam.2",
          "op.acc.4.aws.iam.9",
          "op.exp.8.r4.aws.ct.8"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1648",
          "T1098",
          "T1578",
          "T1550",
          "T1040",
          "T1580",
          "T1538",
          "T1619",
          "T1201"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** on identities are evaluated for statements allowing `Action:\"*\"` on `Resource:\"*\"`, which indicates **unrestricted administrative access**.",
      "title": "Inline IAM policy does not allow '*:*' administrative privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_inline_policy_no_administrative_privileges-211203495394-us-east-1-cfi-1776044303-cn04-flowlogs-role/cfi-1776044303-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776044303-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776044303-cn04-flowlogs-role",
            "entity": "cfi-1776044303-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776044303-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776044303-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-1776044303-cn04-flowlogs-role/cfi-1776044303-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776044303-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Remove `Action:\"*\"` with `Resource:\"*\"` from inline policies. Apply **least privilege** with granular actions scoped to specific resources and conditions. Prefer versioned customer-managed policies over broad inline ones, enforce **separation of duties**, and use **permissions boundaries** or guardrails to prevent accidental admin grants.",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_no_administrative_privileges"
      ]
    },
    "risk_details": "Granting `*:*` to an identity collapses **least privilege**, enabling total control over AWS. A compromised principal can exfiltrate data (**confidentiality**), alter configs or disable logging (**integrity**), and delete resources or keys (**availability**), enabling rapid **lateral movement** and persistent takeover.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-20260413t013134z-cn04-flowlogs-role-policy attached to role cfi-20260413t013134z-cn04-flowlogs-role does not allow '*:*' administrative privileges.",
    "metadata": {
      "event_code": "iam_inline_policy_no_administrative_privileges",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-20260413t013134z-cn04-flowlogs-role-policy attached to role cfi-20260413t013134z-cn04-flowlogs-role does not allow '*:*' administrative privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://support.icompaas.com/support/solutions/articles/62000233799-ensure-iam-inline-policies-that-allow-full-administrative-privileges-are-not-associated-to-iam-id"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "NIS2": [
          "6.7.2.e",
          "11.3.2.c",
          "11.4.2.b"
        ],
        "HIPAA": [
          "164_308_a_1_ii_b",
          "164_308_a_3_i",
          "164_308_a_3_ii_b",
          "164_308_a_4_i",
          "164_308_a_4_ii_b",
          "164_308_a_4_ii_c",
          "164_312_a_1"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_2_6",
          "ac_2_i_2",
          "ac_3",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_7",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_5_b",
          "ac_6",
          "ac_6_2",
          "ac_6_3",
          "ac_6_10",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "mp_2",
          "sc_23_3",
          "sc_25"
        ],
        "CCC-v2025.10": [
          "CCC.RDMS.CN04.AR01",
          "CCC.IAM.CN01.AR01",
          "CCC.IAM.CN01.AR02",
          "CCC.IAM.CN04.AR01"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_1"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-16"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-3"
        ],
        "FFIEC": [
          "d3-pc-am-b-1",
          "d3-pc-am-b-16",
          "d3-pc-am-b-2",
          "d3-pc-am-b-3",
          "d3-pc-am-b-6",
          "d3-pc-im-b-7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP02"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_1_3",
          "cc_6_3"
        ],
        "C5-2025": [
          "OIS-04.01AC",
          "SP-01.04B",
          "HR-01.01B",
          "IAM-01.01B",
          "IAM-01.04B"
        ],
        "ISO27001-2022": [
          "A.5.18",
          "A.8.2"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.1"
        ],
        "SecNumCloud-3.2": [
          "9.1"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2",
          "ac_3",
          "ac_5",
          "ac_6",
          "sc_2"
        ],
        "NIST-CSF-1.1": [
          "ac_1",
          "ac_4",
          "pt_3"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ac-3",
          "ac-5-c",
          "ac-6-10",
          "ac-6",
          "sc-2"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_1_4",
          "3_1_5",
          "3_1_6",
          "3_1_7",
          "3_4_6",
          "3_13_3"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.1",
          "op.acc.4.aws.iam.2",
          "op.acc.4.aws.iam.9",
          "op.exp.8.r4.aws.ct.8"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1648",
          "T1098",
          "T1578",
          "T1550",
          "T1040",
          "T1580",
          "T1538",
          "T1619",
          "T1201"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** on identities are evaluated for statements allowing `Action:\"*\"` on `Resource:\"*\"`, which indicates **unrestricted administrative access**.",
      "title": "Inline IAM policy does not allow '*:*' administrative privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_inline_policy_no_administrative_privileges-211203495394-us-east-1-cfi-20260413t013134z-cn04-flowlogs-role/cfi-20260413t013134z-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-20260413t013134z-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-20260413t013134z-cn04-flowlogs-role",
            "entity": "cfi-20260413t013134z-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-20260413t013134z-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-20260413t013134z-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-20260413t013134z-cn04-flowlogs-role/cfi-20260413t013134z-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-20260413t013134z-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Remove `Action:\"*\"` with `Resource:\"*\"` from inline policies. Apply **least privilege** with granular actions scoped to specific resources and conditions. Prefer versioned customer-managed policies over broad inline ones, enforce **separation of duties**, and use **permissions boundaries** or guardrails to prevent accidental admin grants.",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_no_administrative_privileges"
      ]
    },
    "risk_details": "Granting `*:*` to an identity collapses **least privilege**, enabling total control over AWS. A compromised principal can exfiltrate data (**confidentiality**), alter configs or disable logging (**integrity**), and delete resources or keys (**availability**), enabling rapid **lateral movement** and persistent takeover.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-1776042944-cn04-flowlogs-role-policy attached to role cfi-1776042944-cn04-flowlogs-role does not allow 'cloudtrail:*' privileges.",
    "metadata": {
      "event_code": "iam_inline_policy_no_full_access_to_cloudtrail",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-1776042944-cn04-flowlogs-role-policy attached to role cfi-1776042944-cn04-flowlogs-role does not allow 'cloudtrail:*' privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://support.icompaas.com/support/solutions/articles/62000233808-ensure-iam-policies-that-allow-full-cloudtrail-privileges-are-not-created"
      ],
      "notes": "",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR02",
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN04.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-10.01B",
          "SIM-03.07B",
          "COM-04.01AC"
        ],
        "NIST-CSF-2.0": [
          "po_1",
          "ac_7"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** are evaluated for statements that grant **full CloudTrail permissions** (`cloudtrail:*`) to all resources.\n\nThe finding flags identity policies that provide unrestricted control over CloudTrail operations.",
      "title": "Inline IAM policy does not allow 'cloudtrail:*' privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Defense Evasion"
      ],
      "uid": "prowler-aws-iam_inline_policy_no_full_access_to_cloudtrail-211203495394-us-east-1-cfi-1776042944-cn04-flowlogs-role/cfi-1776042944-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776042944-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776042944-cn04-flowlogs-role",
            "entity": "cfi-1776042944-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776042944-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776042944-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-1776042944-cn04-flowlogs-role/cfi-1776042944-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776042944-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enforce **least privilege** and **separation of duties**: avoid `cloudtrail:*`; grant only specific actions needed (prefer read-only where possible). Add guardrails or boundaries to block destructive actions. Use managed, centrally governed policies and periodically right-size permissions based on usage.",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_no_full_access_to_cloudtrail"
      ]
    },
    "risk_details": "Full CloudTrail access allows stopping trails, modifying configurations, or deleting audit data, compromising log **integrity** and **availability**. It also exposes event data, impacting **confidentiality**. Adversaries could hide activity, evade detection, and obstruct investigations.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-1776043129-cn04-flowlogs-role-policy attached to role cfi-1776043129-cn04-flowlogs-role does not allow 'cloudtrail:*' privileges.",
    "metadata": {
      "event_code": "iam_inline_policy_no_full_access_to_cloudtrail",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-1776043129-cn04-flowlogs-role-policy attached to role cfi-1776043129-cn04-flowlogs-role does not allow 'cloudtrail:*' privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://support.icompaas.com/support/solutions/articles/62000233808-ensure-iam-policies-that-allow-full-cloudtrail-privileges-are-not-created"
      ],
      "notes": "",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR02",
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN04.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-10.01B",
          "SIM-03.07B",
          "COM-04.01AC"
        ],
        "NIST-CSF-2.0": [
          "po_1",
          "ac_7"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** are evaluated for statements that grant **full CloudTrail permissions** (`cloudtrail:*`) to all resources.\n\nThe finding flags identity policies that provide unrestricted control over CloudTrail operations.",
      "title": "Inline IAM policy does not allow 'cloudtrail:*' privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Defense Evasion"
      ],
      "uid": "prowler-aws-iam_inline_policy_no_full_access_to_cloudtrail-211203495394-us-east-1-cfi-1776043129-cn04-flowlogs-role/cfi-1776043129-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776043129-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776043129-cn04-flowlogs-role",
            "entity": "cfi-1776043129-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043129-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043129-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-1776043129-cn04-flowlogs-role/cfi-1776043129-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776043129-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enforce **least privilege** and **separation of duties**: avoid `cloudtrail:*`; grant only specific actions needed (prefer read-only where possible). Add guardrails or boundaries to block destructive actions. Use managed, centrally governed policies and periodically right-size permissions based on usage.",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_no_full_access_to_cloudtrail"
      ]
    },
    "risk_details": "Full CloudTrail access allows stopping trails, modifying configurations, or deleting audit data, compromising log **integrity** and **availability**. It also exposes event data, impacting **confidentiality**. Adversaries could hide activity, evade detection, and obstruct investigations.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-1776043305-cn04-flowlogs-role-policy attached to role cfi-1776043305-cn04-flowlogs-role does not allow 'cloudtrail:*' privileges.",
    "metadata": {
      "event_code": "iam_inline_policy_no_full_access_to_cloudtrail",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-1776043305-cn04-flowlogs-role-policy attached to role cfi-1776043305-cn04-flowlogs-role does not allow 'cloudtrail:*' privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://support.icompaas.com/support/solutions/articles/62000233808-ensure-iam-policies-that-allow-full-cloudtrail-privileges-are-not-created"
      ],
      "notes": "",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR02",
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN04.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-10.01B",
          "SIM-03.07B",
          "COM-04.01AC"
        ],
        "NIST-CSF-2.0": [
          "po_1",
          "ac_7"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** are evaluated for statements that grant **full CloudTrail permissions** (`cloudtrail:*`) to all resources.\n\nThe finding flags identity policies that provide unrestricted control over CloudTrail operations.",
      "title": "Inline IAM policy does not allow 'cloudtrail:*' privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Defense Evasion"
      ],
      "uid": "prowler-aws-iam_inline_policy_no_full_access_to_cloudtrail-211203495394-us-east-1-cfi-1776043305-cn04-flowlogs-role/cfi-1776043305-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776043305-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776043305-cn04-flowlogs-role",
            "entity": "cfi-1776043305-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043305-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043305-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-1776043305-cn04-flowlogs-role/cfi-1776043305-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776043305-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enforce **least privilege** and **separation of duties**: avoid `cloudtrail:*`; grant only specific actions needed (prefer read-only where possible). Add guardrails or boundaries to block destructive actions. Use managed, centrally governed policies and periodically right-size permissions based on usage.",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_no_full_access_to_cloudtrail"
      ]
    },
    "risk_details": "Full CloudTrail access allows stopping trails, modifying configurations, or deleting audit data, compromising log **integrity** and **availability**. It also exposes event data, impacting **confidentiality**. Adversaries could hide activity, evade detection, and obstruct investigations.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-1776044303-cn04-flowlogs-role-policy attached to role cfi-1776044303-cn04-flowlogs-role does not allow 'cloudtrail:*' privileges.",
    "metadata": {
      "event_code": "iam_inline_policy_no_full_access_to_cloudtrail",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-1776044303-cn04-flowlogs-role-policy attached to role cfi-1776044303-cn04-flowlogs-role does not allow 'cloudtrail:*' privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://support.icompaas.com/support/solutions/articles/62000233808-ensure-iam-policies-that-allow-full-cloudtrail-privileges-are-not-created"
      ],
      "notes": "",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR02",
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN04.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-10.01B",
          "SIM-03.07B",
          "COM-04.01AC"
        ],
        "NIST-CSF-2.0": [
          "po_1",
          "ac_7"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** are evaluated for statements that grant **full CloudTrail permissions** (`cloudtrail:*`) to all resources.\n\nThe finding flags identity policies that provide unrestricted control over CloudTrail operations.",
      "title": "Inline IAM policy does not allow 'cloudtrail:*' privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Defense Evasion"
      ],
      "uid": "prowler-aws-iam_inline_policy_no_full_access_to_cloudtrail-211203495394-us-east-1-cfi-1776044303-cn04-flowlogs-role/cfi-1776044303-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776044303-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776044303-cn04-flowlogs-role",
            "entity": "cfi-1776044303-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776044303-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776044303-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-1776044303-cn04-flowlogs-role/cfi-1776044303-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776044303-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enforce **least privilege** and **separation of duties**: avoid `cloudtrail:*`; grant only specific actions needed (prefer read-only where possible). Add guardrails or boundaries to block destructive actions. Use managed, centrally governed policies and periodically right-size permissions based on usage.",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_no_full_access_to_cloudtrail"
      ]
    },
    "risk_details": "Full CloudTrail access allows stopping trails, modifying configurations, or deleting audit data, compromising log **integrity** and **availability**. It also exposes event data, impacting **confidentiality**. Adversaries could hide activity, evade detection, and obstruct investigations.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-20260413t013134z-cn04-flowlogs-role-policy attached to role cfi-20260413t013134z-cn04-flowlogs-role does not allow 'cloudtrail:*' privileges.",
    "metadata": {
      "event_code": "iam_inline_policy_no_full_access_to_cloudtrail",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-20260413t013134z-cn04-flowlogs-role-policy attached to role cfi-20260413t013134z-cn04-flowlogs-role does not allow 'cloudtrail:*' privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://support.icompaas.com/support/solutions/articles/62000233808-ensure-iam-policies-that-allow-full-cloudtrail-privileges-are-not-created"
      ],
      "notes": "",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR02",
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN04.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-10.01B",
          "SIM-03.07B",
          "COM-04.01AC"
        ],
        "NIST-CSF-2.0": [
          "po_1",
          "ac_7"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** are evaluated for statements that grant **full CloudTrail permissions** (`cloudtrail:*`) to all resources.\n\nThe finding flags identity policies that provide unrestricted control over CloudTrail operations.",
      "title": "Inline IAM policy does not allow 'cloudtrail:*' privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Defense Evasion"
      ],
      "uid": "prowler-aws-iam_inline_policy_no_full_access_to_cloudtrail-211203495394-us-east-1-cfi-20260413t013134z-cn04-flowlogs-role/cfi-20260413t013134z-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-20260413t013134z-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-20260413t013134z-cn04-flowlogs-role",
            "entity": "cfi-20260413t013134z-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-20260413t013134z-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-20260413t013134z-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-20260413t013134z-cn04-flowlogs-role/cfi-20260413t013134z-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-20260413t013134z-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enforce **least privilege** and **separation of duties**: avoid `cloudtrail:*`; grant only specific actions needed (prefer read-only where possible). Add guardrails or boundaries to block destructive actions. Use managed, centrally governed policies and periodically right-size permissions based on usage.",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_no_full_access_to_cloudtrail"
      ]
    },
    "risk_details": "Full CloudTrail access allows stopping trails, modifying configurations, or deleting audit data, compromising log **integrity** and **availability**. It also exposes event data, impacting **confidentiality**. Adversaries could hide activity, evade detection, and obstruct investigations.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-1776042944-cn04-flowlogs-role-policy attached to role cfi-1776042944-cn04-flowlogs-role does not allow 'kms:*' privileges.",
    "metadata": {
      "event_code": "iam_inline_policy_no_full_access_to_kms",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-1776042944-cn04-flowlogs-role-policy attached to role cfi-1776042944-cn04-flowlogs-role does not allow 'kms:*' privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://support.icompaas.com/support/solutions/articles/62000233801-ensure-iam-inline-policies-that-allow-full-kms-privileges-are-not-created"
      ],
      "notes": "",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN11.AR04",
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR02",
          "CCC.Core.CN05.AR04",
          "CCC.ObjStor.CN01.AR01",
          "CCC.ObjStor.CN01.AR02",
          "CCC.ObjStor.CN01.AR03",
          "CCC.ObjStor.CN01.AR04",
          "CCC.KeyMgmt.CN02.AR01",
          "CCC.IAM.CN04.AR01"
        ],
        "PCI-4.0": [
          "3.5.1.1.8",
          "3.5.1.3.16",
          "3.6.1.2.8",
          "3.6.1.3.8",
          "3.6.1.4.8",
          "3.6.1.8",
          "3.7.1.9",
          "3.7.2.8",
          "3.7.4.9",
          "3.7.6.8",
          "3.7.7.8",
          "4.2.1.1.21",
          "7.2.1.10",
          "7.2.2.10",
          "7.2.3.6",
          "7.2.5.6",
          "7.3.1.6",
          "7.3.2.6",
          "7.3.3.6",
          "8.2.7.6",
          "8.2.8.8",
          "8.3.4.6"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "OIS-08.02B",
          "IAM-10.01B",
          "CRY-05.02B"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "po_1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** are analyzed to identify statements that grant **unrestricted AWS KMS access** via the wildcard action `kms:*`.",
      "title": "Inline IAM policy does not allow kms:* privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Privilege Escalation",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-iam_inline_policy_no_full_access_to_kms-211203495394-us-east-1-cfi-1776042944-cn04-flowlogs-role/cfi-1776042944-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776042944-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776042944-cn04-flowlogs-role",
            "entity": "cfi-1776042944-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776042944-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776042944-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-1776042944-cn04-flowlogs-role/cfi-1776042944-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776042944-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Replace `kms:*` with **least-privilege**, action-scoped permissions limited to required operations and specific key ARNs. Enforce **separation of duties** for key admins vs users. Prefer **managed policies** over inline and apply guardrails (permissions boundaries/SCPs). Add conditions to constrain service, region, and encryption context.",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_no_full_access_to_kms"
      ]
    },
    "risk_details": "Granting `kms:*` enables decryption of protected data, modification of key policies and grants, and disabling or deleting keys.\n\nImpacts:\n- **Confidentiality** via unauthorized decryption\n- **Integrity** through key/grant tampering\n- **Availability** if keys are disabled or deleted, breaking encrypted workloads",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-1776043129-cn04-flowlogs-role-policy attached to role cfi-1776043129-cn04-flowlogs-role does not allow 'kms:*' privileges.",
    "metadata": {
      "event_code": "iam_inline_policy_no_full_access_to_kms",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-1776043129-cn04-flowlogs-role-policy attached to role cfi-1776043129-cn04-flowlogs-role does not allow 'kms:*' privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://support.icompaas.com/support/solutions/articles/62000233801-ensure-iam-inline-policies-that-allow-full-kms-privileges-are-not-created"
      ],
      "notes": "",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN11.AR04",
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR02",
          "CCC.Core.CN05.AR04",
          "CCC.ObjStor.CN01.AR01",
          "CCC.ObjStor.CN01.AR02",
          "CCC.ObjStor.CN01.AR03",
          "CCC.ObjStor.CN01.AR04",
          "CCC.KeyMgmt.CN02.AR01",
          "CCC.IAM.CN04.AR01"
        ],
        "PCI-4.0": [
          "3.5.1.1.8",
          "3.5.1.3.16",
          "3.6.1.2.8",
          "3.6.1.3.8",
          "3.6.1.4.8",
          "3.6.1.8",
          "3.7.1.9",
          "3.7.2.8",
          "3.7.4.9",
          "3.7.6.8",
          "3.7.7.8",
          "4.2.1.1.21",
          "7.2.1.10",
          "7.2.2.10",
          "7.2.3.6",
          "7.2.5.6",
          "7.3.1.6",
          "7.3.2.6",
          "7.3.3.6",
          "8.2.7.6",
          "8.2.8.8",
          "8.3.4.6"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "OIS-08.02B",
          "IAM-10.01B",
          "CRY-05.02B"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "po_1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** are analyzed to identify statements that grant **unrestricted AWS KMS access** via the wildcard action `kms:*`.",
      "title": "Inline IAM policy does not allow kms:* privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Privilege Escalation",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-iam_inline_policy_no_full_access_to_kms-211203495394-us-east-1-cfi-1776043129-cn04-flowlogs-role/cfi-1776043129-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776043129-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776043129-cn04-flowlogs-role",
            "entity": "cfi-1776043129-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043129-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043129-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-1776043129-cn04-flowlogs-role/cfi-1776043129-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776043129-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Replace `kms:*` with **least-privilege**, action-scoped permissions limited to required operations and specific key ARNs. Enforce **separation of duties** for key admins vs users. Prefer **managed policies** over inline and apply guardrails (permissions boundaries/SCPs). Add conditions to constrain service, region, and encryption context.",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_no_full_access_to_kms"
      ]
    },
    "risk_details": "Granting `kms:*` enables decryption of protected data, modification of key policies and grants, and disabling or deleting keys.\n\nImpacts:\n- **Confidentiality** via unauthorized decryption\n- **Integrity** through key/grant tampering\n- **Availability** if keys are disabled or deleted, breaking encrypted workloads",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-1776043305-cn04-flowlogs-role-policy attached to role cfi-1776043305-cn04-flowlogs-role does not allow 'kms:*' privileges.",
    "metadata": {
      "event_code": "iam_inline_policy_no_full_access_to_kms",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-1776043305-cn04-flowlogs-role-policy attached to role cfi-1776043305-cn04-flowlogs-role does not allow 'kms:*' privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://support.icompaas.com/support/solutions/articles/62000233801-ensure-iam-inline-policies-that-allow-full-kms-privileges-are-not-created"
      ],
      "notes": "",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN11.AR04",
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR02",
          "CCC.Core.CN05.AR04",
          "CCC.ObjStor.CN01.AR01",
          "CCC.ObjStor.CN01.AR02",
          "CCC.ObjStor.CN01.AR03",
          "CCC.ObjStor.CN01.AR04",
          "CCC.KeyMgmt.CN02.AR01",
          "CCC.IAM.CN04.AR01"
        ],
        "PCI-4.0": [
          "3.5.1.1.8",
          "3.5.1.3.16",
          "3.6.1.2.8",
          "3.6.1.3.8",
          "3.6.1.4.8",
          "3.6.1.8",
          "3.7.1.9",
          "3.7.2.8",
          "3.7.4.9",
          "3.7.6.8",
          "3.7.7.8",
          "4.2.1.1.21",
          "7.2.1.10",
          "7.2.2.10",
          "7.2.3.6",
          "7.2.5.6",
          "7.3.1.6",
          "7.3.2.6",
          "7.3.3.6",
          "8.2.7.6",
          "8.2.8.8",
          "8.3.4.6"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "OIS-08.02B",
          "IAM-10.01B",
          "CRY-05.02B"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "po_1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** are analyzed to identify statements that grant **unrestricted AWS KMS access** via the wildcard action `kms:*`.",
      "title": "Inline IAM policy does not allow kms:* privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Privilege Escalation",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-iam_inline_policy_no_full_access_to_kms-211203495394-us-east-1-cfi-1776043305-cn04-flowlogs-role/cfi-1776043305-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776043305-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776043305-cn04-flowlogs-role",
            "entity": "cfi-1776043305-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043305-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776043305-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-1776043305-cn04-flowlogs-role/cfi-1776043305-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776043305-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Replace `kms:*` with **least-privilege**, action-scoped permissions limited to required operations and specific key ARNs. Enforce **separation of duties** for key admins vs users. Prefer **managed policies** over inline and apply guardrails (permissions boundaries/SCPs). Add conditions to constrain service, region, and encryption context.",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_no_full_access_to_kms"
      ]
    },
    "risk_details": "Granting `kms:*` enables decryption of protected data, modification of key policies and grants, and disabling or deleting keys.\n\nImpacts:\n- **Confidentiality** via unauthorized decryption\n- **Integrity** through key/grant tampering\n- **Availability** if keys are disabled or deleted, breaking encrypted workloads",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-1776044303-cn04-flowlogs-role-policy attached to role cfi-1776044303-cn04-flowlogs-role does not allow 'kms:*' privileges.",
    "metadata": {
      "event_code": "iam_inline_policy_no_full_access_to_kms",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-1776044303-cn04-flowlogs-role-policy attached to role cfi-1776044303-cn04-flowlogs-role does not allow 'kms:*' privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://support.icompaas.com/support/solutions/articles/62000233801-ensure-iam-inline-policies-that-allow-full-kms-privileges-are-not-created"
      ],
      "notes": "",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN11.AR04",
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR02",
          "CCC.Core.CN05.AR04",
          "CCC.ObjStor.CN01.AR01",
          "CCC.ObjStor.CN01.AR02",
          "CCC.ObjStor.CN01.AR03",
          "CCC.ObjStor.CN01.AR04",
          "CCC.KeyMgmt.CN02.AR01",
          "CCC.IAM.CN04.AR01"
        ],
        "PCI-4.0": [
          "3.5.1.1.8",
          "3.5.1.3.16",
          "3.6.1.2.8",
          "3.6.1.3.8",
          "3.6.1.4.8",
          "3.6.1.8",
          "3.7.1.9",
          "3.7.2.8",
          "3.7.4.9",
          "3.7.6.8",
          "3.7.7.8",
          "4.2.1.1.21",
          "7.2.1.10",
          "7.2.2.10",
          "7.2.3.6",
          "7.2.5.6",
          "7.3.1.6",
          "7.3.2.6",
          "7.3.3.6",
          "8.2.7.6",
          "8.2.8.8",
          "8.3.4.6"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "OIS-08.02B",
          "IAM-10.01B",
          "CRY-05.02B"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "po_1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** are analyzed to identify statements that grant **unrestricted AWS KMS access** via the wildcard action `kms:*`.",
      "title": "Inline IAM policy does not allow kms:* privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Privilege Escalation",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-iam_inline_policy_no_full_access_to_kms-211203495394-us-east-1-cfi-1776044303-cn04-flowlogs-role/cfi-1776044303-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776044303-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776044303-cn04-flowlogs-role",
            "entity": "cfi-1776044303-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776044303-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-1776044303-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-1776044303-cn04-flowlogs-role/cfi-1776044303-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776044303-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Replace `kms:*` with **least-privilege**, action-scoped permissions limited to required operations and specific key ARNs. Enforce **separation of duties** for key admins vs users. Prefer **managed policies** over inline and apply guardrails (permissions boundaries/SCPs). Add conditions to constrain service, region, and encryption context.",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_no_full_access_to_kms"
      ]
    },
    "risk_details": "Granting `kms:*` enables decryption of protected data, modification of key policies and grants, and disabling or deleting keys.\n\nImpacts:\n- **Confidentiality** via unauthorized decryption\n- **Integrity** through key/grant tampering\n- **Availability** if keys are disabled or deleted, breaking encrypted workloads",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inline policy cfi-20260413t013134z-cn04-flowlogs-role-policy attached to role cfi-20260413t013134z-cn04-flowlogs-role does not allow 'kms:*' privileges.",
    "metadata": {
      "event_code": "iam_inline_policy_no_full_access_to_kms",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Inline policy cfi-20260413t013134z-cn04-flowlogs-role-policy attached to role cfi-20260413t013134z-cn04-flowlogs-role does not allow 'kms:*' privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://support.icompaas.com/support/solutions/articles/62000233801-ensure-iam-inline-policies-that-allow-full-kms-privileges-are-not-created"
      ],
      "notes": "",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN11.AR04",
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR02",
          "CCC.Core.CN05.AR04",
          "CCC.ObjStor.CN01.AR01",
          "CCC.ObjStor.CN01.AR02",
          "CCC.ObjStor.CN01.AR03",
          "CCC.ObjStor.CN01.AR04",
          "CCC.KeyMgmt.CN02.AR01",
          "CCC.IAM.CN04.AR01"
        ],
        "PCI-4.0": [
          "3.5.1.1.8",
          "3.5.1.3.16",
          "3.6.1.2.8",
          "3.6.1.3.8",
          "3.6.1.4.8",
          "3.6.1.8",
          "3.7.1.9",
          "3.7.2.8",
          "3.7.4.9",
          "3.7.6.8",
          "3.7.7.8",
          "4.2.1.1.21",
          "7.2.1.10",
          "7.2.2.10",
          "7.2.3.6",
          "7.2.5.6",
          "7.3.1.6",
          "7.3.2.6",
          "7.3.3.6",
          "8.2.7.6",
          "8.2.8.8",
          "8.3.4.6"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "OIS-08.02B",
          "IAM-10.01B",
          "CRY-05.02B"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "po_1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM inline policies** are analyzed to identify statements that grant **unrestricted AWS KMS access** via the wildcard action `kms:*`.",
      "title": "Inline IAM policy does not allow kms:* privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Privilege Escalation",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-iam_inline_policy_no_full_access_to_kms-211203495394-us-east-1-cfi-20260413t013134z-cn04-flowlogs-role/cfi-20260413t013134z-cn04-flowlogs-role-policy"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-20260413t013134z-cn04-flowlogs-role-policy",
            "arn": "arn:aws:iam::211203495394:role/cfi-20260413t013134z-cn04-flowlogs-role",
            "entity": "cfi-20260413t013134z-cn04-flowlogs-role",
            "version_id": "v1",
            "type": "Inline",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-20260413t013134z-vpc",
                    "arn:aws:logs:us-east-1:211203495394:log-group:/aws/vpc/flow-logs/cfi-20260413t013134z-vpc:*"
                  ]
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "cfi-20260413t013134z-cn04-flowlogs-role/cfi-20260413t013134z-cn04-flowlogs-role-policy",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:role/cfi-20260413t013134z-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Replace `kms:*` with **least-privilege**, action-scoped permissions limited to required operations and specific key ARNs. Enforce **separation of duties** for key admins vs users. Prefer **managed policies** over inline and apply guardrails (permissions boundaries/SCPs). Add conditions to constrain service, region, and encryption context.",
      "references": [
        "https://hub.prowler.com/check/iam_inline_policy_no_full_access_to_kms"
      ]
    },
    "risk_details": "Granting `kms:*` enables decryption of protected data, modification of key policies and grants, and disabling or deleting keys.\n\nImpacts:\n- **Confidentiality** via unauthorized decryption\n- **Integrity** through key/grant tampering\n- **Availability** if keys are disabled or deleted, breaking encrypted workloads",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Custom Policy CN03PeeringGuardrail does not allow permissive STS Role assumption.",
    "metadata": {
      "event_code": "iam_no_custom_policy_permissive_role_assumption",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Custom Policy CN03PeeringGuardrail does not allow permissive STS Role assumption.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "CCC-v2025.10": [
          "CCC.IAM.CN03.AR01",
          "CCC.IAM.CN03.AR02"
        ],
        "CSA-CCM-4.0": [
          "IAM-05"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.01B",
          "IAM-01.04B",
          "IAM-06.02B"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "AWS-Account-Security-Onboarding": [
          "Predefine IAM Roles"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "po_1"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.1",
          "op.acc.4.aws.iam.2",
          "op.exp.8.r4.aws.ct.8",
          "op.exp.8.r4.aws.ct.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1098",
          "T1606",
          "T1040",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Custom IAM policies** are analyzed to identify `Allow` statements that grant `sts:AssumeRole` (or `sts:*`/`*`) on a wildcard `Resource`.",
      "title": "Custom IAM policy does not allow STS role assumption on wildcard resources",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Privilege Escalation",
        "TTPs/Lateral Movement"
      ],
      "uid": "prowler-aws-iam_no_custom_policy_permissive_role_assumption-211203495394-us-east-1-CN03PeeringGuardrail"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "CN03PeeringGuardrail",
            "arn": "arn:aws:iam::211203495394:policy/CN03PeeringGuardrail",
            "entity": "ANPATCLFVSXRKM5643AGY",
            "version_id": "v1",
            "type": "Custom",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "DenyPeeringFromNonAllowlistedRequesterVpc",
                  "Effect": "Deny",
                  "Action": "ec2:CreateVpcPeeringConnection",
                  "Resource": "*",
                  "Condition": {
                    "Null": {
                      "ec2:RequesterVpc": "false"
                    },
                    "ArnEquals": {
                      "ec2:AccepterVpc": [
                        "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-0232d940ac1e052fc"
                      ]
                    },
                    "ArnNotEquals": {
                      "ec2:RequesterVpc": [
                        "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-00edf4476fa81d898",
                        "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-035f0b812cb80ea99"
                      ]
                    }
                  }
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "CN03PeeringGuardrail",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:policy/CN03PeeringGuardrail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** to `sts:AssumeRole`:\n- Scope `Resource` to exact role ARNs\n- Require **MFA** and, for third parties, `ExternalId`\n- Enforce **permissions boundaries** and **SCPs** to block wildcards\n- Regularly remove unused role-assumption rights and **separate duties**",
      "references": [
        "https://hub.prowler.com/check/iam_no_custom_policy_permissive_role_assumption"
      ]
    },
    "risk_details": "Broad `AssumeRole` rights let principals obtain **temporary credentials** for many roles, enabling **privilege escalation**, **lateral movement**, and **cross-account access** where trusts allow. This jeopardizes **confidentiality** and **integrity** of data and the control plane.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Root account does not have access keys.",
    "metadata": {
      "event_code": "iam_no_root_access_key",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Root account does not have access keys.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/root-account-access-keys-present.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "9.2.c"
        ],
        "HIPAA": [
          "164_308_a_1_ii_b",
          "164_308_a_3_i",
          "164_308_a_3_ii_b",
          "164_308_a_4_ii_c",
          "164_312_a_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-3",
          "ia-2"
        ],
        "CIS-6.0": [
          "2.3"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam",
          "ksi-iam-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_2_6",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_7",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_6",
          "ac_6_2",
          "ac_6_10",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "ia_2",
          "ia_4_b",
          "ia_4_4",
          "ia_4_8",
          "ia_5_8",
          "mp_2",
          "sc_23_3",
          "sc_25"
        ],
        "AWS-Foundational-Technical-Review": [
          "ARC-004"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN03.AR02",
          "CCC.Core.CN03.AR04",
          "CCC.Core.CN05.AR06",
          "CCC.IAM.CN01.AR01",
          "CCC.IAM.CN01.AR02"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_1"
        ],
        "CIS-2.0": [
          "1.4"
        ],
        "CSA-CCM-4.0": [
          "IAM-09",
          "IAM-10"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-3"
        ],
        "PCI-4.0": [
          "7.2.1.17",
          "7.2.2.17",
          "7.2.3.8",
          "8.2.1.4",
          "8.2.2.6",
          "8.2.4.4",
          "8.2.5.4",
          "8.3.11.4"
        ],
        "FFIEC": [
          "d3-pc-am-b-1",
          "d3-pc-am-b-3",
          "d3-pc-am-b-8"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.5",
          "2.7.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.1.13"
        ],
        "CIS-4.0.1": [
          "1.4"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC01-BP02"
        ],
        "CIS-3.0": [
          "1.4"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.5",
          "2.7.2",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-03.01B",
          "IAM-03.03B",
          "IAM-06.02B",
          "IAM-10.01B",
          "CRY-03.01B"
        ],
        "ISO27001-2022": [
          "A.5.15"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.4"
        ],
        "SecNumCloud-3.2": [
          "9.6"
        ],
        "CIS-1.4": [
          "1.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2",
          "ac_3",
          "ac_6_10",
          "ac_6"
        ],
        "NIST-CSF-1.1": [
          "ac_1",
          "ac_4",
          "pt_3"
        ],
        "CIS-5.0": [
          "1.3"
        ],
        "CIS-1.5": [
          "1.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Block root user"
        ],
        "NIST-CSF-2.0": [
          "ac_1",
          "ac_6"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ac-3",
          "ac-5-c",
          "ac-6-10",
          "ac-6",
          "ia-2"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g",
          "11.200"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_1_4",
          "3_1_5",
          "3_1_6",
          "3_1_7",
          "3_4_6"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.7"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1550"
        ],
        "ISO27001-2013": [
          "A.9.2.N",
          "A.9.4.N"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS root user** is evaluated for **active access keys**. It identifies whether the root identity has one or two programmatic credentials and notes when organization-level root credential management is present.",
      "title": "Root account has no active access keys",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Credential Access"
      ],
      "uid": "prowler-aws-iam_no_root_access_key-211203495394-us-east-1-<root_account>"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "user": "<root_account>",
            "arn": "arn:aws:iam::211203495394:root",
            "user_creation_time": "2025-10-03T16:10:08Z",
            "password_enabled": "true",
            "password_last_used": "2026-04-09T09:51:05Z",
            "password_last_changed": "2025-10-03T16:10:08Z",
            "password_next_rotation": "not_supported",
            "mfa_active": "true",
            "access_key_1_active": "false",
            "access_key_1_last_rotated": "N/A",
            "access_key_1_last_used_date": "N/A",
            "access_key_1_last_used_region": "N/A",
            "access_key_1_last_used_service": "N/A",
            "access_key_2_active": "false",
            "access_key_2_last_rotated": "N/A",
            "access_key_2_last_used_date": "N/A",
            "access_key_2_last_used_region": "N/A",
            "access_key_2_last_used_service": "N/A",
            "cert_1_active": "false",
            "cert_1_last_rotated": "N/A",
            "cert_2_active": "false",
            "cert_2_last_rotated": "N/A"
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "<root_account>",
        "type": "AwsIamAccessKey",
        "uid": "arn:aws:iam::211203495394:root"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Delete and prohibit **root access keys**. Use **IAM roles** and temporary credentials with **least privilege** for all automation. Enable **MFA on root**, limit root to break-glass use, and continuously monitor for any new root keys. *Where applicable*, apply organization-wide controls to enforce this.",
      "references": [
        "https://hub.prowler.com/check/iam_no_root_access_key"
      ]
    },
    "risk_details": "**Root access keys** provide unrestricted API access. If exposed or misused, attackers can:\n- Turn off logging and alter policies (**integrity**)\n- Read or export data (**confidentiality**)\n- Delete resources and lock out admins (**availability**)\nLong-lived keys remain valid until they are removed, and API calls made with them may bypass MFA that applies only to console sign-in.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Password expiration is not set.",
    "metadata": {
      "event_code": "iam_password_policy_expires_passwords_within_90_days_or_less",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Password expiration is not set.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "1.1.1.d",
          "1.1.2",
          "9.2.c.v",
          "11.6.2.a"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-003"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN05.AR01"
        ],
        "CSA-CCM-4.0": [
          "IAM-02",
          "IAM-15"
        ],
        "PCI-4.0": [
          "8.3.6.1",
          "8.6.3.2"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.1.12"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC03-BP06"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.4",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-03.02B",
          "IAM-08.03B",
          "IAM-08.05B",
          "PSS-07.01B"
        ],
        "ISO27001-2022": [
          "A.5.15"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.7",
          "IAM.10"
        ],
        "SecNumCloud-3.2": [
          "9.5"
        ],
        "NIST-800-171-Revision-2": [
          "3_5_5",
          "3_5_6",
          "3_5_7",
          "3_5_8"
        ],
        "ENS-RD2022": [
          "op.acc.6.aws.iam.3"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1110"
        ],
        "ISO27001-2013": [
          "A.9.2.A",
          "A.9.3.A",
          "A.9.4.A"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM account password policy** sets a **password expiration period** for IAM user console logins; configuration is aligned when rotation is enabled and set to `<= 90` days.",
      "title": "IAM account password policy enforces password expiration within 90 days or less",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_password_policy_expires_passwords_within_90_days_or_less-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "length": 8,
            "symbols": false,
            "numbers": false,
            "uppercase": false,
            "lowercase": false,
            "allow_change": true,
            "expiration": false,
            "max_age": null,
            "reuse_prevention": null,
            "hard_expiry": null
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam:us-east-1:211203495394:password-policy"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enforce **password rotation** at `<= 90` days and **prevent reuse**. Pair with **MFA**, strong length/complexity, and prefer **federation/SSO** to reduce static passwords. Apply **least privilege**, monitor sign-ins, and remove inactive console passwords to limit exposure.",
      "references": [
        "https://hub.prowler.com/check/iam_password_policy_expires_passwords_within_90_days_or_less"
      ]
    },
    "risk_details": "Without rotation, stale passwords persist, enabling **credential stuffing**, **brute force**, and **password reuse** attacks. A compromised IAM user can retain console access, enabling **data exfiltration**, privilege escalation, and loss of **confidentiality** and **integrity**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM password policy does not require at least one lowercase letter.",
    "metadata": {
      "event_code": "iam_password_policy_lowercase",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM password policy does not require at least one lowercase letter.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "9.2.c.v",
          "11.6.2.a"
        ],
        "HIPAA": [
          "164_308_a_5_ii_d"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-003"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN05.AR01"
        ],
        "CSA-CCM-4.0": [
          "IAM-02"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-4"
        ],
        "FFIEC": [
          "d3-pc-am-b-6",
          "d3-pc-am-b-7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.1.8"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP01"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.4",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-08.03B",
          "PSS-07.01B"
        ],
        "ISO27001-2022": [
          "A.5.15"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.7",
          "IAM.10"
        ],
        "SecNumCloud-3.2": [
          "9.5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g",
          "11.200",
          "11.300-b"
        ],
        "NIST-800-171-Revision-2": [
          "3_5_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r1.aws.iam.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1110"
        ],
        "ISO27001-2013": [
          "A.9.2.F",
          "A.9.3.F",
          "A.9.4.F"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM password policy** requires at least one **lowercase** character in user passwords via the `Require lowercase` setting.",
      "title": "IAM password policy requires at least one lowercase letter",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_password_policy_lowercase-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "length": 8,
            "symbols": false,
            "numbers": false,
            "uppercase": false,
            "lowercase": false,
            "allow_change": true,
            "expiration": false,
            "max_age": null,
            "reuse_prevention": null,
            "hard_expiry": null
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam:us-east-1:211203495394:password-policy"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Adopt a strong password policy that:\n- Enables `Require at least one lowercase letter` plus uppercase, number, and symbol\n- Sets sufficient length and blocks reuse\n- Requires **MFA** for all users\n- Applies **least privilege** to limit blast radius",
      "references": [
        "https://hub.prowler.com/check/iam_password_policy_lowercase"
      ]
    },
    "risk_details": "Without a lowercase requirement, passwords have reduced entropy, making **brute force** and **password spraying** more effective. Compromised IAM users can enable unauthorized access and changes, risking **confidentiality**, **integrity**, and **availability** of AWS resources.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM password policy does not require minimum length of 14 characters.",
    "metadata": {
      "event_code": "iam_password_policy_minimum_length_14",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM password policy does not require minimum length of 14 characters.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html",
        "https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/IAM/Resource.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "9.2.c.v"
        ],
        "HIPAA": [
          "164_308_a_5_ii_d"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ia-2"
        ],
        "CIS-6.0": [
          "2.7"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_2_3_a",
          "ac_2_3_b",
          "ac_2_3_c",
          "ac_2_3_d",
          "ac_2_3",
          "ac_2_d_1",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_7_4",
          "ac_7_4_a",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "cm_12_b",
          "ia_4_d",
          "ia_5",
          "ia_5_b",
          "ia_5_c",
          "ia_5_d",
          "ia_5_f",
          "ia_5_h",
          "ia_5_1_f",
          "ia_5_1_g",
          "ia_5_1_h",
          "ia_5_1_h",
          "ia_5_18_a",
          "ia_5_18_b",
          "ia_8_2_b",
          "ma_4_c",
          "sc_23_3"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-003"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN05.AR01"
        ],
        "CIS-2.0": [
          "1.8"
        ],
        "CSA-CCM-4.0": [
          "IAM-02",
          "IAM-15"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-4"
        ],
        "FFIEC": [
          "d3-pc-am-b-6",
          "d3-pc-am-b-7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.1.4"
        ],
        "CIS-4.0.1": [
          "1.8"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP01"
        ],
        "CIS-3.0": [
          "1.8"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.4",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-08.03B",
          "PSS-07.01B"
        ],
        "ISO27001-2022": [
          "A.5.15"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.7",
          "IAM.10"
        ],
        "SecNumCloud-3.2": [
          "9.5",
          "10.3"
        ],
        "CIS-1.4": [
          "1.8"
        ],
        "CIS-5.0": [
          "1.7"
        ],
        "CIS-1.5": [
          "1.8"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ac-2-3",
          "ac-5-c",
          "ia-2",
          "ia-5-1-a-d-e",
          "ia-5-4"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g",
          "11.200",
          "11.300-b"
        ],
        "NIST-800-171-Revision-2": [
          "3_5_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r1.aws.iam.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1110"
        ],
        "ISO27001-2013": [
          "A.9.2.C",
          "A.9.3.C",
          "A.9.4.C"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM password policy** is assessed for the **minimum password length** setting, confirming it meets `>= 14` characters for IAM console users.",
      "title": "IAM password policy requires passwords to be at least 14 characters long",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-iam_password_policy_minimum_length_14-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "length": 8,
            "symbols": false,
            "numbers": false,
            "uppercase": false,
            "lowercase": false,
            "allow_change": true,
            "expiration": false,
            "max_age": null,
            "reuse_prevention": null,
            "hard_expiry": null
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam:us-east-1:211203495394:password-policy"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Set the **minimum password length** to `>= 14` (prefer `16+`).\n- Require mixed character types and prevent reuse\n- Enforce **MFA** for all console users\n- Prefer SSO over local IAM users\n- Apply least privilege and monitor authentication events",
      "references": [
        "https://hub.prowler.com/check/iam_password_policy_minimum_length_14"
      ]
    },
    "risk_details": "Low minimum length reduces entropy, easing **brute force** and **credential stuffing**. Compromised IAM users enable console access, unauthorized changes, and lateral movement, leading to data exposure (confidentiality) and tampering (integrity).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM password policy does not require at least one number.",
    "metadata": {
      "event_code": "iam_password_policy_number",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM password policy does not require at least one number.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "9.2.c.v"
        ],
        "HIPAA": [
          "164_308_a_5_ii_d"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-003"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN05.AR01"
        ],
        "CSA-CCM-4.0": [
          "IAM-02"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-4"
        ],
        "FFIEC": [
          "d3-pc-am-b-6",
          "d3-pc-am-b-7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.1.6"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP01"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.4",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-08.03B",
          "IAM-08.05B",
          "PSS-07.01B"
        ],
        "ISO27001-2022": [
          "A.5.15"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.7",
          "IAM.10"
        ],
        "SecNumCloud-3.2": [
          "9.5",
          "10.3"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g",
          "11.200",
          "11.300-b"
        ],
        "NIST-800-171-Revision-2": [
          "3_5_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r1.aws.iam.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1110"
        ],
        "ISO27001-2013": [
          "A.9.2.D",
          "A.9.3.D",
          "A.9.4.D"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM account password policy** requires at least one **numeric character** (`0-9`) in IAM user passwords.",
      "title": "IAM password policy requires at least one number",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_password_policy_number-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "length": 8,
            "symbols": false,
            "numbers": false,
            "uppercase": false,
            "lowercase": false,
            "allow_change": true,
            "expiration": false,
            "max_age": null,
            "reuse_prevention": null,
            "hard_expiry": null
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam:us-east-1:211203495394:password-policy"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enforce the password policy option to `require at least one number`. Combine with strong length, mixed case, and symbols, and prevent reuse. Enable **MFA** for all users and prefer **federated access** to limit static credentials, supporting **defense in depth** against guessing attacks.",
      "references": [
        "https://hub.prowler.com/check/iam_password_policy_number"
      ]
    },
    "risk_details": "Passwords without numbers have lower entropy, making **brute-force** and **credential-stuffing** more effective. A compromised IAM user can gain console access, enabling data exposure (**confidentiality**), configuration changes (**integrity**), and resource abuse or deletion (**availability**).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM password policy reuse prevention is less than 24 or not set.",
    "metadata": {
      "event_code": "iam_password_policy_reuse_24",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM password policy reuse prevention is less than 24 or not set.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "9.2.c.v"
        ],
        "HIPAA": [
          "164_308_a_4_ii_c",
          "164_308_a_5_ii_d",
          "164_312_d"
        ],
        "CIS-6.0": [
          "2.8"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-003"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN05.AR01"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_2"
        ],
        "PCI-3.2.1": [
          "8.1",
          "8.1.4",
          "8.2",
          "8.2.3",
          "8.2.3.a",
          "8.2.3.b",
          "8.2.4",
          "8.2.4.a",
          "8.2.4.b",
          "8.2.5",
          "8.2.5.a",
          "8.2.5.b"
        ],
        "CIS-2.0": [
          "1.9"
        ],
        "CSA-CCM-4.0": [
          "IAM-02",
          "IAM-15"
        ],
        "GDPR": [
          "article_25"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.1.5"
        ],
        "CIS-4.0.1": [
          "1.9"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP01"
        ],
        "CIS-3.0": [
          "1.9"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.4",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.03B",
          "IAM-03.02B",
          "IAM-03.03B",
          "IAM-03.01AS",
          "IAM-08.03B",
          "IAM-08.05B",
          "IAM-08.07B",
          "PSS-07.01B"
        ],
        "ISO27001-2022": [
          "A.5.15"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.7",
          "IAM.10"
        ],
        "SecNumCloud-3.2": [
          "9.5"
        ],
        "CIS-1.4": [
          "1.9"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2",
          "ia_2",
          "ia_5_1",
          "ia_5_4"
        ],
        "NIST-CSF-1.1": [
          "ac_1"
        ],
        "CIS-5.0": [
          "1.8"
        ],
        "CIS-1.5": [
          "1.9"
        ],
        "NIST-800-171-Revision-2": [
          "3_5_5",
          "3_5_6",
          "3_5_7",
          "3_5_8"
        ],
        "ENS-RD2022": [
          "op.acc.6.r1.aws.iam.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1110"
        ],
        "ISO27001-2013": [
          "A.9.2.B",
          "A.9.3.B",
          "A.9.4.B"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM account password policy** uses **password reuse prevention** set to `24` remembered passwords (maximum history) for IAM users",
      "title": "IAM password policy prevents reuse of the last 24 passwords",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_password_policy_reuse_24-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "length": 8,
            "symbols": false,
            "numbers": false,
            "uppercase": false,
            "lowercase": false,
            "allow_change": true,
            "expiration": false,
            "max_age": null,
            "reuse_prevention": null,
            "hard_expiry": null
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam:us-east-1:211203495394:password-policy"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Set the password policy to remember `24` previous passwords to block reuse. Combine with **MFA**, strong length and complexity, and avoid rotation practices that encourage predictable patterns. Apply **least privilege** and monitor authentication events as part of **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/iam_password_policy_reuse_24"
      ]
    },
    "risk_details": "If fewer than `24` passwords are remembered, users can cycle back to recent secrets, undermining rotation. Attackers with previously exposed passwords can regain console access after a change, reducing **confidentiality** and **integrity** and increasing success of credential-stuffing with known credentials.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM password policy does not require at least one symbol.",
    "metadata": {
      "event_code": "iam_password_policy_symbol",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM password policy does not require at least one symbol.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "9.2.c.v"
        ],
        "HIPAA": [
          "164_308_a_5_ii_d"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-003"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN05.AR01"
        ],
        "CSA-CCM-4.0": [
          "IAM-02"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-4"
        ],
        "FFIEC": [
          "d3-pc-am-b-6",
          "d3-pc-am-b-7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.1.7"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP01"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.4",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-08.03B",
          "PSS-07.01B"
        ],
        "ISO27001-2022": [
          "A.5.15"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.7",
          "IAM.10"
        ],
        "SecNumCloud-3.2": [
          "9.5",
          "10.3"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g",
          "11.200",
          "11.300-b"
        ],
        "NIST-800-171-Revision-2": [
          "3_5_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r1.aws.iam.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1110"
        ],
        "ISO27001-2013": [
          "A.9.2.E",
          "A.9.3.E",
          "A.9.4.E"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM account password policy** includes the `Require at least one non-alphanumeric character` rule for IAM user passwords",
      "title": "IAM password policy requires at least one symbol",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Credential Access"
      ],
      "uid": "prowler-aws-iam_password_policy_symbol-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "length": 8,
            "symbols": false,
            "numbers": false,
            "uppercase": false,
            "lowercase": false,
            "allow_change": true,
            "expiration": false,
            "max_age": null,
            "reuse_prevention": null,
            "hard_expiry": null
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam:us-east-1:211203495394:password-policy"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enforce the `Require at least one non-alphanumeric character` rule in the **IAM password policy**, alongside strong minimum length, mixed character sets, and password reuse prevention. Apply **MFA** for all human users and uphold **least privilege** to limit impact. *Consider periodic rotation based on risk.*",
      "references": [
        "https://hub.prowler.com/check/iam_password_policy_symbol"
      ]
    },
    "risk_details": "Missing a **symbol requirement** lowers password entropy, which makes **brute force** guessing against console logins more effective and leaves weak, commonly reused passwords more exposed to **credential stuffing**. A compromised IAM user can gain unauthorized access and modify resources, threatening **confidentiality** and **integrity** across the account.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM password policy does not require at least one uppercase letter.",
    "metadata": {
      "event_code": "iam_password_policy_uppercase",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM password policy does not require at least one uppercase letter.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "9.2.c.v"
        ],
        "HIPAA": [
          "164_308_a_5_ii_d"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-003"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN05.AR01"
        ],
        "CSA-CCM-4.0": [
          "IAM-02"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-4"
        ],
        "FFIEC": [
          "d3-pc-am-b-6",
          "d3-pc-am-b-7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.4",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.1.9"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP01"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.4",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-08.03B",
          "IAM-08.05B",
          "PSS-07.01B"
        ],
        "ISO27001-2022": [
          "A.5.15"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.7",
          "IAM.10"
        ],
        "SecNumCloud-3.2": [
          "9.5"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g",
          "11.200",
          "11.300-b"
        ],
        "NIST-800-171-Revision-2": [
          "3_5_7"
        ],
        "ENS-RD2022": [
          "op.acc.6.r1.aws.iam.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1110"
        ],
        "ISO27001-2013": [
          "A.9.2.G",
          "A.9.3.G",
          "A.9.4.G"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM account password policy** enforces the presence of **at least one uppercase letter** (`A-Z`) in IAM user passwords.\n\n*This evaluates whether the uppercase complexity rule is enabled for console passwords.*",
      "title": "IAM password policy requires at least one uppercase letter",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
        "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"
      ],
      "uid": "prowler-aws-iam_password_policy_uppercase-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "length": 8,
            "symbols": false,
            "numbers": false,
            "uppercase": false,
            "lowercase": false,
            "allow_change": true,
            "expiration": false,
            "max_age": null,
            "reuse_prevention": null,
            "hard_expiry": null
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam:us-east-1:211203495394:password-policy"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enable the uppercase rule within a **strong password policy** that also requires length, lowercase, numbers, and symbols. Pair with **MFA** and **least privilege** to reduce blast radius. Regularly review policy effectiveness and prefer **federated SSO** to minimize long-lived IAM passwords.",
      "references": [
        "https://hub.prowler.com/check/iam_password_policy_uppercase"
      ]
    },
    "risk_details": "Without an uppercase requirement, passwords have lower entropy, which makes **brute force** and **offline cracking** more effective and leaves weak, commonly reused passwords more exposed to **credential stuffing**. Compromised IAM users can access the console, threatening **confidentiality** (data exposure), **integrity** (unauthorized changes), and **availability** (resource deletion).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Custom Policy arn:aws:iam::211203495394:policy/CN03PeeringGuardrail does not allow privilege escalation.",
    "metadata": {
      "event_code": "iam_policy_allows_privilege_escalation",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Custom Policy arn:aws:iam::211203495394:policy/CN03PeeringGuardrail does not allow privilege escalation.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege",
        "https://bishopfox.com/blog/privilege-escalation-in-aws",
        "https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py",
        "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
        "https://labs.reversec.com/posts/2025/08/another-ecs-privilege-escalation-path"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "NIS2": [
          "11.2.2.a"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR02",
          "CCC.IAM.CN02.AR01",
          "CCC.IAM.CN02.AR02"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-10"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP06"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-06.01B"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1",
          "ra_1",
          "ac_1",
          "ac_4",
          "ac_6",
          "ac_7",
          "ip_1"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.1",
          "op.acc.4.aws.iam.2",
          "op.exp.8.r4.aws.ct.8",
          "op.exp.8.r4.aws.ct.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1648",
          "T1098",
          "T1578",
          "T1550",
          "T1606",
          "T1040",
          "T1580",
          "T1619",
          "T1201"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Customer-managed IAM policies** are evaluated for **permissions that enable privilege escalation**, including creating or updating policies, altering role trust, attaching higher-privilege policies, or using `iam:PassRole` to obtain broader access.",
      "title": "Customer managed IAM policy does not allow actions that can lead to privilege escalation",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_policy_allows_privilege_escalation-211203495394-us-east-1-CN03PeeringGuardrail"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "CN03PeeringGuardrail",
            "arn": "arn:aws:iam::211203495394:policy/CN03PeeringGuardrail",
            "entity": "ANPATCLFVSXRKM5643AGY",
            "version_id": "v1",
            "type": "Custom",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "DenyPeeringFromNonAllowlistedRequesterVpc",
                  "Effect": "Deny",
                  "Action": "ec2:CreateVpcPeeringConnection",
                  "Resource": "*",
                  "Condition": {
                    "Null": {
                      "ec2:RequesterVpc": "false"
                    },
                    "ArnEquals": {
                      "ec2:AccepterVpc": [
                        "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-0232d940ac1e052fc"
                      ]
                    },
                    "ArnNotEquals": {
                      "ec2:RequesterVpc": [
                        "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-00edf4476fa81d898",
                        "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-035f0b812cb80ea99"
                      ]
                    }
                  }
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "CN03PeeringGuardrail",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:policy/CN03PeeringGuardrail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** to customer policies:\n- Avoid wildcards in `Action` and `Resource`\n- Remove or tightly scope `iam:PassRole`, policy attach/update, and trust-policy changes\n- Use conditions like `iam:PassedToService` and tags to constrain use\n- Enforce **permissions boundaries** and **SCPs**\n- Separate duties with change review",
      "references": [
        "https://hub.prowler.com/check/iam_policy_allows_privilege_escalation"
      ]
    },
    "risk_details": "**Privilege-escalation permissions** let principals assume higher-privilege roles or attach admin policies, impacting:\n- **Confidentiality** via unauthorized data access/exfiltration\n- **Integrity** by modifying policies, configs, or logs\n- **Availability** through resource deletion or disabling controls",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "User terraform-user has the policy AdministratorAccess attached.",
    "metadata": {
      "event_code": "iam_policy_attached_only_to_group_or_roles",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "User terraform-user has the policy AdministratorAccess attached.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "NIS2": [
          "1.2.1",
          "2.1.2.f",
          "11.2.2.a"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-3"
        ],
        "CIS-6.0": [
          "2.14"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam",
          "ksi-iam-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_2_6",
          "ac_2_i_2",
          "ac_3",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_7",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_6",
          "ac_6_3",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "mp_2",
          "sc_23_3"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-006",
          "IAM-0012"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR04",
          "CCC.Core.CN05.AR06"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_1"
        ],
        "CIS-2.0": [
          "1.15"
        ],
        "CSA-CCM-4.0": [
          "IAM-04",
          "IAM-09"
        ],
        "PCI-4.0": [
          "7.2.1.12",
          "7.2.1.13",
          "7.2.2.12",
          "7.2.2.13",
          "7.2.5.8",
          "7.2.5.9",
          "7.3.1.8",
          "7.3.1.9",
          "7.3.2.8",
          "7.3.2.9",
          "7.3.3.8",
          "7.3.3.9",
          "8.2.1.3",
          "8.2.2.5",
          "8.2.4.3",
          "8.2.5.3",
          "8.2.7.8",
          "8.2.7.9",
          "8.2.8.10",
          "8.2.8.11",
          "8.3.11.3",
          "8.3.4.8",
          "8.3.4.9"
        ],
        "FFIEC": [
          "d3-pc-am-b-1",
          "d3-pc-im-b-7"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.1",
          "1.2.2"
        ],
        "CIS-4.0.1": [
          "1.15"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP06"
        ],
        "CIS-3.0": [
          "1.15"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_1_3"
        ],
        "C5-2025": [
          "IAM-01.01B",
          "IAM-01.04B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.5.15"
        ],
        "SecNumCloud-3.2": [
          "9.1"
        ],
        "CIS-1.4": [
          "1.15"
        ],
        "NIST-800-53-Revision-4": [
          "ac_6"
        ],
        "CIS-5.0": [
          "1.14"
        ],
        "CIS-1.5": [
          "1.15"
        ],
        "AWS-Account-Security-Onboarding": [
          "Predefine IAM Roles"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1",
          "am_6",
          "ac_1",
          "ac_4",
          "ac_6",
          "ac_7",
          "ip_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ac-3",
          "ac-5-c",
          "sc-2"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g"
        ],
        "NIST-800-171-Revision-2": [
          "3_4_6"
        ],
        "ENS-RD2022": [
          "op.exp.8.r4.aws.ct.8",
          "op.exp.8.r4.aws.ct.1"
        ],
        "ISO27001-2013": [
          "A.9.2.I",
          "A.9.4.I"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM users** have identity-based policies attached directly (managed or inline) instead of inheriting permissions via **groups** or **roles**.",
      "title": "IAM user has no inline or attached policies",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_policy_attached_only_to_group_or_roles-211203495394-us-east-1-terraform-user/AdministratorAccess"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "terraform-user",
            "arn": "arn:aws:iam::211203495394:user/terraform-user",
            "mfa_devices": [],
            "password_last_used": null,
            "console_access": false,
            "attached_policies": [
              {
                "PolicyName": "AdministratorAccess",
                "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
              }
            ],
            "inline_policies": [],
            "tags": [
              {
                "Key": "CCC_INFRA_DONT_DELETE",
                "Value": "True"
              },
              {
                "Key": "Preexisting",
                "Value": "20251012"
              }
            ]
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [
          "CCC_INFRA_DONT_DELETE:True",
          "Preexisting:20251012"
        ],
        "name": "terraform-user/AdministratorAccess",
        "type": "AwsIamUser",
        "uid": "arn:aws:iam::211203495394:user/terraform-user"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Assign permissions to **groups** (humans) and **roles** (workloads); avoid user-attached policies. Enforce **least privilege**, prefer federation and temporary credentials, and use tags or **permissions boundaries** to constrain scope. Review regularly to remove direct user policies and right-size access.",
      "references": [
        "https://hub.prowler.com/check/iam_policy_attached_only_to_group_or_roles"
      ]
    },
    "risk_details": "Directly attached user policies hinder centralized control and cause privilege creep. If a user is compromised, excessive rights enable data exposure, resource tampering, and lateral movement, harming **confidentiality** and **integrity**. Revocation is error-prone, weakening **separation of duties** and auditability.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS CloudShellFullAccess policy is not attached to any IAM entity.",
    "metadata": {
      "event_code": "iam_policy_cloudshell_admin_not_attached",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "AWS CloudShellFullAccess policy is not attached to any IAM entity.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-27",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/unapproved-iam-policy-in-use.html",
        "https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-blacklisted-check.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html",
        "https://icompaas.freshdesk.com/support/solutions/articles/62000233099-1-22-restrict-access-to-awscloudshellfullaccess-manual-"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "1.2.1"
        ],
        "CIS-6.0": [
          "2.21"
        ],
        "CIS-2.0": [
          "1.22"
        ],
        "PCI-4.0": [
          "7.2.1.14",
          "7.2.1.15",
          "7.2.1.16",
          "7.2.2.14",
          "7.2.2.15",
          "7.2.2.16",
          "7.2.3.7",
          "7.2.5.10",
          "7.2.5.11",
          "7.2.5.12",
          "7.3.1.10",
          "7.3.1.11",
          "7.3.1.12",
          "7.3.2.10",
          "7.3.2.11",
          "7.3.2.12",
          "7.3.3.10",
          "7.3.3.11",
          "7.3.3.12",
          "8.2.7.10",
          "8.2.7.11",
          "8.2.7.12",
          "8.2.8.12",
          "8.2.8.13",
          "8.2.8.14",
          "8.3.4.10",
          "8.3.4.11",
          "8.3.4.12"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.3.2"
        ],
        "CIS-4.0.1": [
          "1.22"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "OIS-02.01B",
          "SP-01.04B",
          "HR-01.01B",
          "IAM-01.01B",
          "IAM-01.04B",
          "IAM-06.01B"
        ],
        "CIS-5.0": [
          "1.21"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM identities** with the AWS managed policy `AWSCloudShellFullAccess` attached are identified across users, groups, and roles.\n\nThis indicates principals are granted `cloudshell:*` on `*`, enabling full CloudShell features, including environment startup and file transfer.",
      "title": "No IAM users, groups, or roles have the AWSCloudShellFullAccess policy attached",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-iam_policy_cloudshell_admin_not_attached-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "Users": [],
            "Groups": [],
            "Roles": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::aws:policy/AWSCloudShellFullAccess"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Detach `AWSCloudShellFullAccess` from identities.\n\nApply **least privilege**: permit CloudShell only when necessary via narrowly scoped permissions, restricted roles, short-lived sessions, and approvals. Prefer controlled alternatives (local CLI, bastion, or Session Manager). Enforce **separation of duties** and monitor usage.",
      "references": [
        "https://hub.prowler.com/check/iam_policy_cloudshell_admin_not_attached"
      ]
    },
    "risk_details": "Granting `cloudshell:*` enables an interactive shell with Internet egress and file upload/download, degrading **confidentiality** and **integrity**.\n\nCompromised principals can exfiltrate data, stage tooling with sudo, persist artifacts in CloudShell, and operate from AWS IP space to bypass endpoint controls.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Custom Policy CN03PeeringGuardrail does not allow 'cloudtrail:*' privileges.",
    "metadata": {
      "event_code": "iam_policy_no_full_access_to_cloudtrail",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Custom Policy CN03PeeringGuardrail does not allow 'cloudtrail:*' privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://support.icompaas.com/support/solutions/articles/62000233808-ensure-iam-policies-that-allow-full-cloudtrail-privileges-are-not-created"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "11.2.2.a"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR02",
          "CCC.Core.CN05.AR04",
          "CCC.IAM.CN04.AR01"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_3"
        ],
        "C5-2025": [
          "IAM-10.01B",
          "SIM-03.07B"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "po_1",
          "ac_1",
          "ac_4"
        ],
        "ENS-RD2022": [
          "op.exp.8.r4.aws.ct.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1648",
          "T1098",
          "T1578",
          "T1550",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Custom IAM policies are reviewed for statements that grant **full CloudTrail access** via the `cloudtrail:*` wildcard, indicating unrestricted permission to all CloudTrail actions.",
      "title": "Customer managed IAM policy does not allow cloudtrail:* privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Defense Evasion"
      ],
      "uid": "prowler-aws-iam_policy_no_full_access_to_cloudtrail-211203495394-us-east-1-CN03PeeringGuardrail"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "CN03PeeringGuardrail",
            "arn": "arn:aws:iam::211203495394:policy/CN03PeeringGuardrail",
            "entity": "ANPATCLFVSXRKM5643AGY",
            "version_id": "v1",
            "type": "Custom",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "DenyPeeringFromNonAllowlistedRequesterVpc",
                  "Effect": "Deny",
                  "Action": "ec2:CreateVpcPeeringConnection",
                  "Resource": "*",
                  "Condition": {
                    "Null": {
                      "ec2:RequesterVpc": "false"
                    },
                    "ArnEquals": {
                      "ec2:AccepterVpc": [
                        "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-0232d940ac1e052fc"
                      ]
                    },
                    "ArnNotEquals": {
                      "ec2:RequesterVpc": [
                        "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-00edf4476fa81d898",
                        "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-035f0b812cb80ea99"
                      ]
                    }
                  }
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "CN03PeeringGuardrail",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:policy/CN03PeeringGuardrail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege**: avoid `cloudtrail:*` and allow only required actions.\n\nEnforce **separation of duties** for trail management. Use **permissions boundaries** or **SCPs** to block broad CloudTrail access, and validate policies regularly to refine scopes.",
      "references": [
        "https://hub.prowler.com/check/iam_policy_no_full_access_to_cloudtrail"
      ]
    },
    "risk_details": "Unrestricted CloudTrail control lets principals stop or alter logging, delete or modify trails, and query events.\n\nThis enables log evasion, audit tampering, and reconnaissance, undermining the **integrity**, **availability**, and **confidentiality** of audit evidence and detection.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Custom Policy CN03PeeringGuardrail does not allow 'kms:*' privileges.",
    "metadata": {
      "event_code": "iam_policy_no_full_access_to_kms",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "Custom Policy CN03PeeringGuardrail does not allow 'kms:*' privileges.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://docs.aws.amazon.com/it_it/prescriptive-guidance/latest/encryption-best-practices/kms.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "11.2.2.a"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN11.AR04",
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR02",
          "CCC.Core.CN05.AR04",
          "CCC.ObjStor.CN01.AR01",
          "CCC.ObjStor.CN01.AR02",
          "CCC.ObjStor.CN01.AR03",
          "CCC.ObjStor.CN01.AR04",
          "CCC.KeyMgmt.CN02.AR01",
          "CCC.IAM.CN04.AR01"
        ],
        "PCI-4.0": [
          "3.5.1.1.7",
          "3.5.1.3.15",
          "3.6.1.2.7",
          "3.6.1.3.7",
          "3.6.1.4.7",
          "3.6.1.7",
          "3.7.1.8",
          "3.7.2.7",
          "3.7.4.8",
          "3.7.6.7",
          "3.7.7.7",
          "4.2.1.1.20",
          "7.2.1.9",
          "7.2.2.9",
          "7.2.3.5",
          "7.2.5.5",
          "7.3.1.5",
          "7.3.2.5",
          "7.3.3.5",
          "8.2.7.5",
          "8.2.8.7",
          "8.3.4.5"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "OIS-08.02B",
          "IAM-10.01B",
          "CRY-05.02B"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "po_1",
          "ac_1",
          "ac_4"
        ],
        "ENS-RD2022": [
          "op.exp.10.aws.cmk.1",
          "op.exp.10.aws.cmk.2"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1648",
          "T1098",
          "T1578",
          "T1550",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Customer-managed IAM policies** are examined for statements that grant **AWS KMS** full access using `kms:*`. The focus is on policies allowing service-wide actions rather than narrowly scoped, key-specific permissions.",
      "title": "Custom IAM policy does not allow 'kms:*' privileges",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "Effects/Data Exposure",
        "Effects/Data Destruction",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_policy_no_full_access_to_kms-211203495394-us-east-1-CN03PeeringGuardrail"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "CN03PeeringGuardrail",
            "arn": "arn:aws:iam::211203495394:policy/CN03PeeringGuardrail",
            "entity": "ANPATCLFVSXRKM5643AGY",
            "version_id": "v1",
            "type": "Custom",
            "attached": true,
            "document": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "DenyPeeringFromNonAllowlistedRequesterVpc",
                  "Effect": "Deny",
                  "Action": "ec2:CreateVpcPeeringConnection",
                  "Resource": "*",
                  "Condition": {
                    "Null": {
                      "ec2:RequesterVpc": "false"
                    },
                    "ArnEquals": {
                      "ec2:AccepterVpc": [
                        "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-0232d940ac1e052fc"
                      ]
                    },
                    "ArnNotEquals": {
                      "ec2:RequesterVpc": [
                        "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-00edf4476fa81d898",
                        "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-035f0b812cb80ea99"
                      ]
                    }
                  }
                }
              ]
            },
            "tags": []
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "CN03PeeringGuardrail",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::211203495394:policy/CN03PeeringGuardrail"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Adopt **least privilege** and **separation of duties**:\n- Replace `kms:*` with only needed actions scoped to specific key ARNs\n- Apply policy conditions (e.g., `kms:ViaService`) and guardrails (permissions boundaries/SCPs)\n- Monitor KMS usage and refine access based on activity",
      "references": [
        "https://hub.prowler.com/check/iam_policy_no_full_access_to_kms"
      ]
    },
    "risk_details": "Allowing `kms:*` lets principals decrypt data, change key policies, and disable or delete keys. Impact: **Confidentiality**-unauthorized decryption; **Integrity**-manipulation of cryptographic controls; **Availability**-data unreadable if keys are disabled/deleted. It can also enable privilege escalation.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Role TerraformRole has AdministratorAccess policy attached.",
    "metadata": {
      "event_code": "iam_role_administratoraccess_policy",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Role TerraformRole has AdministratorAccess policy attached.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "NIS2": [
          "1.2.1",
          "11.3.1"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-0012"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR02",
          "CCC.Vector.CN02.AR01"
        ],
        "CSA-CCM-4.0": [
          "IAM-05",
          "IAM-09"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "OIS-02.01B",
          "OIS-04.03B",
          "SP-01.04B",
          "HR-01.01B",
          "HR-04.01B",
          "IAM-01.01B",
          "IAM-01.04B",
          "IAM-03.01B",
          "IAM-06.01B",
          "IAM-10.01B"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1",
          "ac_1",
          "ac_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM roles** (excluding service roles) are evaluated for attachment of the AWS-managed `AdministratorAccess` policy.\n\nAttachment indicates the role holds unrestricted permissions across services and resources.",
      "title": "IAM role does not have AdministratorAccess policy attached",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_role_administratoraccess_policy-211203495394-us-east-1-TerraformRole"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "TerraformRole",
            "arn": "arn:aws:iam::211203495394:role/TerraformRole",
            "assume_role_policy": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "Federated": "arn:aws:iam::211203495394:oidc-provider/token.actions.githubusercontent.com"
                  },
                  "Action": "sts:AssumeRoleWithWebIdentity",
                  "Condition": {
                    "StringEquals": {
                      "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                    },
                    "StringLike": {
                      "token.actions.githubusercontent.com:sub": [
                        "repo:finos-labs/ccc-cfi-compliance:ref:refs/heads/*",
                        "repo:finos-labs/ccc-cfi-compliance:ref:refs/tags/*",
                        "repo:finos-labs/ccc-cfi-compliance:pull_request",
                        "repo:finos-labs/ccc-cfi-compliance:environment:*"
                      ]
                    }
                  }
                }
              ]
            },
            "is_service_role": false,
            "attached_policies": [
              {
                "PolicyName": "CN03PeeringGuardrail",
                "PolicyArn": "arn:aws:iam::211203495394:policy/CN03PeeringGuardrail"
              },
              {
                "PolicyName": "AdministratorAccess",
                "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
              }
            ],
            "inline_policies": [],
            "tags": [
              {
                "Key": "CCC_INFRA_DONT_DELETE",
                "Value": "True"
              },
              {
                "Key": "Preexisting",
                "Value": "20251012"
              }
            ]
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [
          "CCC_INFRA_DONT_DELETE:True",
          "Preexisting:20251012"
        ],
        "name": "TerraformRole",
        "type": "AwsIamRole",
        "uid": "arn:aws:iam::211203495394:role/TerraformRole"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege**: avoid attaching `AdministratorAccess` to roles. Grant only task-scoped permissions with custom policies and enforce **separation of duties**.\n\nUse **permissions boundaries**, **SCPs**, and policy conditions to constrain power. Require MFA for break-glass admins, time-bound elevation with approval, and refine access using **Access Analyzer**.",
      "references": [
        "https://hub.prowler.com/check/iam_role_administratoraccess_policy"
      ]
    },
    "risk_details": "Granting full administrative permissions on a role undermines confidentiality, integrity, and availability. If the role is assumed or its credentials are stolen, an attacker can read sensitive data, change policies, disable auditing, delete resources and backups, and create new privileged identities, enabling swift account takeover.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Role TerraformRole does not have ReadOnlyAccess policy.",
    "metadata": {
      "event_code": "iam_role_cross_account_readonlyaccess_policy",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "IAM Role TerraformRole does not have ReadOnlyAccess policy.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "trust-boundaries",
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#awsmp_readonlyaccess",
        "https://support.icompaas.com/support/solutions/articles/62000233802-ensure-iam-roles-do-not-have-readonlyaccess-access-for-external-aws-accounts"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "AWS-Foundational-Technical-Review": [
          "IAM-0012"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR03",
          "CCC.Core.CN05.AR06",
          "CCC.IAM.CN03.AR01",
          "CCC.IAM.CN03.AR02"
        ],
        "CSA-CCM-4.0": [
          "IAM-10"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.6",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "IAM-01.01B",
          "IAM-01.04B",
          "IAM-06.02B",
          "IAM-10.01B",
          "PSS-09.01AC"
        ],
        "NIST-CSF-2.0": [
          "rr_2",
          "am_6",
          "ac_6"
        ],
        "MITRE-ATTACK": [
          "T1078"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM roles** are assessed for the AWS-managed **ReadOnlyAccess** policy combined with a trust policy that allows **external AWS principals** or `*`. This identifies roles that expose broad read permissions to other accounts.",
      "title": "IAM role does not grant ReadOnlyAccess to external AWS accounts",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Initial Access/Unauthorized Access",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-iam_role_cross_account_readonlyaccess_policy-211203495394-us-east-1-TerraformRole"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "TerraformRole",
            "arn": "arn:aws:iam::211203495394:role/TerraformRole",
            "assume_role_policy": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "Federated": "arn:aws:iam::211203495394:oidc-provider/token.actions.githubusercontent.com"
                  },
                  "Action": "sts:AssumeRoleWithWebIdentity",
                  "Condition": {
                    "StringEquals": {
                      "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                    },
                    "StringLike": {
                      "token.actions.githubusercontent.com:sub": [
                        "repo:finos-labs/ccc-cfi-compliance:ref:refs/heads/*",
                        "repo:finos-labs/ccc-cfi-compliance:ref:refs/tags/*",
                        "repo:finos-labs/ccc-cfi-compliance:pull_request",
                        "repo:finos-labs/ccc-cfi-compliance:environment:*"
                      ]
                    }
                  }
                }
              ]
            },
            "is_service_role": false,
            "attached_policies": [
              {
                "PolicyName": "CN03PeeringGuardrail",
                "PolicyArn": "arn:aws:iam::211203495394:policy/CN03PeeringGuardrail"
              },
              {
                "PolicyName": "AdministratorAccess",
                "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
              }
            ],
            "inline_policies": [],
            "tags": [
              {
                "Key": "CCC_INFRA_DONT_DELETE",
                "Value": "True"
              },
              {
                "Key": "Preexisting",
                "Value": "20251012"
              }
            ]
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [
          "CCC_INFRA_DONT_DELETE:True",
          "Preexisting:20251012"
        ],
        "name": "TerraformRole",
        "type": "AwsIamRole",
        "uid": "arn:aws:iam::211203495394:role/TerraformRole"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Avoid attaching `ReadOnlyAccess` to roles trusted by other accounts. Apply **least privilege** with custom, tightly scoped policies. Restrict trust to explicit principals, avoid `*`, and use conditions like `aws:PrincipalOrgID` and `sts:ExternalId` for **defense in depth**.",
      "references": [
        "https://hub.prowler.com/check/iam_role_cross_account_readonlyaccess_policy"
      ]
    },
    "risk_details": "Granting **cross-account read access** can expose sensitive data and metadata, impacting **confidentiality**. External principals can read S3/DynamoDB contents and enumerate resources, policies, and logs, enabling targeted recon and easier **privilege escalation** paths.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Service Role cfi-1776042944-cn04-flowlogs-role does not prevent against a cross-service confused deputy attack.",
    "metadata": {
      "event_code": "iam_role_cross_service_confused_deputy_prevention",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Service Role cfi-1776042944-cn04-flowlogs-role does not prevent against a cross-service confused deputy attack.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html",
        "https://aws.amazon.com/blogs/security/how-to-set-up-least-privilege-access-to-your-encrypted-amazon-sqs-queue/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention",
        "https://docs.aws.amazon.com/textract/latest/dg/cross-service-confused-deputy-prevention.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.c",
          "6.8.2.a"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-0012"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR03",
          "CCC.Core.CN05.AR06",
          "CCC.IAM.CN03.AR01",
          "CCC.IAM.CN03.AR02"
        ],
        "CSA-CCM-4.0": [
          "IAM-10"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.6",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.01B",
          "IAM-01.04B"
        ],
        "AWS-Account-Security-Onboarding": [
          "Predefine IAM Roles"
        ],
        "ENS-RD2022": [
          "op.exp.8.r4.aws.ct.8",
          "op.exp.8.r4.aws.ct.1"
        ],
        "MITRE-ATTACK": [
          "T1078"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM service role** trust policies restrict **AWS service principals** to expected sources using global condition keys like `aws:SourceArn` or `aws:SourceAccount`, avoiding overly broad `sts:AssumeRole` trust relationships.",
      "title": "IAM service role prevents cross-service confused deputy attack",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_role_cross_service_confused_deputy_prevention-211203495394-us-east-1-cfi-1776042944-cn04-flowlogs-role"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776042944-cn04-flowlogs-role",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776042944-cn04-flowlogs-role",
            "assume_role_policy": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "Service": "vpc-flow-logs.amazonaws.com"
                  },
                  "Action": "sts:AssumeRole"
                }
              ]
            },
            "is_service_role": true,
            "attached_policies": [],
            "inline_policies": [
              "cfi-1776042944-cn04-flowlogs-role-policy"
            ],
            "tags": [
              {
                "Key": "Environment",
                "Value": "cfi-test"
              },
              {
                "Key": "CFIControl",
                "Value": "CCC.VPC.CN04"
              },
              {
                "Key": "Owner",
                "Value": "cfi-owner"
              },
              {
                "Key": "team",
                "Value": "cfi-team"
              },
              {
                "Key": "AutoCleanup",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-1776042944-vpc-cn04-flow-logs-role"
              },
              {
                "Key": "ManagedBy",
                "Value": "Terraform"
              },
              {
                "Key": "Project",
                "Value": "CCC-CFI-Compliance"
              }
            ]
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [
          "Environment:cfi-test",
          "CFIControl:CCC.VPC.CN04",
          "Owner:cfi-owner",
          "team:cfi-team",
          "AutoCleanup:true",
          "Name:cfi-1776042944-vpc-cn04-flow-logs-role",
          "ManagedBy:Terraform",
          "Project:CCC-CFI-Compliance"
        ],
        "name": "cfi-1776042944-cn04-flowlogs-role",
        "type": "AwsIamRole",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776042944-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Constrain service-role trust to expected callers using `aws:SourceArn`/`aws:SourceAccount` to bind service principals to specific resources or accounts. If the service does not support these condition keys, apply equivalent limits in resource-based policies or org-level controls. Apply **least privilege** and review trust relationships regularly.",
      "references": [
        "https://hub.prowler.com/check/iam_role_cross_service_confused_deputy_prevention"
      ]
    },
    "risk_details": "A service-principal trust with no `aws:SourceArn` or `aws:SourceAccount` condition lets a party outside the account use the trusted service as a **cross-service confused deputy**, causing unintended `sts:AssumeRole`.\nThis can enable data exfiltration, unauthorized changes, and lateral movement, impacting **confidentiality** and **integrity**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Service Role cfi-1776043129-cn04-flowlogs-role does not prevent against a cross-service confused deputy attack.",
    "metadata": {
      "event_code": "iam_role_cross_service_confused_deputy_prevention",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Service Role cfi-1776043129-cn04-flowlogs-role does not prevent against a cross-service confused deputy attack.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html",
        "https://aws.amazon.com/blogs/security/how-to-set-up-least-privilege-access-to-your-encrypted-amazon-sqs-queue/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention",
        "https://docs.aws.amazon.com/textract/latest/dg/cross-service-confused-deputy-prevention.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.c",
          "6.8.2.a"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-0012"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR03",
          "CCC.Core.CN05.AR06",
          "CCC.IAM.CN03.AR01",
          "CCC.IAM.CN03.AR02"
        ],
        "CSA-CCM-4.0": [
          "IAM-10"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.6",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.01B",
          "IAM-01.04B"
        ],
        "AWS-Account-Security-Onboarding": [
          "Predefine IAM Roles"
        ],
        "ENS-RD2022": [
          "op.exp.8.r4.aws.ct.8",
          "op.exp.8.r4.aws.ct.1"
        ],
        "MITRE-ATTACK": [
          "T1078"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM service role** trust policies restrict **AWS service principals** to expected sources using global condition keys like `aws:SourceArn` or `aws:SourceAccount`, avoiding overly broad `sts:AssumeRole` trust relationships.",
      "title": "IAM service role prevents cross-service confused deputy attack",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_role_cross_service_confused_deputy_prevention-211203495394-us-east-1-cfi-1776043129-cn04-flowlogs-role"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776043129-cn04-flowlogs-role",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776043129-cn04-flowlogs-role",
            "assume_role_policy": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "Service": "vpc-flow-logs.amazonaws.com"
                  },
                  "Action": "sts:AssumeRole"
                }
              ]
            },
            "is_service_role": true,
            "attached_policies": [],
            "inline_policies": [
              "cfi-1776043129-cn04-flowlogs-role-policy"
            ],
            "tags": [
              {
                "Key": "Environment",
                "Value": "cfi-test"
              },
              {
                "Key": "ManagedBy",
                "Value": "Terraform"
              },
              {
                "Key": "AutoCleanup",
                "Value": "true"
              },
              {
                "Key": "Name",
                "Value": "cfi-1776043129-vpc-cn04-flow-logs-role"
              },
              {
                "Key": "Owner",
                "Value": "cfi-owner"
              },
              {
                "Key": "Project",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "team",
                "Value": "cfi-team"
              },
              {
                "Key": "CFIControl",
                "Value": "CCC.VPC.CN04"
              }
            ]
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [
          "Environment:cfi-test",
          "ManagedBy:Terraform",
          "AutoCleanup:true",
          "Name:cfi-1776043129-vpc-cn04-flow-logs-role",
          "Owner:cfi-owner",
          "Project:CCC-CFI-Compliance",
          "team:cfi-team",
          "CFIControl:CCC.VPC.CN04"
        ],
        "name": "cfi-1776043129-cn04-flowlogs-role",
        "type": "AwsIamRole",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776043129-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Constrain service-role trust to expected callers using `aws:SourceArn`/`aws:SourceAccount` to bind service principals to specific resources or accounts. If the service does not support these condition keys, apply equivalent limits in resource-based policies or org-level controls. Apply **least privilege** and review trust relationships regularly.",
      "references": [
        "https://hub.prowler.com/check/iam_role_cross_service_confused_deputy_prevention"
      ]
    },
    "risk_details": "A service-principal trust with no `aws:SourceArn` or `aws:SourceAccount` condition lets a party outside the account use the trusted service as a **cross-service confused deputy**, causing unintended `sts:AssumeRole`.\nThis can enable data exfiltration, unauthorized changes, and lateral movement, impacting **confidentiality** and **integrity**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Service Role cfi-1776043305-cn04-flowlogs-role does not prevent against a cross-service confused deputy attack.",
    "metadata": {
      "event_code": "iam_role_cross_service_confused_deputy_prevention",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Service Role cfi-1776043305-cn04-flowlogs-role does not prevent against a cross-service confused deputy attack.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html",
        "https://aws.amazon.com/blogs/security/how-to-set-up-least-privilege-access-to-your-encrypted-amazon-sqs-queue/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention",
        "https://docs.aws.amazon.com/textract/latest/dg/cross-service-confused-deputy-prevention.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.c",
          "6.8.2.a"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-0012"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR03",
          "CCC.Core.CN05.AR06",
          "CCC.IAM.CN03.AR01",
          "CCC.IAM.CN03.AR02"
        ],
        "CSA-CCM-4.0": [
          "IAM-10"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.6",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.01B",
          "IAM-01.04B"
        ],
        "AWS-Account-Security-Onboarding": [
          "Predefine IAM Roles"
        ],
        "ENS-RD2022": [
          "op.exp.8.r4.aws.ct.8",
          "op.exp.8.r4.aws.ct.1"
        ],
        "MITRE-ATTACK": [
          "T1078"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM service role** trust policies restrict **AWS service principals** to expected sources using global condition keys like `aws:SourceArn` or `aws:SourceAccount`, avoiding overly broad `sts:AssumeRole` trust relationships.",
      "title": "IAM service role prevents cross-service confused deputy attack",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_role_cross_service_confused_deputy_prevention-211203495394-us-east-1-cfi-1776043305-cn04-flowlogs-role"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776043305-cn04-flowlogs-role",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776043305-cn04-flowlogs-role",
            "assume_role_policy": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "Service": "vpc-flow-logs.amazonaws.com"
                  },
                  "Action": "sts:AssumeRole"
                }
              ]
            },
            "is_service_role": true,
            "attached_policies": [],
            "inline_policies": [
              "cfi-1776043305-cn04-flowlogs-role-policy"
            ],
            "tags": [
              {
                "Key": "AutoCleanup",
                "Value": "true"
              },
              {
                "Key": "Environment",
                "Value": "cfi-test"
              },
              {
                "Key": "ManagedBy",
                "Value": "Terraform"
              },
              {
                "Key": "Owner",
                "Value": "cfi-owner"
              },
              {
                "Key": "CFIControl",
                "Value": "CCC.VPC.CN04"
              },
              {
                "Key": "Name",
                "Value": "cfi-1776043305-vpc-cn04-flow-logs-role"
              },
              {
                "Key": "Project",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "team",
                "Value": "cfi-team"
              }
            ]
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [
          "AutoCleanup:true",
          "Environment:cfi-test",
          "ManagedBy:Terraform",
          "Owner:cfi-owner",
          "CFIControl:CCC.VPC.CN04",
          "Name:cfi-1776043305-vpc-cn04-flow-logs-role",
          "Project:CCC-CFI-Compliance",
          "team:cfi-team"
        ],
        "name": "cfi-1776043305-cn04-flowlogs-role",
        "type": "AwsIamRole",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776043305-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Constrain service-role trust to expected callers using `aws:SourceArn`/`aws:SourceAccount` to bind service principals to specific resources or accounts. If the service does not support these condition keys, apply equivalent limits in resource-based policies or org-level controls. Apply **least privilege** and review trust relationships regularly.",
      "references": [
        "https://hub.prowler.com/check/iam_role_cross_service_confused_deputy_prevention"
      ]
    },
    "risk_details": "A service-principal trust with no `aws:SourceArn` or `aws:SourceAccount` condition lets a party outside the account use the trusted service as a **cross-service confused deputy**, causing unintended `sts:AssumeRole`.\nThis can enable data exfiltration, unauthorized changes, and lateral movement, impacting **confidentiality** and **integrity**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Service Role cfi-1776044303-cn04-flowlogs-role does not prevent against a cross-service confused deputy attack.",
    "metadata": {
      "event_code": "iam_role_cross_service_confused_deputy_prevention",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Service Role cfi-1776044303-cn04-flowlogs-role does not prevent against a cross-service confused deputy attack.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html",
        "https://aws.amazon.com/blogs/security/how-to-set-up-least-privilege-access-to-your-encrypted-amazon-sqs-queue/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention",
        "https://docs.aws.amazon.com/textract/latest/dg/cross-service-confused-deputy-prevention.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.c",
          "6.8.2.a"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-0012"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR03",
          "CCC.Core.CN05.AR06",
          "CCC.IAM.CN03.AR01",
          "CCC.IAM.CN03.AR02"
        ],
        "CSA-CCM-4.0": [
          "IAM-10"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.6",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.01B",
          "IAM-01.04B"
        ],
        "AWS-Account-Security-Onboarding": [
          "Predefine IAM Roles"
        ],
        "ENS-RD2022": [
          "op.exp.8.r4.aws.ct.8",
          "op.exp.8.r4.aws.ct.1"
        ],
        "MITRE-ATTACK": [
          "T1078"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM service role** trust policies restrict **AWS service principals** to expected sources using global condition keys like `aws:SourceArn` or `aws:SourceAccount`, avoiding overly broad `sts:AssumeRole` trust relationships.",
      "title": "IAM service role prevents cross-service confused deputy attack",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_role_cross_service_confused_deputy_prevention-211203495394-us-east-1-cfi-1776044303-cn04-flowlogs-role"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-1776044303-cn04-flowlogs-role",
            "arn": "arn:aws:iam::211203495394:role/cfi-1776044303-cn04-flowlogs-role",
            "assume_role_policy": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "Service": "vpc-flow-logs.amazonaws.com"
                  },
                  "Action": "sts:AssumeRole"
                }
              ]
            },
            "is_service_role": true,
            "attached_policies": [],
            "inline_policies": [
              "cfi-1776044303-cn04-flowlogs-role-policy"
            ],
            "tags": [
              {
                "Key": "Name",
                "Value": "cfi-1776044303-vpc-cn04-flow-logs-role"
              },
              {
                "Key": "AutoCleanup",
                "Value": "true"
              },
              {
                "Key": "Environment",
                "Value": "cfi-test"
              },
              {
                "Key": "ManagedBy",
                "Value": "Terraform"
              },
              {
                "Key": "Owner",
                "Value": "cfi-owner"
              },
              {
                "Key": "Project",
                "Value": "CCC-CFI-Compliance"
              },
              {
                "Key": "team",
                "Value": "cfi-team"
              },
              {
                "Key": "CFIControl",
                "Value": "CCC.VPC.CN04"
              }
            ]
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [
          "Name:cfi-1776044303-vpc-cn04-flow-logs-role",
          "AutoCleanup:true",
          "Environment:cfi-test",
          "ManagedBy:Terraform",
          "Owner:cfi-owner",
          "Project:CCC-CFI-Compliance",
          "team:cfi-team",
          "CFIControl:CCC.VPC.CN04"
        ],
        "name": "cfi-1776044303-cn04-flowlogs-role",
        "type": "AwsIamRole",
        "uid": "arn:aws:iam::211203495394:role/cfi-1776044303-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Constrain service-role trust to expected callers using `aws:SourceArn`/`aws:SourceAccount` to bind service principals to specific resources or accounts. If the service does not support these condition keys, apply equivalent limits in resource-based policies or org-level controls. Apply **least privilege** and review trust relationships regularly.",
      "references": [
        "https://hub.prowler.com/check/iam_role_cross_service_confused_deputy_prevention"
      ]
    },
    "risk_details": "A service-principal trust with no `aws:SourceArn` or `aws:SourceAccount` condition lets a party outside the account use the trusted service as a **cross-service confused deputy**, causing unintended `sts:AssumeRole`.\nThis can enable data exfiltration, unauthorized changes, and lateral movement, impacting **confidentiality** and **integrity**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM Service Role cfi-20260413t013134z-cn04-flowlogs-role does not prevent against a cross-service confused deputy attack.",
    "metadata": {
      "event_code": "iam_role_cross_service_confused_deputy_prevention",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM Service Role cfi-20260413t013134z-cn04-flowlogs-role does not prevent against a cross-service confused deputy attack.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "trust-boundaries"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html",
        "https://aws.amazon.com/blogs/security/how-to-set-up-least-privilege-access-to-your-encrypted-amazon-sqs-queue/",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention",
        "https://docs.aws.amazon.com/textract/latest/dg/cross-service-confused-deputy-prevention.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "3.1.2.c",
          "6.8.2.a"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-0012"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR03",
          "CCC.Core.CN05.AR06",
          "CCC.IAM.CN03.AR01",
          "CCC.IAM.CN03.AR02"
        ],
        "CSA-CCM-4.0": [
          "IAM-10"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.6",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.01B",
          "IAM-01.04B"
        ],
        "AWS-Account-Security-Onboarding": [
          "Predefine IAM Roles"
        ],
        "ENS-RD2022": [
          "op.exp.8.r4.aws.ct.8",
          "op.exp.8.r4.aws.ct.1"
        ],
        "MITRE-ATTACK": [
          "T1078"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM service role** trust policies restrict **AWS service principals** to expected sources using global condition keys like `aws:SourceArn` or `aws:SourceAccount`, avoiding overly broad `sts:AssumeRole` trust relationships.",
      "title": "IAM service role prevents cross-service confused deputy attack",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_role_cross_service_confused_deputy_prevention-211203495394-us-east-1-cfi-20260413t013134z-cn04-flowlogs-role"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "cfi-20260413t013134z-cn04-flowlogs-role",
            "arn": "arn:aws:iam::211203495394:role/cfi-20260413t013134z-cn04-flowlogs-role",
            "assume_role_policy": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "Service": "vpc-flow-logs.amazonaws.com"
                  },
                  "Action": "sts:AssumeRole"
                }
              ]
            },
            "is_service_role": true,
            "attached_policies": [],
            "inline_policies": [
              "cfi-20260413t013134z-cn04-flowlogs-role-policy"
            ],
            "tags": [
              {
                "Key": "team",
                "Value": "cfi-team"
              },
              {
                "Key": "AutoCleanup",
                "Value": "true"
              },
              {
                "Key": "Environment",
                "Value": "cfi-test"
              },
              {
                "Key": "ManagedBy",
                "Value": "Terraform"
              },
              {
                "Key": "Owner",
                "Value": "cfi-owner"
              },
              {
                "Key": "Name",
                "Value": "cfi-20260413t013134z-vpc-cn04-flow-logs-role"
              },
              {
                "Key": "CFIControl",
                "Value": "CCC.VPC.CN04"
              },
              {
                "Key": "Project",
                "Value": "CCC-CFI-Compliance"
              }
            ]
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [
          "team:cfi-team",
          "AutoCleanup:true",
          "Environment:cfi-test",
          "ManagedBy:Terraform",
          "Owner:cfi-owner",
          "Name:cfi-20260413t013134z-vpc-cn04-flow-logs-role",
          "CFIControl:CCC.VPC.CN04",
          "Project:CCC-CFI-Compliance"
        ],
        "name": "cfi-20260413t013134z-cn04-flowlogs-role",
        "type": "AwsIamRole",
        "uid": "arn:aws:iam::211203495394:role/cfi-20260413t013134z-cn04-flowlogs-role"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Constrain service-role trust to expected callers using `aws:SourceArn`/`aws:SourceAccount` to bind service principals to specific resources or accounts. If the service does not support these condition keys, apply equivalent limits in resource-based policies or org-level controls. Apply **least privilege** and review trust relationships regularly.",
      "references": [
        "https://hub.prowler.com/check/iam_role_cross_service_confused_deputy_prevention"
      ]
    },
    "risk_details": "Unrestricted service-principal trust lets outsiders trigger a **cross-service confused deputy**, in which the trusted AWS service performs an unintended `sts:AssumeRole` on their behalf.\nThis can enable data exfiltration, unauthorized changes, and lateral movement, impacting **confidentiality** and **integrity**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Root account has a virtual MFA instead of a hardware MFA device enabled.",
    "metadata": {
      "event_code": "iam_root_hardware_mfa_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Root account has a virtual MFA instead of a hardware MFA device enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/root-hardware-mfa.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "11.6.1",
          "11.7.2"
        ],
        "HIPAA": [
          "164_308_a_3_ii_a",
          "164_312_d"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ia-2"
        ],
        "CIS-6.0": [
          "2.5"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_3_2",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_7_4",
          "ac_7_4_a",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "ia_2_1",
          "ia_2_2",
          "ia_2_6",
          "ia_2_6_a",
          "ia_2_8",
          "sc_23_3"
        ],
        "AWS-Foundational-Technical-Review": [
          "ARC-003",
          "IAM-001",
          "IAM-0012"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN03.AR01",
          "CCC.Core.CN03.AR03",
          "CCC.Core.CN05.AR02",
          "CCC.Core.CN05.AR06"
        ],
        "CIS-2.0": [
          "1.6"
        ],
        "CSA-CCM-4.0": [
          "IAM-14"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-2"
        ],
        "PCI-4.0": [
          "8.4.1.3",
          "8.4.2.3",
          "8.4.3.3"
        ],
        "FFIEC": [
          "d3-pc-am-b-15",
          "d3-pc-am-b-3",
          "d3-pc-am-b-6"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.3",
          "2.5.5",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.1.2"
        ],
        "CIS-4.0.1": [
          "1.6"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC01-BP02"
        ],
        "CIS-3.0": [
          "1.6"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.3",
          "2.5.5",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-16.01B",
          "IAM-08.05B",
          "IAM-09.02B",
          "IAM-09.01AC",
          "PSS-05.01B",
          "PSS-07.02B"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.6"
        ],
        "SecNumCloud-3.2": [
          "9.6"
        ],
        "CIS-1.4": [
          "1.6"
        ],
        "NIST-800-53-Revision-4": [
          "ia_2_1",
          "ia_2_11"
        ],
        "NIST-CSF-1.1": [
          "ac_3",
          "ac_7"
        ],
        "CIS-5.0": [
          "1.5"
        ],
        "CIS-1.5": [
          "1.6"
        ],
        "AWS-Account-Security-Onboarding": [
          "Root user - distribution email + MFA"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ia-2-1-2",
          "ia-2-1"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g",
          "11.200"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_5_3"
        ],
        "ENS-RD2022": [
          "op.acc.6.r4.aws.iam.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1098",
          "T1556",
          "T1550",
          "T1110",
          "T1040"
        ],
        "AWS-Audit-Manager-Control-Tower-Guardrails": [
          "3.0.3"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS root user** credentials are assessed for **MFA status** and device type. The check detects whether MFA is absent or implemented with a **virtual device** instead of **hardware MFA** on the root user, and notes when centralized root credential management is in effect.",
      "title": "Root account has a hardware MFA device enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_root_hardware_mfa_enabled-211203495394-us-east-1-<root_account>"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "user": "<root_account>",
            "arn": "arn:aws:iam::211203495394:root",
            "user_creation_time": "2025-10-03T16:10:08Z",
            "password_enabled": "true",
            "password_last_used": "2026-04-09T09:51:05Z",
            "password_last_changed": "2025-10-03T16:10:08Z",
            "password_next_rotation": "not_supported",
            "mfa_active": "true",
            "access_key_1_active": "false",
            "access_key_1_last_rotated": "N/A",
            "access_key_1_last_used_date": "N/A",
            "access_key_1_last_used_region": "N/A",
            "access_key_1_last_used_service": "N/A",
            "access_key_2_active": "false",
            "access_key_2_last_rotated": "N/A",
            "access_key_2_last_used_date": "N/A",
            "access_key_2_last_used_region": "N/A",
            "access_key_2_last_used_service": "N/A",
            "cert_1_active": "false",
            "cert_1_last_rotated": "N/A",
            "cert_2_active": "false",
            "cert_2_last_rotated": "N/A"
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "<root_account>",
        "type": "AwsIamUser",
        "uid": "arn:aws:iam::211203495394:mfa"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Require a **hardware MFA token** for the root user and remove any virtual MFA. Apply **least privilege**: avoid using root, disable access keys, and eliminate long-term credentials. In organizations, **centralize root management**. Keep a controlled break-glass process with strict recovery checks and continuous monitoring.",
      "references": [
        "https://hub.prowler.com/check/iam_root_hardware_mfa_enabled"
      ]
    },
    "risk_details": "Without **hardware MFA** on the root user:\n- No MFA: stolen password/keys enable full account takeover.\n- Virtual MFA: device compromise or backup restoration weakens second-factor assurance.\nAn attacker could delete resources, change policies, and disable logging, harming **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "MFA is enabled for root account.",
    "metadata": {
      "event_code": "iam_root_mfa_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "MFA is enabled for root account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "11.3.2.a",
          "11.6.1",
          "11.7.2"
        ],
        "HIPAA": [
          "164_308_a_3_ii_a",
          "164_312_d"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ia-2"
        ],
        "CIS-6.0": [
          "2.4"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_3_2",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_7_4",
          "ac_7_4_a",
          "ac_24",
          "cm_6_a",
          "cm_9_b",
          "ia_2_1",
          "ia_2_2",
          "ia_2_6",
          "ia_2_6_a",
          "ia_2_8",
          "sc_23_3"
        ],
        "AWS-Foundational-Technical-Review": [
          "ARC-003",
          "IAM-001",
          "IAM-0012"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN03.AR01",
          "CCC.Core.CN03.AR03",
          "CCC.Core.CN05.AR02",
          "CCC.Core.CN05.AR06"
        ],
        "CIS-2.0": [
          "1.5"
        ],
        "CSA-CCM-4.0": [
          "IAM-14"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-2",
          "booting-up-thing-to-do-first-2"
        ],
        "PCI-4.0": [
          "8.4.1.4",
          "8.4.2.4",
          "8.4.3.4"
        ],
        "FFIEC": [
          "d3-pc-am-b-15",
          "d3-pc-am-b-3",
          "d3-pc-am-b-6"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.3",
          "2.5.5",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.1.1"
        ],
        "CIS-4.0.1": [
          "1.5"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC01-BP02"
        ],
        "CIS-3.0": [
          "1.5"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.3",
          "2.5.5",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-16.01B",
          "IAM-04.06B",
          "IAM-06.09B",
          "IAM-08.05B",
          "IAM-09.02B",
          "IAM-09.01AC",
          "PSS-05.01B",
          "PSS-05.02B",
          "PSS-07.02B"
        ],
        "ISO27001-2022": [
          "A.5.15",
          "A.5.17",
          "A.8.5"
        ],
        "SecNumCloud-3.2": [
          "9.5"
        ],
        "CIS-1.4": [
          "1.5"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2",
          "ia_2_1",
          "ia_2_11"
        ],
        "NIST-CSF-1.1": [
          "ac_3",
          "ac_7"
        ],
        "CIS-5.0": [
          "1.4"
        ],
        "CIS-1.5": [
          "1.5"
        ],
        "AWS-Account-Security-Onboarding": [
          "Root user - distribution email + MFA"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "po_4",
          "ac_1",
          "ac_6",
          "ac_7",
          "ip_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ia-2-1-2",
          "ia-2-1"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g",
          "11.200"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_5_2",
          "3_5_3"
        ],
        "ENS-RD2022": [
          "op.acc.6.r2.aws.iam.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1098",
          "T1556",
          "T1550",
          "T1110",
          "T1040"
        ],
        "ISO27001-2013": [
          "A.9.2.K",
          "A.9.4.K"
        ],
        "AWS-Audit-Manager-Control-Tower-Guardrails": [
          "3.0.1",
          "3.0.2",
          "3.0.3"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS root user** with active credentials is assessed for **MFA activation**. The evaluation considers whether the root identity has a password or access keys and whether **MFA is enabled**.\n\n*If centralized root access is enabled in Organizations, the presence of individual root credentials is also noted.*",
      "title": "Root account has MFA enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_root_mfa_enabled-211203495394-us-east-1-<root_account>"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "user": "<root_account>",
            "arn": "arn:aws:iam::211203495394:root",
            "user_creation_time": "2025-10-03T16:10:08Z",
            "password_enabled": "true",
            "password_last_used": "2026-04-09T09:51:05Z",
            "password_last_changed": "2025-10-03T16:10:08Z",
            "password_next_rotation": "not_supported",
            "mfa_active": "true",
            "access_key_1_active": "false",
            "access_key_1_last_rotated": "N/A",
            "access_key_1_last_used_date": "N/A",
            "access_key_1_last_used_region": "N/A",
            "access_key_1_last_used_service": "N/A",
            "access_key_2_active": "false",
            "access_key_2_last_rotated": "N/A",
            "access_key_2_last_used_date": "N/A",
            "access_key_2_last_used_region": "N/A",
            "access_key_2_last_used_service": "N/A",
            "cert_1_active": "false",
            "cert_1_last_rotated": "N/A",
            "cert_2_active": "false",
            "cert_2_last_rotated": "N/A"
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "<root_account>",
        "type": "AwsIamUser",
        "uid": "arn:aws:iam::211203495394:root"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enable **MFA** for the root user, preferably **hardware-based** or a dedicated, managed device. Remove root access keys and avoid using root for daily tasks. Apply **least privilege** with IAM Identity Center for admins, and use Organizations to **centralize root access** and eliminate long-lived root credentials.",
      "references": [
        "https://hub.prowler.com/check/iam_root_mfa_enabled"
      ]
    },
    "risk_details": "Without **MFA**, compromise of the root password or access keys can lead to full **account takeover**. An attacker with root can disable protections, steal or delete data, change billing, and create persistent admins, undermining confidentiality, integrity, and availability.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "User <root_account> does not have access keys.",
    "metadata": {
      "event_code": "iam_rotate_access_key_90_days",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "User <root_account> does not have access keys.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "secrets"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/access-keys-rotated-90-days.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "1.1.1.d",
          "1.1.2",
          "2.1.4",
          "2.3.1",
          "3.1.3",
          "6.2.4",
          "9.2.c",
          "9.2.c.xii",
          "11.6.2.c"
        ],
        "HIPAA": [
          "164_308_a_3_ii_c",
          "164_308_a_4_ii_c",
          "164_308_a_5_ii_d"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2"
        ],
        "CIS-6.0": [
          "2.13"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam",
          "ksi-iam-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "sc_23_3"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002",
          "IAM-0012"
        ],
        "CCC-v2025.10": [
          "CCC.IAM.CN06.AR01"
        ],
        "CIS-2.0": [
          "1.14"
        ],
        "CSA-CCM-4.0": [
          "CEK-12",
          "IAM-08"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3"
        ],
        "PCI-4.0": [
          "8.3.10.1.1",
          "8.3.5.1",
          "8.3.7.1",
          "8.3.9.1",
          "8.6.3.1"
        ],
        "FFIEC": [
          "d3-pc-am-b-6"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.7.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.1.11"
        ],
        "CIS-4.0.1": [
          "1.14"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP02",
          "SEC02-BP05"
        ],
        "CIS-3.0": [
          "1.14"
        ],
        "KISA-ISMS-P-2023": [
          "2.7.2",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-10.01B",
          "CRY-03.01B",
          "CRY-09.02B"
        ],
        "ISO27001-2022": [
          "A.5.15"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.3"
        ],
        "SecNumCloud-3.2": [
          "9.4"
        ],
        "CIS-1.4": [
          "1.14"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2"
        ],
        "NIST-CSF-1.1": [
          "ac_1"
        ],
        "CIS-5.0": [
          "1.13"
        ],
        "CIS-1.5": [
          "1.14"
        ],
        "NIST-CSF-2.0": [
          "ac_6"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g",
          "11.200",
          "11.300-b"
        ],
        "ENS-RD2022": [
          "op.acc.6.aws.iam.2",
          "op.acc.6.aws.iam.3"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1550",
          "T1110"
        ],
        "ISO27001-2013": [
          "A.9.2.L",
          "A.9.3.I",
          "A.9.4.L"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM user access keys** are assessed via the credential report. For each active key, the `last_rotated` timestamp is compared to `90 days`; keys exceeding this age are identified. Users without keys or with only recent rotations are noted.",
      "title": "IAM user does not have active access keys older than 90 days",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_rotate_access_key_90_days-211203495394-us-east-1-<root_account>"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "user": "<root_account>",
            "arn": "arn:aws:iam::211203495394:root",
            "user_creation_time": "2025-10-03T16:10:08Z",
            "password_enabled": "true",
            "password_last_used": "2026-04-09T09:51:05Z",
            "password_last_changed": "2025-10-03T16:10:08Z",
            "password_next_rotation": "not_supported",
            "mfa_active": "true",
            "access_key_1_active": "false",
            "access_key_1_last_rotated": "N/A",
            "access_key_1_last_used_date": "N/A",
            "access_key_1_last_used_region": "N/A",
            "access_key_1_last_used_service": "N/A",
            "access_key_2_active": "false",
            "access_key_2_last_rotated": "N/A",
            "access_key_2_last_used_date": "N/A",
            "access_key_2_last_used_region": "N/A",
            "access_key_2_last_used_service": "N/A",
            "cert_1_active": "false",
            "cert_1_last_rotated": "N/A",
            "cert_2_active": "false",
            "cert_2_last_rotated": "N/A"
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "<root_account>",
        "type": "AwsIamUser",
        "uid": "arn:aws:iam::211203495394:root"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** and limit static credentials:\n- Rotate active access keys at or before `90 days`\n- Prefer **IAM roles** with short-lived tokens\n- Maintain only one active key during rotation; delete the old one\n- Monitor `last_used` and remove dormant keys\n- Automate alerts and periodic reviews of key age",
      "references": [
        "https://hub.prowler.com/check/iam_rotate_access_key_90_days"
      ]
    },
    "risk_details": "Long-lived access keys widen the attack window. If a key is leaked in code, logs, or tooling, lack of rotation keeps it valid for abuse, enabling unauthorized API calls, data exfiltration, and tampering. This degrades **confidentiality** and **integrity** and can impact **availability** and cost through destructive or excessive operations.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "User terraform-user has not rotated access key 1 in over 90 days (188 days).",
    "metadata": {
      "event_code": "iam_rotate_access_key_90_days",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "User terraform-user has not rotated access key 1 in over 90 days (188 days).",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "secrets"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/access-keys-rotated-90-days.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "1.1.1.d",
          "1.1.2",
          "2.1.4",
          "2.3.1",
          "3.1.3",
          "6.2.4",
          "9.2.c",
          "9.2.c.xii",
          "11.6.2.c"
        ],
        "HIPAA": [
          "164_308_a_3_ii_c",
          "164_308_a_4_ii_c",
          "164_308_a_5_ii_d"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2"
        ],
        "CIS-6.0": [
          "2.13"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam",
          "ksi-iam-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "sc_23_3"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002",
          "IAM-0012"
        ],
        "CCC-v2025.10": [
          "CCC.IAM.CN06.AR01"
        ],
        "CIS-2.0": [
          "1.14"
        ],
        "CSA-CCM-4.0": [
          "CEK-12",
          "IAM-08"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3"
        ],
        "PCI-4.0": [
          "8.3.10.1.1",
          "8.3.5.1",
          "8.3.7.1",
          "8.3.9.1",
          "8.6.3.1"
        ],
        "FFIEC": [
          "d3-pc-am-b-6"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.7.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.1.11"
        ],
        "CIS-4.0.1": [
          "1.14"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP02",
          "SEC02-BP05"
        ],
        "CIS-3.0": [
          "1.14"
        ],
        "KISA-ISMS-P-2023": [
          "2.7.2",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-10.01B",
          "CRY-03.01B",
          "CRY-09.02B"
        ],
        "ISO27001-2022": [
          "A.5.15"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.3"
        ],
        "SecNumCloud-3.2": [
          "9.4"
        ],
        "CIS-1.4": [
          "1.14"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2"
        ],
        "NIST-CSF-1.1": [
          "ac_1"
        ],
        "CIS-5.0": [
          "1.13"
        ],
        "CIS-1.5": [
          "1.14"
        ],
        "NIST-CSF-2.0": [
          "ac_6"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g",
          "11.200",
          "11.300-b"
        ],
        "ENS-RD2022": [
          "op.acc.6.aws.iam.2",
          "op.acc.6.aws.iam.3"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1550",
          "T1110"
        ],
        "ISO27001-2013": [
          "A.9.2.L",
          "A.9.3.I",
          "A.9.4.L"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM user access keys** are assessed via the credential report. For each active key, the `last_rotated` timestamp is compared to `90 days`; keys exceeding this age are identified. Users without keys or with only recent rotations are noted.",
      "title": "IAM user does not have active access keys older than 90 days",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_rotate_access_key_90_days-211203495394-us-east-1-terraform-user-access-key-1"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "user": "terraform-user",
            "arn": "arn:aws:iam::211203495394:user/terraform-user",
            "user_creation_time": "2025-10-06T15:56:43Z",
            "password_enabled": "false",
            "password_last_used": "N/A",
            "password_last_changed": "N/A",
            "password_next_rotation": "N/A",
            "mfa_active": "false",
            "access_key_1_active": "true",
            "access_key_1_last_rotated": "2025-10-06T15:57:15Z",
            "access_key_1_last_used_date": "2026-04-09T10:22:00Z",
            "access_key_1_last_used_region": "us-east-1",
            "access_key_1_last_used_service": "cloudtrail",
            "access_key_2_active": "false",
            "access_key_2_last_rotated": "N/A",
            "access_key_2_last_used_date": "N/A",
            "access_key_2_last_used_region": "N/A",
            "access_key_2_last_used_service": "N/A",
            "cert_1_active": "false",
            "cert_1_last_rotated": "N/A",
            "cert_2_active": "false",
            "cert_2_last_rotated": "N/A"
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [
          "CCC_INFRA_DONT_DELETE:True",
          "Preexisting:20251012"
        ],
        "name": "terraform-user-access-key-1",
        "type": "AwsIamUser",
        "uid": "arn:aws:iam::211203495394:user/terraform-user"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** and limit static credentials:\n- Rotate active access keys at or before `90 days`\n- Prefer **IAM roles** with short-lived tokens\n- Maintain only one active key during rotation; delete the old one\n- Monitor `last_used` and remove dormant keys\n- Automate alerts and periodic reviews of key age",
      "references": [
        "https://hub.prowler.com/check/iam_rotate_access_key_90_days"
      ]
    },
    "risk_details": "Long-lived access keys widen the attack window. If a key is leaked in code, logs, or tooling, lack of rotation keeps it valid for abuse, enabling unauthorized API calls, data exfiltration, and tampering. This degrades **confidentiality** and **integrity** and can impact **availability** and cost through destructive or excessive operations.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "SecurityAudit policy is not attached to any role.",
    "metadata": {
      "event_code": "iam_securityaudit_role_created",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "SecurityAudit policy is not attached to any role.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SecurityAudit.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/iam_example_iam_AttachRolePolicy_section.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "1.2.4",
          "2.1.1",
          "2.1.2.a",
          "2.1.2.e",
          "2.1.2.f",
          "2.2.1",
          "2.3.1",
          "3.1.2.c",
          "3.1.3",
          "6.2.2.a",
          "7.2.d",
          "7.2.e",
          "7.2.f"
        ],
        "CSA-CCM-4.0": [
          "IAM-04"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "OIS-02.01B",
          "OIS-02.02B",
          "OIS-04.01B",
          "HR-04.01B",
          "IAM-01.01B",
          "IAM-01.04B",
          "IAM-05.02B",
          "IAM-06.06B",
          "DEV-15.01B",
          "SIM-01.02B",
          "SIM-01.03B",
          "COM-02.02B",
          "COM-03.02B",
          "INQ-02.01B",
          "PSS-09.01AC"
        ],
        "ISO27001-2022": [
          "A.5.3"
        ],
        "ENS-RD2022": [
          "op.acc.3.r2.aws.iam.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM roles** with the AWS managed `SecurityAudit` policy (`arn:aws:iam::aws:policy/SecurityAudit`) are identified. The focus is on whether a role exists that grants read-only visibility into security-relevant configuration across AWS services.",
      "title": "At least one IAM role has the SecurityAudit AWS managed policy attached",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_securityaudit_role_created-211203495394-us-east-1-SecurityAudit"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "SecurityAudit",
        "type": "AwsIamPolicy",
        "uid": "arn:aws:iam::aws:policy/SecurityAudit"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Establish a dedicated **audit role** and attach the AWS managed `SecurityAudit` policy. Enforce **least privilege** and **separation of duties**: restrict who can assume it, require **MFA**, monitor usage, and avoid write permissions. Prefer **federated access** and regularly review and rotate access.",
      "references": [
        "https://hub.prowler.com/check/iam_securityaudit_role_created"
      ]
    },
    "risk_details": "Without a dedicated **read-only audit role**, security teams lack safe visibility into configs and logs, enabling **undetected misconfigurations**, slower incident triage, and reliance on over-privileged access. This erodes **confidentiality** and **integrity** by letting exposure persist unnoticed.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Support Access policy is not attached to any role.",
    "metadata": {
      "event_code": "iam_support_role_created",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Support Access policy is not attached to any role.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-sup.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/support-role.html",
        "https://icompaas.freshdesk.com/support/solutions/articles/62000081064-ensure-a-support-role-has-been-created-to-manage-incidents-with-aws-support",
        "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSupportAccess.html"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "NIS2": [
          "2.1.1",
          "2.1.2.a",
          "2.2.1",
          "3.1.2.d",
          "4.3.2.a",
          "5.1.7.b"
        ],
        "CIS-6.0": [
          "2.16"
        ],
        "CIS-2.0": [
          "1.17"
        ],
        "CSA-CCM-4.0": [
          "IAM-04"
        ],
        "GDPR": [
          "article_25"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2",
          "2.11.1"
        ],
        "ProwlerThreatScore-1.0": [
          "1.2.3"
        ],
        "CIS-4.0.1": [
          "1.17"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC10-BP01"
        ],
        "CIS-3.0": [
          "1.17"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2",
          "2.11.1"
        ],
        "C5-2025": [
          "OIS-02.01B",
          "OIS-02.02B",
          "HR-04.01B",
          "OPS-13.02B",
          "OPS-13.03AC",
          "OPS-17.02B",
          "OPS-24.01B",
          "OPS-24.02B",
          "IAM-01.01B",
          "IAM-01.04B",
          "IAM-06.06B",
          "DEV-15.01B",
          "SSO-05.06B",
          "SIM-01.02B",
          "SIM-01.03B"
        ],
        "CIS-1.4": [
          "1.17"
        ],
        "CIS-5.0": [
          "1.16"
        ],
        "CIS-1.5": [
          "1.17"
        ],
        "AWS-Account-Security-Onboarding": [
          "Predefine IAM Roles"
        ],
        "ENS-RD2022": [
          "op.acc.3.r1.aws.iam.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Presence of an **IAM role** that has the AWS managed `AWSSupportAccess` policy attached, designating a support role for interacting with **AWS Support Center** and related tooling.",
      "title": "At least one IAM role has the AWSSupportAccess managed policy attached",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_support_role_created-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsIamRole",
        "uid": "arn:aws:iam::aws:policy/AWSSupportAccess"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Create a dedicated IAM role for AWS Support with `AWSSupportAccess` and:\n- Restrict who can assume it; require MFA and time-bound access\n- Enforce **least privilege** and **separation of duties**\n- Monitor usage via audit logs and review assignments regularly",
      "references": [
        "https://hub.prowler.com/check/iam_support_role_created"
      ]
    },
    "risk_details": "Without a dedicated support role:\n- Case creation and escalation can be delayed, prolonging outages (**availability**)\n- Teams may use admin/root, increasing blast radius (**confidentiality/integrity**)\n- Audit trails of support actions are weaker, hindering investigations",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "User <root_account> does not have access keys.",
    "metadata": {
      "event_code": "iam_user_accesskey_unused",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "User <root_account> does not have access keys.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "secrets"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement-staging/knowledge-base/aws/IAM/access-keys-rotated-45-days.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "11.5.4"
        ],
        "HIPAA": [
          "164_308_a_3_ii_b",
          "164_308_a_4_ii_c",
          "164_308_a_5_ii_d"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-3"
        ],
        "CIS-6.0": [
          "2.11"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam",
          "ksi-iam-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_2_3_a",
          "ac_2_3_b",
          "ac_2_3_c",
          "ac_2_3_d",
          "ac_2_3",
          "ac_2_6",
          "ac_2_g",
          "ac_2_j",
          "ac_3",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_7",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_6",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "mp_2",
          "sc_23_3"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002",
          "IAM-0012"
        ],
        "CCC-v2025.10": [
          "CCC.IAM.CN07.AR01",
          "CCC.IAM.CN08.AR01"
        ],
        "PCI-3.2.1": [
          "8.1",
          "8.1.4"
        ],
        "CIS-2.0": [
          "1.12"
        ],
        "CSA-CCM-4.0": [
          "IAM-03",
          "IAM-07",
          "IAM-08"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3"
        ],
        "PCI-4.0": [
          "7.2.4.2",
          "7.2.5.1.2",
          "8.2.6.2",
          "A3.4.1.10"
        ],
        "FFIEC": [
          "d3-pc-am-b-6"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.7.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.1.10"
        ],
        "CIS-4.0.1": [
          "1.12"
        ],
        "CIS-3.0": [
          "1.12"
        ],
        "KISA-ISMS-P-2023": [
          "2.7.2",
          "2.10.2"
        ],
        "SOC2": [
          "cc_1_3"
        ],
        "C5-2025": [
          "IAM-03.02B",
          "IAM-03.03B",
          "IAM-03.01AS",
          "IAM-05.04B",
          "IAM-10.01B",
          "CRY-03.01B"
        ],
        "ISO27001-2022": [
          "A.5.15"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.8",
          "IAM.22",
          "IAM.26"
        ],
        "SecNumCloud-3.2": [
          "9.2",
          "9.4"
        ],
        "CIS-1.4": [
          "1.12"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_3",
          "ac_2",
          "ac_3",
          "ac_6"
        ],
        "NIST-CSF-1.1": [
          "ac_1",
          "ac_4"
        ],
        "CIS-5.0": [
          "1.11"
        ],
        "CIS-1.5": [
          "1.12"
        ],
        "NIST-CSF-2.0": [
          "ac_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ac-2-3",
          "ac-3",
          "ac-5-c",
          "ac-6"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g",
          "11.300-b"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_1_4",
          "3_1_5",
          "3_5_6",
          "3_5_7",
          "3_5_8"
        ],
        "ENS-RD2022": [
          "op.acc.6.aws.iam.2",
          "op.acc.6.aws.iam.3",
          "op.acc.6.r7.aws.iam.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1550",
          "T1110"
        ],
        "ISO27001-2013": [
          "A.9.2.M",
          "A.9.3.J",
          "A.9.4.M"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM users** are evaluated for **active access keys** whose `last-used` timestamp is more than `max_unused_access_keys_days` days old (default `45`). Users without access keys, or whose keys were used within this window, are reported separately.",
      "title": "IAM user does not have unused access keys older than 45 days",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_user_accesskey_unused-211203495394-us-east-1-<root_account>"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "user": "<root_account>",
            "arn": "arn:aws:iam::211203495394:root",
            "user_creation_time": "2025-10-03T16:10:08Z",
            "password_enabled": "true",
            "password_last_used": "2026-04-09T09:51:05Z",
            "password_last_changed": "2025-10-03T16:10:08Z",
            "password_next_rotation": "not_supported",
            "mfa_active": "true",
            "access_key_1_active": "false",
            "access_key_1_last_rotated": "N/A",
            "access_key_1_last_used_date": "N/A",
            "access_key_1_last_used_region": "N/A",
            "access_key_1_last_used_service": "N/A",
            "access_key_2_active": "false",
            "access_key_2_last_rotated": "N/A",
            "access_key_2_last_used_date": "N/A",
            "access_key_2_last_used_region": "N/A",
            "access_key_2_last_used_service": "N/A",
            "cert_1_active": "false",
            "cert_1_last_rotated": "N/A",
            "cert_2_active": "false",
            "cert_2_last_rotated": "N/A"
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "<root_account>",
        "type": "AwsIamUser",
        "uid": "arn:aws:iam::211203495394:root"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Disable or delete **unused access keys** promptly and prefer **IAM roles** with temporary credentials. Enforce **least privilege**, rotation, and time-bounded access. Monitor `last-used` metadata and automate deactivation of idle keys. Use federation/SSO to avoid long-lived user keys.",
      "references": [
        "https://hub.prowler.com/check/iam_user_accesskey_unused"
      ]
    },
    "risk_details": "Active yet unused keys expand the attack surface. If leaked, adversaries gain API access for data exfiltration, unauthorized changes, and resource abuse, harming **confidentiality**, **integrity**, and **availability**. Stale credentials also enable persistence and unexpected cost spikes.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "User terraform-user does not have unused access keys for 45 days.",
    "metadata": {
      "event_code": "iam_user_accesskey_unused",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "User terraform-user does not have unused access keys for 45 days.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "secrets"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement-staging/knowledge-base/aws/IAM/access-keys-rotated-45-days.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "11.5.4"
        ],
        "HIPAA": [
          "164_308_a_3_ii_b",
          "164_308_a_4_ii_c",
          "164_308_a_5_ii_d"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-3"
        ],
        "CIS-6.0": [
          "2.11"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam",
          "ksi-iam-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_2_3_a",
          "ac_2_3_b",
          "ac_2_3_c",
          "ac_2_3_d",
          "ac_2_3",
          "ac_2_6",
          "ac_2_g",
          "ac_2_j",
          "ac_3",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_7",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_6",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "mp_2",
          "sc_23_3"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-002",
          "IAM-0012"
        ],
        "CCC-v2025.10": [
          "CCC.IAM.CN07.AR01",
          "CCC.IAM.CN08.AR01"
        ],
        "PCI-3.2.1": [
          "8.1",
          "8.1.4"
        ],
        "CIS-2.0": [
          "1.12"
        ],
        "CSA-CCM-4.0": [
          "IAM-03",
          "IAM-07",
          "IAM-08"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3"
        ],
        "PCI-4.0": [
          "7.2.4.2",
          "7.2.5.1.2",
          "8.2.6.2",
          "A3.4.1.10"
        ],
        "FFIEC": [
          "d3-pc-am-b-6"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.7.2",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.1.10"
        ],
        "CIS-4.0.1": [
          "1.12"
        ],
        "CIS-3.0": [
          "1.12"
        ],
        "KISA-ISMS-P-2023": [
          "2.7.2",
          "2.10.2"
        ],
        "SOC2": [
          "cc_1_3"
        ],
        "C5-2025": [
          "IAM-03.02B",
          "IAM-03.03B",
          "IAM-03.01AS",
          "IAM-05.04B",
          "IAM-10.01B",
          "CRY-03.01B"
        ],
        "ISO27001-2022": [
          "A.5.15"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.8",
          "IAM.22",
          "IAM.26"
        ],
        "SecNumCloud-3.2": [
          "9.2",
          "9.4"
        ],
        "CIS-1.4": [
          "1.12"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_3",
          "ac_2",
          "ac_3",
          "ac_6"
        ],
        "NIST-CSF-1.1": [
          "ac_1",
          "ac_4"
        ],
        "CIS-5.0": [
          "1.11"
        ],
        "CIS-1.5": [
          "1.12"
        ],
        "NIST-CSF-2.0": [
          "ac_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ac-2-3",
          "ac-3",
          "ac-5-c",
          "ac-6"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g",
          "11.300-b"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_1_4",
          "3_1_5",
          "3_5_6",
          "3_5_7",
          "3_5_8"
        ],
        "ENS-RD2022": [
          "op.acc.6.aws.iam.2",
          "op.acc.6.aws.iam.3",
          "op.acc.6.r7.aws.iam.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1550",
          "T1110"
        ],
        "ISO27001-2013": [
          "A.9.2.M",
          "A.9.3.J",
          "A.9.4.M"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM users** are evaluated for **active access keys** whose `last-used` timestamp is more than `max_unused_access_keys_days` days old (default `45`). Users without access keys, or whose keys were used within this window, are reported separately.",
      "title": "IAM user does not have unused access keys older than 45 days",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_user_accesskey_unused-211203495394-us-east-1-terraform-user"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "user": "terraform-user",
            "arn": "arn:aws:iam::211203495394:user/terraform-user",
            "user_creation_time": "2025-10-06T15:56:43Z",
            "password_enabled": "false",
            "password_last_used": "N/A",
            "password_last_changed": "N/A",
            "password_next_rotation": "N/A",
            "mfa_active": "false",
            "access_key_1_active": "true",
            "access_key_1_last_rotated": "2025-10-06T15:57:15Z",
            "access_key_1_last_used_date": "2026-04-09T10:22:00Z",
            "access_key_1_last_used_region": "us-east-1",
            "access_key_1_last_used_service": "cloudtrail",
            "access_key_2_active": "false",
            "access_key_2_last_rotated": "N/A",
            "access_key_2_last_used_date": "N/A",
            "access_key_2_last_used_region": "N/A",
            "access_key_2_last_used_service": "N/A",
            "cert_1_active": "false",
            "cert_1_last_rotated": "N/A",
            "cert_2_active": "false",
            "cert_2_last_rotated": "N/A"
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [
          "CCC_INFRA_DONT_DELETE:True",
          "Preexisting:20251012"
        ],
        "name": "terraform-user",
        "type": "AwsIamUser",
        "uid": "arn:aws:iam::211203495394:user/terraform-user"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Disable or delete **unused access keys** promptly and prefer **IAM roles** with temporary credentials. Enforce **least privilege**, rotation, and time-bounded access. Monitor `last-used` metadata and automate deactivation of idle keys. Use federation/SSO to avoid long-lived user keys.",
      "references": [
        "https://hub.prowler.com/check/iam_user_accesskey_unused"
      ]
    },
    "risk_details": "Active yet unused keys expand the attack surface. If leaked, adversaries gain API access for data exfiltration, unauthorized changes, and resource abuse, harming **confidentiality**, **integrity**, and **availability**. Stale credentials also enable persistence and unexpected cost spikes.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "IAM User terraform-user has AdministratorAccess policy attached.",
    "metadata": {
      "event_code": "iam_user_administrator_access_policy",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "IAM User terraform-user has AdministratorAccess policy attached.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/admin-permissions.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
      ],
      "notes": "",
      "compliance": {
        "CCC-v2025.10": [
          "CCC.Core.CN05.AR01",
          "CCC.Core.CN05.AR02"
        ],
        "CSA-CCM-4.0": [
          "IAM-05"
        ],
        "PCI-4.0": [
          "7.2.1.19",
          "7.2.2.19",
          "7.2.5.13",
          "7.3.1.13",
          "7.3.2.13",
          "7.3.3.13",
          "8.2.7.13",
          "8.2.8.15",
          "8.3.4.13"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.1",
          "2.5.5",
          "2.5.6",
          "2.10.2"
        ],
        "C5-2025": [
          "OIS-04.03B",
          "SP-01.04B",
          "HR-01.01B",
          "IAM-01.01B",
          "IAM-01.04B",
          "IAM-10.01B"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "NIST-CSF-2.0": [
          "rr_1",
          "rr_2",
          "po_1",
          "am_6",
          "ac_4"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM users** are evaluated for a direct attachment of the AWS managed policy `AdministratorAccess`. The finding identifies identities where this policy appears among the user's attached policies.",
      "title": "IAM user does not have AdministratorAccess policy attached",
      "types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Privilege Escalation"
      ],
      "uid": "prowler-aws-iam_user_administrator_access_policy-211203495394-us-east-1-terraform-user"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "terraform-user",
            "arn": "arn:aws:iam::211203495394:user/terraform-user",
            "mfa_devices": [],
            "password_last_used": null,
            "console_access": false,
            "attached_policies": [
              {
                "PolicyName": "AdministratorAccess",
                "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
              }
            ],
            "inline_policies": [],
            "tags": [
              {
                "Key": "CCC_INFRA_DONT_DELETE",
                "Value": "True"
              },
              {
                "Key": "Preexisting",
                "Value": "20251012"
              }
            ]
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [
          "CCC_INFRA_DONT_DELETE:True",
          "Preexisting:20251012"
        ],
        "name": "terraform-user",
        "type": "AwsIamUser",
        "uid": "arn:aws:iam::211203495394:user/terraform-user"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Remove direct `AdministratorAccess` from users.\n- Apply **least privilege** with scoped policies\n- Use **federation** and **roles** for temporary admin access\n- Enforce **separation of duties** and approvals\n- Add guardrails (SCPs, permissions boundaries)\n- Require **MFA** and rotate any remaining long-lived credentials",
      "references": [
        "https://hub.prowler.com/check/iam_user_administrator_access_policy"
      ]
    },
    "risk_details": "Assigning an IAM user full admin rights concentrates power in long-lived credentials. If compromised, attackers gain:\n- **Confidentiality**: read/export all data\n- **Integrity**: change configs, policies, code\n- **Availability**: delete resources, disrupt services\nAlso enables persistence and uncontrolled spend.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "User terraform-user does not have console access enabled or is unused.",
    "metadata": {
      "event_code": "iam_user_console_access_unused",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "User terraform-user does not have console access enabled or is unused.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "11.3.2.d",
          "11.5.4"
        ],
        "HIPAA": [
          "164_308_a_3_ii_b",
          "164_308_a_4_ii_c",
          "164_308_a_5_ii_d"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-3"
        ],
        "CIS-6.0": [
          "2.11"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam",
          "ksi-iam-07"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_2_3_a",
          "ac_2_3_b",
          "ac_2_3_c",
          "ac_2_3_d",
          "ac_2_3",
          "ac_2_6",
          "ac_2_g",
          "ac_2_j",
          "ac_3",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_7",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_6",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "mp_2",
          "sc_23_3"
        ],
        "CCC-v2025.10": [
          "CCC.IAM.CN07.AR01",
          "CCC.IAM.CN08.AR01"
        ],
        "PCI-3.2.1": [
          "8.1",
          "8.1.4"
        ],
        "CIS-2.0": [
          "1.12"
        ],
        "CSA-CCM-4.0": [
          "IAM-03",
          "IAM-07",
          "IAM-08"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3"
        ],
        "FFIEC": [
          "d3-pc-am-b-6"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.3",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.1.10"
        ],
        "CIS-4.0.1": [
          "1.12"
        ],
        "CIS-3.0": [
          "1.12"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.3",
          "2.10.2"
        ],
        "SOC2": [
          "cc_1_3"
        ],
        "C5-2025": [
          "OPS-05.02AC",
          "IAM-03.02B",
          "IAM-03.03B",
          "IAM-03.01AS",
          "IAM-05.04B",
          "IAM-10.01B"
        ],
        "ISO27001-2022": [
          "A.5.15"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.8",
          "IAM.22",
          "IAM.26"
        ],
        "SecNumCloud-3.2": [
          "9.2",
          "9.4"
        ],
        "CIS-1.4": [
          "1.12"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_3",
          "ac_2",
          "ac_3",
          "ac_6"
        ],
        "NIST-CSF-1.1": [
          "ac_1",
          "ac_4"
        ],
        "CIS-5.0": [
          "1.11"
        ],
        "CIS-1.5": [
          "1.12"
        ],
        "NIST-CSF-2.0": [
          "ac_1"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ac-2-3",
          "ac-3",
          "ac-5-c",
          "ac-6"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g",
          "11.300-b"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_1_4",
          "3_1_5",
          "3_5_6",
          "3_5_7",
          "3_5_8"
        ],
        "ENS-RD2022": [
          "op.acc.6.aws.iam.2",
          "op.acc.6.aws.iam.3",
          "op.acc.6.r7.aws.iam.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1550",
          "T1110"
        ],
        "ISO27001-2013": [
          "A.9.2.M",
          "A.9.3.J",
          "A.9.4.M"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM users** with console access are evaluated by `password_last_used`. Inactivity beyond `max_console_access_days` (default `45`) marks **stale console access**.\n\n*Users without console access are excluded*.",
      "title": "IAM user console access is disabled, used within the configured inactivity period, or never used",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access"
      ],
      "uid": "prowler-aws-iam_user_console_access_unused-211203495394-us-east-1-terraform-user"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "terraform-user",
            "arn": "arn:aws:iam::211203495394:user/terraform-user",
            "mfa_devices": [],
            "password_last_used": null,
            "console_access": false,
            "attached_policies": [
              {
                "PolicyName": "AdministratorAccess",
                "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
              }
            ],
            "inline_policies": [],
            "tags": [
              {
                "Key": "CCC_INFRA_DONT_DELETE",
                "Value": "True"
              },
              {
                "Key": "Preexisting",
                "Value": "20251012"
              }
            ]
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [
          "CCC_INFRA_DONT_DELETE:True",
          "Preexisting:20251012"
        ],
        "name": "terraform-user",
        "type": "AwsIamUser",
        "uid": "arn:aws:iam::211203495394:user/terraform-user"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Remove or disable console passwords for users inactive beyond your window (e.g., `45` days). Prefer roles or federation over long-lived IAM users. Enforce **least privilege**, require **MFA** for remaining console users, and run periodic reviews and deprovisioning to prevent unused credentials.",
      "references": [
        "https://hub.prowler.com/check/iam_user_console_access_unused"
      ]
    },
    "risk_details": "**Dormant console credentials** stay valid and invite **password spraying**, **credential stuffing**, and breach reuse. Compromise yields interactive access for data discovery/exfiltration and unauthorized IAM or resource changes, degrading **confidentiality** and **integrity**, and risking **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "User terraform-user does not have any type of MFA enabled.",
    "metadata": {
      "event_code": "iam_user_hardware_mfa_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "User terraform-user does not have any type of MFA enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html",
        "https://support.icompaas.com/support/solutions/articles/62000236278-ensure-iam-users-have-hardware-mfa-enabled"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "11.7.2"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-001",
          "IAM-0012"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN03.AR01",
          "CCC.Core.CN03.AR03",
          "CCC.Core.CN05.AR06"
        ],
        "CSA-CCM-4.0": [
          "IAM-14"
        ],
        "CISA": [
          "booting-up-thing-to-do-first-2"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.3",
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP01"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.3",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-16.01B",
          "IAM-08.05B",
          "IAM-09.02B",
          "IAM-09.01AC",
          "PSS-05.01B",
          "PSS-07.02B"
        ],
        "ISO27001-2022": [
          "A.8.5"
        ],
        "SecNumCloud-3.2": [
          "9.6"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1098",
          "T1556",
          "T1550",
          "T1110",
          "T1040"
        ],
        "AWS-Audit-Manager-Control-Tower-Guardrails": [
          "3.0.1",
          "3.0.2"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM users** are evaluated for **hardware MFA** enrollment, identifying physical tokens or security keys and distinguishing them from *virtual* or *SMS* MFA, as well as users without any MFA.",
      "title": "IAM user has hardware MFA enabled",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access",
        "TTPs/Credential Access"
      ],
      "uid": "prowler-aws-iam_user_hardware_mfa_enabled-211203495394-us-east-1-terraform-user"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "terraform-user",
            "arn": "arn:aws:iam::211203495394:user/terraform-user",
            "mfa_devices": [],
            "password_last_used": null,
            "console_access": false,
            "attached_policies": [
              {
                "PolicyName": "AdministratorAccess",
                "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
              }
            ],
            "inline_policies": [],
            "tags": [
              {
                "Key": "CCC_INFRA_DONT_DELETE",
                "Value": "True"
              },
              {
                "Key": "Preexisting",
                "Value": "20251012"
              }
            ]
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [
          "CCC_INFRA_DONT_DELETE:True",
          "Preexisting:20251012"
        ],
        "name": "terraform-user",
        "type": "AwsIamUser",
        "uid": "arn:aws:iam::211203495394:user/terraform-user"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Require **hardware-backed MFA** for all IAM users. Prefer **FIDO2 security keys** for phishing resistance over TOTP or SMS. Disallow SMS/virtual MFA for privileged roles. Enforce MFA for all access paths, apply **least privilege**, and provision multiple MFA devices per user for continuity.",
      "references": [
        "https://hub.prowler.com/check/iam_user_hardware_mfa_enabled"
      ]
    },
    "risk_details": "Without **hardware MFA**, authentication is weaker:\n- **SIM-swap** can bypass SMS\n- **Phishing** can steal TOTP from virtual apps\n- No MFA allows password-only takeover\nThis enables unauthorized console/API access, causing data exfiltration (C), privilege abuse (I), and service disruption (A).",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "User terraform-user does not have Console Password enabled.",
    "metadata": {
      "event_code": "iam_user_mfa_enabled_console_access",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "User terraform-user does not have Console Password enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/iam-user-multi-factor-authentication-enabled.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "11.1.2.c",
          "11.3.2.a",
          "11.4.2.c",
          "11.6.1",
          "11.7.2"
        ],
        "HIPAA": [
          "164_308_a_3_ii_a",
          "164_312_a_1",
          "164_312_d"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ia-2"
        ],
        "CIS-6.0": [
          "2.9"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "NIST-800-53-Revision-5": [
          "ac_2_1",
          "ac_3_2",
          "ac_3_3",
          "ac_3_3_a",
          "ac_3_3_b_1",
          "ac_3_3_b_2",
          "ac_3_3_b_3",
          "ac_3_3_b_4",
          "ac_3_3_b_5",
          "ac_3_3_c",
          "ac_3_4",
          "ac_3_4_a",
          "ac_3_4_b",
          "ac_3_4_c",
          "ac_3_4_d",
          "ac_3_4_e",
          "ac_3_8",
          "ac_3_12_a",
          "ac_3_13",
          "ac_3_15_a",
          "ac_3_15_b",
          "ac_4_28",
          "ac_7_4",
          "ac_7_4_a",
          "ac_24",
          "cm_5_1_a",
          "cm_6_a",
          "cm_9_b",
          "ia_2_1",
          "ia_2_2",
          "ia_2_6",
          "ia_2_6_a",
          "ia_2_8",
          "sc_23_3"
        ],
        "AWS-Foundational-Technical-Review": [
          "IAM-001",
          "IAM-0012"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN03.AR01",
          "CCC.Core.CN03.AR03",
          "CCC.Core.CN05.AR02",
          "CCC.Core.CN05.AR06"
        ],
        "PCI-3.2.1": [
          "8.3",
          "8.3.1",
          "8.3.1.a",
          "8.3.2",
          "8.3.2.a",
          "8.6",
          "8.6.c"
        ],
        "CIS-2.0": [
          "1.10"
        ],
        "CSA-CCM-4.0": [
          "IAM-13",
          "IAM-14"
        ],
        "GDPR": [
          "article_25"
        ],
        "CISA": [
          "your-systems-3",
          "your-surroundings-2",
          "booting-up-thing-to-do-first-2"
        ],
        "PCI-4.0": [
          "8.4.1.1",
          "8.4.1.2",
          "8.4.2.1",
          "8.4.2.2",
          "8.4.3.1",
          "8.4.3.2"
        ],
        "FFIEC": [
          "d3-pc-am-b-15",
          "d3-pc-am-b-6"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.3",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "1.1.3"
        ],
        "CIS-4.0.1": [
          "1.10"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP01"
        ],
        "CIS-3.0": [
          "1.10"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.3",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-05.02AC",
          "OPS-16.01B",
          "IAM-04.06B",
          "IAM-06.09B",
          "IAM-08.02B",
          "IAM-08.05B",
          "IAM-09.02B",
          "IAM-09.01AC",
          "IAM-10.01B",
          "PSS-05.01B",
          "PSS-07.01B",
          "PSS-07.02B"
        ],
        "ISO27001-2022": [
          "A.5.15",
          "A.5.17",
          "A.8.5"
        ],
        "AWS-Foundational-Security-Best-Practices": [
          "IAM.5",
          "IAM.19"
        ],
        "SecNumCloud-3.2": [
          "9.5"
        ],
        "CIS-1.4": [
          "1.10"
        ],
        "NIST-800-53-Revision-4": [
          "ia_2_1",
          "ia_2_2",
          "ia_2_11"
        ],
        "NIST-CSF-1.1": [
          "ac_3",
          "ac_7"
        ],
        "CIS-5.0": [
          "1.9"
        ],
        "CIS-1.5": [
          "1.10"
        ],
        "NIST-CSF-2.0": [
          "ac_7"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-f",
          "ac-2-j",
          "ia-2-1-2",
          "ia-2-1"
        ],
        "GxP-21-CFR-Part-11": [
          "11.10-d",
          "11.10-g",
          "11.200"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_1",
          "3_1_2",
          "3_1_14",
          "3_5_2",
          "3_5_3"
        ],
        "ENS-RD2022": [
          "op.acc.6.r2.aws.iam.1",
          "op.acc.6.r4.aws.iam.1",
          "op.acc.6.r8.aws.iam.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1098",
          "T1556",
          "T1550",
          "T1110",
          "T1040",
          "T1538"
        ],
        "ISO27001-2013": [
          "A.9.2.J",
          "A.9.3.H",
          "A.9.4.J"
        ],
        "AWS-Audit-Manager-Control-Tower-Guardrails": [
          "3.0.1",
          "3.0.2",
          "3.0.3"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM users** that have a console password are expected to have **multi-factor authentication** enabled. The evaluation identifies users who can sign in to the AWS Management Console but do not have an active MFA device associated.",
      "title": "IAM user has MFA enabled for console access or no console password is set",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
        "TTPs/Initial Access",
        "TTPs/Credential Access"
      ],
      "uid": "prowler-aws-iam_user_mfa_enabled_console_access-211203495394-us-east-1-terraform-user"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "user": "terraform-user",
            "arn": "arn:aws:iam::211203495394:user/terraform-user",
            "user_creation_time": "2025-10-06T15:56:43Z",
            "password_enabled": "false",
            "password_last_used": "N/A",
            "password_last_changed": "N/A",
            "password_next_rotation": "N/A",
            "mfa_active": "false",
            "access_key_1_active": "true",
            "access_key_1_last_rotated": "2025-10-06T15:57:15Z",
            "access_key_1_last_used_date": "2026-04-09T10:22:00Z",
            "access_key_1_last_used_region": "us-east-1",
            "access_key_1_last_used_service": "cloudtrail",
            "access_key_2_active": "false",
            "access_key_2_last_rotated": "N/A",
            "access_key_2_last_used_date": "N/A",
            "access_key_2_last_used_region": "N/A",
            "access_key_2_last_used_service": "N/A",
            "cert_1_active": "false",
            "cert_1_last_rotated": "N/A",
            "cert_2_active": "false",
            "cert_2_last_rotated": "N/A"
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [
          "CCC_INFRA_DONT_DELETE:True",
          "Preexisting:20251012"
        ],
        "name": "terraform-user",
        "type": "AwsIamUser",
        "uid": "arn:aws:iam::211203495394:user/terraform-user"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enforce **MFA** for all console-capable IAM users; prefer **phishing-resistant** authenticators (FIDO2/security keys) and register backups. Remove console passwords for users that don't need them and favor **federation/SSO**. Apply least privilege and require MFA for sensitive actions to prevent unauthorized changes.",
      "references": [
        "https://hub.prowler.com/check/iam_user_mfa_enabled_console_access"
      ]
    },
    "risk_details": "Without **MFA**, a stolen or brute-forced password grants full interactive access. Attackers can: - Change policies or keys - Exfiltrate data - Create backdoor users - Disable logging. This enables account takeover, threatens confidentiality and integrity, and can disrupt availability.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "User <root_account> does not have access keys or uses the access keys configured.",
    "metadata": {
      "event_code": "iam_user_no_setup_initial_access_key",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "User <root_account> does not have access keys or uses the access keys configured.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "secrets"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html",
        "https://support.icompaas.com/support/solutions/articles/62000228293-ensure-there-is-only-one-active-access-key-available-for-any-single-iam-user"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "NIS2": [
          "9.2.c",
          "9.2.c.iii"
        ],
        "CIS-6.0": [
          "2.10"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN03.AR02",
          "CCC.Core.CN03.AR04",
          "CCC.IAM.CN01.AR01",
          "CCC.IAM.CN01.AR02"
        ],
        "CIS-2.0": [
          "1.11"
        ],
        "CSA-CCM-4.0": [
          "IAM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.7.2",
          "2.10.2"
        ],
        "CIS-4.0.1": [
          "1.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP01"
        ],
        "CIS-3.0": [
          "1.11"
        ],
        "KISA-ISMS-P-2023": [
          "2.7.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-05.02AC",
          "IAM-10.01B",
          "CRY-03.01B",
          "PSS-07.01B"
        ],
        "CIS-1.4": [
          "1.11"
        ],
        "CIS-5.0": [
          "1.1"
        ],
        "CIS-1.5": [
          "1.11"
        ],
        "ENS-RD2022": [
          "op.acc.6.aws.iam.4"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1550"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM users** with a console password and active **access keys** that have `last_used` as `N/A` are identified.\n\nThis highlights accounts where programmatic credentials exist but have never been exercised.",
      "title": "IAM user does not have active access keys that have never been used",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_user_no_setup_initial_access_key-211203495394-us-east-1-<root_account>"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "user": "<root_account>",
            "arn": "arn:aws:iam::211203495394:root",
            "user_creation_time": "2025-10-03T16:10:08Z",
            "password_enabled": "true",
            "password_last_used": "2026-04-09T09:51:05Z",
            "password_last_changed": "2025-10-03T16:10:08Z",
            "password_next_rotation": "not_supported",
            "mfa_active": "true",
            "access_key_1_active": "false",
            "access_key_1_last_rotated": "N/A",
            "access_key_1_last_used_date": "N/A",
            "access_key_1_last_used_region": "N/A",
            "access_key_1_last_used_service": "N/A",
            "access_key_2_active": "false",
            "access_key_2_last_rotated": "N/A",
            "access_key_2_last_used_date": "N/A",
            "access_key_2_last_used_region": "N/A",
            "access_key_2_last_used_service": "N/A",
            "cert_1_active": "false",
            "cert_1_last_rotated": "N/A",
            "cert_2_active": "false",
            "cert_2_last_rotated": "N/A"
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "<root_account>",
        "type": "AwsIamUser",
        "uid": "arn:aws:iam::211203495394:root"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** to programmatic access:\n- Do not provision access keys by default for console users\n- Prefer **IAM roles** and temporary credentials\n- Require justification and time-bounded key creation\n- Regularly review usage and disable/delete unused keys\n- Limit to one active key per user and enforce rotation with monitoring",
      "references": [
        "https://hub.prowler.com/check/iam_user_no_setup_initial_access_key"
      ]
    },
    "risk_details": "Active yet unused **access keys** expand the attack surface. If exposed, attackers gain programmatic access for unauthorized API calls, causing data exfiltration (**confidentiality**), unauthorized changes (**integrity**), and service disruption (**availability**). Dormant keys also bloat credential inventory, delaying detection and rotation.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "User terraform-user does not have access keys or uses the access keys configured.",
    "metadata": {
      "event_code": "iam_user_no_setup_initial_access_key",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "User terraform-user does not have access keys or uses the access keys configured.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "secrets"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html",
        "https://support.icompaas.com/support/solutions/articles/62000228293-ensure-there-is-only-one-active-access-key-available-for-any-single-iam-user"
      ],
      "notes": "CAF Security Epic: IAM",
      "compliance": {
        "NIS2": [
          "9.2.c",
          "9.2.c.iii"
        ],
        "CIS-6.0": [
          "2.10"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN03.AR02",
          "CCC.Core.CN03.AR04",
          "CCC.IAM.CN01.AR01",
          "CCC.IAM.CN01.AR02"
        ],
        "CIS-2.0": [
          "1.11"
        ],
        "CSA-CCM-4.0": [
          "IAM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.7.2",
          "2.10.2"
        ],
        "CIS-4.0.1": [
          "1.11"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP01"
        ],
        "CIS-3.0": [
          "1.11"
        ],
        "KISA-ISMS-P-2023": [
          "2.7.2",
          "2.10.2"
        ],
        "C5-2025": [
          "OPS-05.02AC",
          "IAM-10.01B",
          "CRY-03.01B",
          "PSS-07.01B"
        ],
        "CIS-1.4": [
          "1.11"
        ],
        "CIS-5.0": [
          "1.1"
        ],
        "CIS-1.5": [
          "1.11"
        ],
        "ENS-RD2022": [
          "op.acc.6.aws.iam.4"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1550"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM users** with a console password and active **access keys** that have `last_used` as `N/A` are identified.\n\nThis highlights accounts where programmatic credentials exist but have never been exercised.",
      "title": "IAM user does not have active access keys that have never been used",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_user_no_setup_initial_access_key-211203495394-us-east-1-terraform-user"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "user": "terraform-user",
            "arn": "arn:aws:iam::211203495394:user/terraform-user",
            "user_creation_time": "2025-10-06T15:56:43Z",
            "password_enabled": "false",
            "password_last_used": "N/A",
            "password_last_changed": "N/A",
            "password_next_rotation": "N/A",
            "mfa_active": "false",
            "access_key_1_active": "true",
            "access_key_1_last_rotated": "2025-10-06T15:57:15Z",
            "access_key_1_last_used_date": "2026-04-09T10:22:00Z",
            "access_key_1_last_used_region": "us-east-1",
            "access_key_1_last_used_service": "cloudtrail",
            "access_key_2_active": "false",
            "access_key_2_last_rotated": "N/A",
            "access_key_2_last_used_date": "N/A",
            "access_key_2_last_used_region": "N/A",
            "access_key_2_last_used_service": "N/A",
            "cert_1_active": "false",
            "cert_1_last_rotated": "N/A",
            "cert_2_active": "false",
            "cert_2_last_rotated": "N/A"
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [
          "CCC_INFRA_DONT_DELETE:True",
          "Preexisting:20251012"
        ],
        "name": "terraform-user",
        "type": "AwsIamUser",
        "uid": "arn:aws:iam::211203495394:user/terraform-user"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Apply **least privilege** to programmatic access:\n- Do not provision access keys by default for console users\n- Prefer **IAM roles** and temporary credentials\n- Require justification and time-bounded key creation\n- Regularly review usage and disable/delete unused keys\n- Limit to one active key per user and enforce rotation with monitoring",
      "references": [
        "https://hub.prowler.com/check/iam_user_no_setup_initial_access_key"
      ]
    },
    "risk_details": "Active yet unused **access keys** expand the attack surface. If exposed, attackers gain programmatic access for unauthorized API calls, causing data exfiltration (**confidentiality**), unauthorized changes (**integrity**), and service disruption (**availability**). Dormant keys also bloat credential inventory, delaying detection and rotation.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "User <root_account> does not have 2 active access keys.",
    "metadata": {
      "event_code": "iam_user_two_active_access_key",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "User <root_account> does not have 2 active access keys.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "secrets"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/unnecessary-access-keys.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id-credentials-access-keys-update.html",
        "https://support.icompaas.com/support/solutions/articles/62000233813-ensure-iam-users-have-two-active-access-keys",
        "https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "9.2.c"
        ],
        "CIS-6.0": [
          "2.12"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "CCC-v2025.10": [
          "CCC.IAM.CN01.AR01",
          "CCC.IAM.CN01.AR02"
        ],
        "CIS-2.0": [
          "1.13"
        ],
        "CSA-CCM-4.0": [
          "IAM-03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.7.2",
          "2.10.2"
        ],
        "CIS-4.0.1": [
          "1.13"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP01"
        ],
        "CIS-3.0": [
          "1.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.7.2",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-10.01B",
          "CRY-03.01B"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.13"
        ],
        "CIS-5.0": [
          "1.12"
        ],
        "CIS-1.5": [
          "1.13"
        ],
        "NIST-CSF-2.0": [
          "ac_1",
          "ac_6"
        ],
        "ENS-RD2022": [
          "op.acc.6.aws.iam.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1550"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM users** are evaluated for having **two `Active` access keys** simultaneously.\n\nThe check identifies users whose two access key slots are enabled at the same time.",
      "title": "IAM user has at most one active access key",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_user_two_active_access_key-211203495394-us-east-1-<root_account>"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "user": "<root_account>",
            "arn": "arn:aws:iam::211203495394:root",
            "user_creation_time": "2025-10-03T16:10:08Z",
            "password_enabled": "true",
            "password_last_used": "2026-04-09T09:51:05Z",
            "password_last_changed": "2025-10-03T16:10:08Z",
            "password_next_rotation": "not_supported",
            "mfa_active": "true",
            "access_key_1_active": "false",
            "access_key_1_last_rotated": "N/A",
            "access_key_1_last_used_date": "N/A",
            "access_key_1_last_used_region": "N/A",
            "access_key_1_last_used_service": "N/A",
            "access_key_2_active": "false",
            "access_key_2_last_rotated": "N/A",
            "access_key_2_last_used_date": "N/A",
            "access_key_2_last_used_region": "N/A",
            "access_key_2_last_used_service": "N/A",
            "cert_1_active": "false",
            "cert_1_last_rotated": "N/A",
            "cert_2_active": "false",
            "cert_2_last_rotated": "N/A"
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [],
        "name": "<root_account>",
        "type": "AwsIamUser",
        "uid": "arn:aws:iam::211203495394:root"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Maintain **one `Active` access key** per IAM user; permit only a brief overlap for rotation, then promptly deactivate and delete the old key. Prefer **temporary credentials** via roles/federation over long-lived keys. Apply **least privilege**, periodic rotation, and monitor for unused or aged keys.",
      "references": [
        "https://hub.prowler.com/check/iam_user_two_active_access_key"
      ]
    },
    "risk_details": "**Two active keys per user** widen exposure and weaken credential governance.\n- Any leaked key enables unauthorized API actions, risking data exfiltration and resource changes\n- Rotation and response become error-prone, allowing attacker persistence if one key remains unnoticed",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "User terraform-user does not have 2 active access keys.",
    "metadata": {
      "event_code": "iam_user_two_active_access_key",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "User terraform-user does not have 2 active access keys.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "secrets"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/unnecessary-access-keys.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id-credentials-access-keys-update.html",
        "https://support.icompaas.com/support/solutions/articles/62000233813-ensure-iam-users-have-two-active-access-keys",
        "https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "9.2.c"
        ],
        "CIS-6.0": [
          "2.12"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "CCC-v2025.10": [
          "CCC.IAM.CN01.AR01",
          "CCC.IAM.CN01.AR02"
        ],
        "CIS-2.0": [
          "1.13"
        ],
        "CSA-CCM-4.0": [
          "IAM-03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.7.2",
          "2.10.2"
        ],
        "CIS-4.0.1": [
          "1.13"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC02-BP01"
        ],
        "CIS-3.0": [
          "1.13"
        ],
        "KISA-ISMS-P-2023": [
          "2.7.2",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-10.01B",
          "CRY-03.01B"
        ],
        "SecNumCloud-3.2": [
          "9.3"
        ],
        "CIS-1.4": [
          "1.13"
        ],
        "CIS-5.0": [
          "1.12"
        ],
        "CIS-1.5": [
          "1.13"
        ],
        "NIST-CSF-2.0": [
          "ac_1",
          "ac_6"
        ],
        "ENS-RD2022": [
          "op.acc.6.aws.iam.1"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1550"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**IAM users** are evaluated for having **two `Active` access keys** simultaneously.\n\nThe check identifies users whose two access key slots are enabled at the same time.",
      "title": "IAM user has at most one active access key",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
      ],
      "uid": "prowler-aws-iam_user_two_active_access_key-211203495394-us-east-1-terraform-user"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "user": "terraform-user",
            "arn": "arn:aws:iam::211203495394:user/terraform-user",
            "user_creation_time": "2025-10-06T15:56:43Z",
            "password_enabled": "false",
            "password_last_used": "N/A",
            "password_last_changed": "N/A",
            "password_next_rotation": "N/A",
            "mfa_active": "false",
            "access_key_1_active": "true",
            "access_key_1_last_rotated": "2025-10-06T15:57:15Z",
            "access_key_1_last_used_date": "2026-04-09T10:22:00Z",
            "access_key_1_last_used_region": "us-east-1",
            "access_key_1_last_used_service": "cloudtrail",
            "access_key_2_active": "false",
            "access_key_2_last_rotated": "N/A",
            "access_key_2_last_used_date": "N/A",
            "access_key_2_last_used_region": "N/A",
            "access_key_2_last_used_service": "N/A",
            "cert_1_active": "false",
            "cert_1_last_rotated": "N/A",
            "cert_2_active": "false",
            "cert_2_last_rotated": "N/A"
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [
          "CCC_INFRA_DONT_DELETE:True",
          "Preexisting:20251012"
        ],
        "name": "terraform-user",
        "type": "AwsIamUser",
        "uid": "arn:aws:iam::211203495394:user/terraform-user"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Maintain **one `Active` access key** per IAM user; permit only a brief overlap for rotation, then promptly deactivate and delete the old key. Prefer **temporary credentials** via roles/federation over long-lived keys. Apply **least privilege**, periodic rotation, and monitor for unused or aged keys.",
      "references": [
        "https://hub.prowler.com/check/iam_user_two_active_access_key"
      ]
    },
    "risk_details": "**Two active keys per user** widen exposure and weaken credential governance.\n- Any leaked key enables unauthorized API actions, risking data exfiltration and resource changes\n- Rotation and response become error-prone, allowing attacker persistence if one key remains unnoticed",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "User terraform-user has long lived credentials with access to other services than IAM or STS.",
    "metadata": {
      "event_code": "iam_user_with_temporary_credentials",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "User terraform-user has long lived credentials with access to other services than IAM or STS.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access",
        "secrets"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html"
      ],
      "notes": "",
      "compliance": {
        "AWS-Foundational-Technical-Review": [
          "IAM-002",
          "IAM-0012"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.5.3",
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.5.3",
          "2.10.2"
        ],
        "C5-2025": [
          "IAM-01.01B",
          "IAM-01.04B",
          "IAM-03.01B",
          "IAM-03.03B",
          "IAM-03.01AS",
          "IAM-06.01B",
          "IAM-08.02B"
        ],
        "NIST-CSF-2.0": [
          "ac_6"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "IAM users are assessed for activity using **long-lived access keys**. Use of static credentials to access services other than IAM or STS indicates reliance on permanent keys instead of **temporary role-based credentials**.",
      "title": "IAM user does not use long-lived credentials to access services other than IAM or STS",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
        "TTPs/Credential Access"
      ],
      "uid": "prowler-aws-iam_user_with_temporary_credentials-211203495394-us-east-1-terraform-user"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "name": "terraform-user",
            "arn": "arn:aws:iam::211203495394:user/terraform-user"
          }
        },
        "group": {
          "name": "iam"
        },
        "labels": [
          "CCC_INFRA_DONT_DELETE:True",
          "Preexisting:20251012"
        ],
        "name": "terraform-user",
        "type": "AwsIamUser",
        "uid": "arn:aws:iam::211203495394:user/terraform-user"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Adopt **temporary credentials** via IAM roles and federation for humans and workloads. Remove or restrict long-term keys; *if unavoidable*, apply **least privilege**, require **MFA**, rotate aggressively, and monitor usage. Prefer short session durations and session conditions to limit blast radius.",
      "references": [
        "https://hub.prowler.com/check/iam_user_with_temporary_credentials"
      ]
    },
    "risk_details": "Persistent access keys enable attacker **persistence** and replay. Stolen keys allow off-network API calls for data exfiltration, privilege changes, and destructive actions, impacting **confidentiality**, **integrity**, and **availability**. Without expiry, the blast radius grows and containment is harder.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inspector2 is not enabled in this account.",
    "metadata": {
      "event_code": "inspector2_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Inspector2 is not enabled in this account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
        "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
        "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr",
          "ksi-mla",
          "ksi-tpr",
          "ksi-mla-07"
        ],
        "AWS-Foundational-Technical-Review": [
          "SECOPS-001"
        ],
        "CSA-CCM-4.0": [
          "AIS-05",
          "AIS-07",
          "TVM-04",
          "TVM-05",
          "TVM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "C5-2025": [
          "OPS-32.01B",
          "PSS-11.01B"
        ],
        "SecNumCloud-3.2": [
          "12.11",
          "14.6",
          "18.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable and configure AWS Inspector",
          "Scan images for vulnerability on upload to ECR"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1"
        ],
        "ENS-RD2022": [
          "op.exp.4.r4.aws.insp.1",
          "op.mon.3.r2.aws.insp.1",
          "op.mon.3.r6.aws.insp.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1562",
          "T1110",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon Inspector 2** activation and coverage across regions, verifying that scanning is active for **EC2**, **ECR**, **Lambda functions**, and **Lambda code** where applicable.\n\nIt flags missing account activation or gaps in any scan type.",
      "title": "Inspector2 is enabled for Amazon EC2 instances, ECR container images, Lambda functions, and Lambda code",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-inspector2_is_enabled-211203495394-ap-northeast-1-Inspector2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "Inspector2",
            "arn": "arn:aws:inspector2:ap-northeast-1:211203495394:inspector2",
            "region": "ap-northeast-1",
            "status": "DISABLED",
            "ec2_status": "DISABLED",
            "ecr_status": "DISABLED",
            "lambda_status": "DISABLED",
            "lambda_code_status": "DISABLED",
            "active_findings": false
          }
        },
        "group": {
          "name": "inspector2"
        },
        "labels": [],
        "name": "Inspector2",
        "type": "Other",
        "uid": "arn:aws:inspector2:ap-northeast-1:211203495394:inspector2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-1"
    },
    "remediation": {
      "desc": "Enable **Amazon Inspector 2** across all regions and activate scans for **EC2**, **ECR**, **Lambda**, and **Lambda code**.\n\nApply **defense in depth**: auto-enable coverage for new workloads, integrate findings with patching and CI/CD gates, enforce remediation SLAs, and grant only **least privilege** to process and act on findings.",
      "references": [
        "https://hub.prowler.com/check/inspector2_is_enabled"
      ]
    },
    "risk_details": "Absent or partial coverage leaves **unpatched vulnerabilities**, risky **code dependencies**, and **unintended network exposure** undetected.\n\nAttackers can exploit known CVEs for **remote code execution**, **lateral movement**, and **data exfiltration**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inspector2 is not enabled in this account.",
    "metadata": {
      "event_code": "inspector2_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Inspector2 is not enabled in this account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
        "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
        "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr",
          "ksi-mla",
          "ksi-tpr",
          "ksi-mla-07"
        ],
        "AWS-Foundational-Technical-Review": [
          "SECOPS-001"
        ],
        "CSA-CCM-4.0": [
          "AIS-05",
          "AIS-07",
          "TVM-04",
          "TVM-05",
          "TVM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "C5-2025": [
          "OPS-32.01B",
          "PSS-11.01B"
        ],
        "SecNumCloud-3.2": [
          "12.11",
          "14.6",
          "18.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable and configure AWS Inspector",
          "Scan images for vulnerability on upload to ECR"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1"
        ],
        "ENS-RD2022": [
          "op.exp.4.r4.aws.insp.1",
          "op.mon.3.r2.aws.insp.1",
          "op.mon.3.r6.aws.insp.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1562",
          "T1110",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon Inspector 2** activation and coverage across regions, verifying that scanning is active for **EC2**, **ECR**, **Lambda functions**, and **Lambda code** where applicable.\n\nIt flags missing account activation or gaps in any scan type.",
      "title": "Inspector2 is enabled for Amazon EC2 instances, ECR container images, Lambda functions, and Lambda code",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-inspector2_is_enabled-211203495394-ap-northeast-2-Inspector2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "Inspector2",
            "arn": "arn:aws:inspector2:ap-northeast-2:211203495394:inspector2",
            "region": "ap-northeast-2",
            "status": "DISABLED",
            "ec2_status": "DISABLED",
            "ecr_status": "DISABLED",
            "lambda_status": "DISABLED",
            "lambda_code_status": "DISABLED",
            "active_findings": false
          }
        },
        "group": {
          "name": "inspector2"
        },
        "labels": [],
        "name": "Inspector2",
        "type": "Other",
        "uid": "arn:aws:inspector2:ap-northeast-2:211203495394:inspector2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-2"
    },
    "remediation": {
      "desc": "Enable **Amazon Inspector 2** across all regions and activate scans for **EC2**, **ECR**, **Lambda**, and **Lambda code**.\n\nApply **defense in depth**: auto-enable coverage for new workloads, integrate findings with patching and CI/CD gates, enforce remediation SLAs, and grant only **least privilege** to process and act on findings.",
      "references": [
        "https://hub.prowler.com/check/inspector2_is_enabled"
      ]
    },
    "risk_details": "Absent or partial coverage leaves **unpatched vulnerabilities**, risky **code dependencies**, and **unintended network exposure** undetected.\n\nAttackers can exploit known CVEs for **remote code execution**, **lateral movement**, and **data exfiltration**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inspector2 is not enabled in this account.",
    "metadata": {
      "event_code": "inspector2_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Inspector2 is not enabled in this account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
        "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
        "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr",
          "ksi-mla",
          "ksi-tpr",
          "ksi-mla-07"
        ],
        "AWS-Foundational-Technical-Review": [
          "SECOPS-001"
        ],
        "CSA-CCM-4.0": [
          "AIS-05",
          "AIS-07",
          "TVM-04",
          "TVM-05",
          "TVM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "C5-2025": [
          "OPS-32.01B",
          "PSS-11.01B"
        ],
        "SecNumCloud-3.2": [
          "12.11",
          "14.6",
          "18.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable and configure AWS Inspector",
          "Scan images for vulnerability on upload to ECR"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1"
        ],
        "ENS-RD2022": [
          "op.exp.4.r4.aws.insp.1",
          "op.mon.3.r2.aws.insp.1",
          "op.mon.3.r6.aws.insp.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1562",
          "T1110",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon Inspector 2** activation and coverage across regions, verifying that scanning is active for **EC2**, **ECR**, **Lambda functions**, and **Lambda code** where applicable.\n\nIt flags missing account activation or gaps in any scan type.",
      "title": "Inspector2 is enabled for Amazon EC2 instances, ECR container images, Lambda functions, and Lambda code",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-inspector2_is_enabled-211203495394-ap-northeast-3-Inspector2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-3",
        "data": {
          "details": "",
          "metadata": {
            "id": "Inspector2",
            "arn": "arn:aws:inspector2:ap-northeast-3:211203495394:inspector2",
            "region": "ap-northeast-3",
            "status": "DISABLED",
            "ec2_status": "DISABLED",
            "ecr_status": "DISABLED",
            "lambda_status": "DISABLED",
            "lambda_code_status": "DISABLED",
            "active_findings": false
          }
        },
        "group": {
          "name": "inspector2"
        },
        "labels": [],
        "name": "Inspector2",
        "type": "Other",
        "uid": "arn:aws:inspector2:ap-northeast-3:211203495394:inspector2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-3"
    },
    "remediation": {
      "desc": "Enable **Amazon Inspector 2** across all regions and activate scans for **EC2**, **ECR**, **Lambda**, and **Lambda code**.\n\nApply **defense in depth**: auto-enable coverage for new workloads, integrate findings with patching and CI/CD gates, enforce remediation SLAs, and grant only **least privilege** to process and act on findings.",
      "references": [
        "https://hub.prowler.com/check/inspector2_is_enabled"
      ]
    },
    "risk_details": "Absent or partial coverage leaves **unpatched vulnerabilities**, risky **code dependencies**, and **unintended network exposure** undetected.\n\nAttackers can exploit known CVEs for **remote code execution**, **lateral movement**, and **data exfiltration**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inspector2 is not enabled in this account.",
    "metadata": {
      "event_code": "inspector2_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Inspector2 is not enabled in this account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
        "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
        "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr",
          "ksi-mla",
          "ksi-tpr",
          "ksi-mla-07"
        ],
        "AWS-Foundational-Technical-Review": [
          "SECOPS-001"
        ],
        "CSA-CCM-4.0": [
          "AIS-05",
          "AIS-07",
          "TVM-04",
          "TVM-05",
          "TVM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "C5-2025": [
          "OPS-32.01B",
          "PSS-11.01B"
        ],
        "SecNumCloud-3.2": [
          "12.11",
          "14.6",
          "18.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable and configure AWS Inspector",
          "Scan images for vulnerability on upload to ECR"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1"
        ],
        "ENS-RD2022": [
          "op.exp.4.r4.aws.insp.1",
          "op.mon.3.r2.aws.insp.1",
          "op.mon.3.r6.aws.insp.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1562",
          "T1110",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon Inspector 2** activation and coverage across regions, verifying that scanning is active for **EC2**, **ECR**, **Lambda functions**, and **Lambda code** where applicable.\n\nIt flags missing account activation or gaps in any scan type.",
      "title": "Inspector2 is enabled for Amazon EC2 instances, ECR container images, Lambda functions, and Lambda code",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-inspector2_is_enabled-211203495394-ap-south-1-Inspector2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-south-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "Inspector2",
            "arn": "arn:aws:inspector2:ap-south-1:211203495394:inspector2",
            "region": "ap-south-1",
            "status": "DISABLED",
            "ec2_status": "DISABLED",
            "ecr_status": "DISABLED",
            "lambda_status": "DISABLED",
            "lambda_code_status": "DISABLED",
            "active_findings": false
          }
        },
        "group": {
          "name": "inspector2"
        },
        "labels": [],
        "name": "Inspector2",
        "type": "Other",
        "uid": "arn:aws:inspector2:ap-south-1:211203495394:inspector2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-south-1"
    },
    "remediation": {
      "desc": "Enable **Amazon Inspector 2** across all regions and activate scans for **EC2**, **ECR**, **Lambda**, and **Lambda code**.\n\nApply **defense in depth**: auto-enable coverage for new workloads, integrate findings with patching and CI/CD gates, enforce remediation SLAs, and grant only **least privilege** to process and act on findings.",
      "references": [
        "https://hub.prowler.com/check/inspector2_is_enabled"
      ]
    },
    "risk_details": "Absent or partial coverage leaves **unpatched vulnerabilities**, risky **code dependencies**, and **unintended network exposure** undetected.\n\nAttackers can exploit known CVEs for **remote code execution**, **lateral movement**, and **data exfiltration**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inspector2 is not enabled in this account.",
    "metadata": {
      "event_code": "inspector2_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Inspector2 is not enabled in this account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
        "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
        "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr",
          "ksi-mla",
          "ksi-tpr",
          "ksi-mla-07"
        ],
        "AWS-Foundational-Technical-Review": [
          "SECOPS-001"
        ],
        "CSA-CCM-4.0": [
          "AIS-05",
          "AIS-07",
          "TVM-04",
          "TVM-05",
          "TVM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "C5-2025": [
          "OPS-32.01B",
          "PSS-11.01B"
        ],
        "SecNumCloud-3.2": [
          "12.11",
          "14.6",
          "18.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable and configure AWS Inspector",
          "Scan images for vulnerability on upload to ECR"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1"
        ],
        "ENS-RD2022": [
          "op.exp.4.r4.aws.insp.1",
          "op.mon.3.r2.aws.insp.1",
          "op.mon.3.r6.aws.insp.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1562",
          "T1110",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon Inspector 2** activation and coverage across regions, verifying that scanning is active for **EC2**, **ECR**, **Lambda functions**, and **Lambda code** where applicable.\n\nIt flags missing account activation or gaps in any scan type.",
      "title": "Inspector2 is enabled for Amazon EC2 instances, ECR container images, Lambda functions, and Lambda code",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-inspector2_is_enabled-211203495394-ap-southeast-1-Inspector2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "Inspector2",
            "arn": "arn:aws:inspector2:ap-southeast-1:211203495394:inspector2",
            "region": "ap-southeast-1",
            "status": "DISABLED",
            "ec2_status": "DISABLED",
            "ecr_status": "DISABLED",
            "lambda_status": "DISABLED",
            "lambda_code_status": "DISABLED",
            "active_findings": false
          }
        },
        "group": {
          "name": "inspector2"
        },
        "labels": [],
        "name": "Inspector2",
        "type": "Other",
        "uid": "arn:aws:inspector2:ap-southeast-1:211203495394:inspector2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-1"
    },
    "remediation": {
      "desc": "Enable **Amazon Inspector 2** across all regions and activate scans for **EC2**, **ECR**, **Lambda**, and **Lambda code**.\n\nApply **defense in depth**: auto-enable coverage for new workloads, integrate findings with patching and CI/CD gates, enforce remediation SLAs, and grant only **least privilege** to process and act on findings.",
      "references": [
        "https://hub.prowler.com/check/inspector2_is_enabled"
      ]
    },
    "risk_details": "Absent or partial coverage leaves **unpatched vulnerabilities**, risky **code dependencies**, and **unintended network exposure** undetected.\n\nAttackers can exploit known CVEs for **remote code execution**, **lateral movement**, and **data exfiltration**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inspector2 is not enabled in this account.",
    "metadata": {
      "event_code": "inspector2_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Inspector2 is not enabled in this account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
        "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
        "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr",
          "ksi-mla",
          "ksi-tpr",
          "ksi-mla-07"
        ],
        "AWS-Foundational-Technical-Review": [
          "SECOPS-001"
        ],
        "CSA-CCM-4.0": [
          "AIS-05",
          "AIS-07",
          "TVM-04",
          "TVM-05",
          "TVM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "C5-2025": [
          "OPS-32.01B",
          "PSS-11.01B"
        ],
        "SecNumCloud-3.2": [
          "12.11",
          "14.6",
          "18.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable and configure AWS Inspector",
          "Scan images for vulnerability on upload to ECR"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1"
        ],
        "ENS-RD2022": [
          "op.exp.4.r4.aws.insp.1",
          "op.mon.3.r2.aws.insp.1",
          "op.mon.3.r6.aws.insp.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1562",
          "T1110",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon Inspector 2** activation and coverage across regions, verifying that scanning is active for **EC2**, **ECR**, **Lambda functions**, and **Lambda code** where applicable.\n\nIt flags missing account activation or gaps in any scan type.",
      "title": "Inspector2 is enabled for Amazon EC2 instances, ECR container images, Lambda functions, and Lambda code",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-inspector2_is_enabled-211203495394-ap-southeast-2-Inspector2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "Inspector2",
            "arn": "arn:aws:inspector2:ap-southeast-2:211203495394:inspector2",
            "region": "ap-southeast-2",
            "status": "DISABLED",
            "ec2_status": "DISABLED",
            "ecr_status": "DISABLED",
            "lambda_status": "DISABLED",
            "lambda_code_status": "DISABLED",
            "active_findings": false
          }
        },
        "group": {
          "name": "inspector2"
        },
        "labels": [],
        "name": "Inspector2",
        "type": "Other",
        "uid": "arn:aws:inspector2:ap-southeast-2:211203495394:inspector2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-2"
    },
    "remediation": {
      "desc": "Enable **Amazon Inspector 2** across all regions and activate scans for **EC2**, **ECR**, **Lambda**, and **Lambda code**.\n\nApply **defense in depth**: auto-enable coverage for new workloads, integrate findings with patching and CI/CD gates, enforce remediation SLAs, and grant only **least privilege** to process and act on findings.",
      "references": [
        "https://hub.prowler.com/check/inspector2_is_enabled"
      ]
    },
    "risk_details": "Absent or partial coverage leaves **unpatched vulnerabilities**, risky **code dependencies**, and **unintended network exposure** undetected.\n\nAttackers can exploit known CVEs for **remote code execution**, **lateral movement**, and **data exfiltration**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inspector2 is not enabled in this account.",
    "metadata": {
      "event_code": "inspector2_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Inspector2 is not enabled in this account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
        "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
        "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr",
          "ksi-mla",
          "ksi-tpr",
          "ksi-mla-07"
        ],
        "AWS-Foundational-Technical-Review": [
          "SECOPS-001"
        ],
        "CSA-CCM-4.0": [
          "AIS-05",
          "AIS-07",
          "TVM-04",
          "TVM-05",
          "TVM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "C5-2025": [
          "OPS-32.01B",
          "PSS-11.01B"
        ],
        "SecNumCloud-3.2": [
          "12.11",
          "14.6",
          "18.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable and configure AWS Inspector",
          "Scan images for vulnerability on upload to ECR"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1"
        ],
        "ENS-RD2022": [
          "op.exp.4.r4.aws.insp.1",
          "op.mon.3.r2.aws.insp.1",
          "op.mon.3.r6.aws.insp.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1562",
          "T1110",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon Inspector 2** activation and coverage across regions, verifying that scanning is active for **EC2**, **ECR**, **Lambda functions**, and **Lambda code** where applicable.\n\nIt flags missing account activation or gaps in any scan type.",
      "title": "Inspector2 is enabled for Amazon EC2 instances, ECR container images, Lambda functions, and Lambda code",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-inspector2_is_enabled-211203495394-ca-central-1-Inspector2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ca-central-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "Inspector2",
            "arn": "arn:aws:inspector2:ca-central-1:211203495394:inspector2",
            "region": "ca-central-1",
            "status": "DISABLED",
            "ec2_status": "DISABLED",
            "ecr_status": "DISABLED",
            "lambda_status": "DISABLED",
            "lambda_code_status": "DISABLED",
            "active_findings": false
          }
        },
        "group": {
          "name": "inspector2"
        },
        "labels": [],
        "name": "Inspector2",
        "type": "Other",
        "uid": "arn:aws:inspector2:ca-central-1:211203495394:inspector2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ca-central-1"
    },
    "remediation": {
      "desc": "Enable **Amazon Inspector 2** across all regions and activate scans for **EC2**, **ECR**, **Lambda**, and **Lambda code**.\n\nApply **defense in depth**: auto-enable coverage for new workloads, integrate findings with patching and CI/CD gates, enforce remediation SLAs, and grant only **least privilege** to process and act on findings.",
      "references": [
        "https://hub.prowler.com/check/inspector2_is_enabled"
      ]
    },
    "risk_details": "Absent or partial coverage leaves **unpatched vulnerabilities**, risky **code dependencies**, and **unintended network exposure** undetected.\n\nAttackers can exploit known CVEs for **remote code execution**, **lateral movement**, and **data exfiltration**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inspector2 is not enabled in this account.",
    "metadata": {
      "event_code": "inspector2_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Inspector2 is not enabled in this account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
        "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
        "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr",
          "ksi-mla",
          "ksi-tpr",
          "ksi-mla-07"
        ],
        "AWS-Foundational-Technical-Review": [
          "SECOPS-001"
        ],
        "CSA-CCM-4.0": [
          "AIS-05",
          "AIS-07",
          "TVM-04",
          "TVM-05",
          "TVM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "C5-2025": [
          "OPS-32.01B",
          "PSS-11.01B"
        ],
        "SecNumCloud-3.2": [
          "12.11",
          "14.6",
          "18.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable and configure AWS Inspector",
          "Scan images for vulnerability on upload to ECR"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1"
        ],
        "ENS-RD2022": [
          "op.exp.4.r4.aws.insp.1",
          "op.mon.3.r2.aws.insp.1",
          "op.mon.3.r6.aws.insp.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1562",
          "T1110",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon Inspector 2** activation and coverage across regions, verifying that scanning is active for **EC2**, **ECR**, **Lambda functions**, and **Lambda code** where applicable.\n\nIt flags missing account activation or gaps in any scan type.",
      "title": "Inspector2 is enabled for Amazon EC2 instances, ECR container images, Lambda functions, and Lambda code",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-inspector2_is_enabled-211203495394-eu-central-1-Inspector2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-central-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "Inspector2",
            "arn": "arn:aws:inspector2:eu-central-1:211203495394:inspector2",
            "region": "eu-central-1",
            "status": "DISABLED",
            "ec2_status": "DISABLED",
            "ecr_status": "DISABLED",
            "lambda_status": "DISABLED",
            "lambda_code_status": "DISABLED",
            "active_findings": false
          }
        },
        "group": {
          "name": "inspector2"
        },
        "labels": [],
        "name": "Inspector2",
        "type": "Other",
        "uid": "arn:aws:inspector2:eu-central-1:211203495394:inspector2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-central-1"
    },
    "remediation": {
      "desc": "Enable **Amazon Inspector 2** across all regions and activate scans for **EC2**, **ECR**, **Lambda**, and **Lambda code**.\n\nApply **defense in depth**: auto-enable coverage for new workloads, integrate findings with patching and CI/CD gates, enforce remediation SLAs, and grant only **least privilege** to process and act on findings.",
      "references": [
        "https://hub.prowler.com/check/inspector2_is_enabled"
      ]
    },
    "risk_details": "Absent or partial coverage leaves **unpatched vulnerabilities**, risky **code dependencies**, and **unintended network exposure** undetected.\n\nAttackers can exploit known CVEs for **remote code execution**, **lateral movement**, and **data exfiltration**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inspector2 is not enabled in this account.",
    "metadata": {
      "event_code": "inspector2_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Inspector2 is not enabled in this account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
        "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
        "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr",
          "ksi-mla",
          "ksi-tpr",
          "ksi-mla-07"
        ],
        "AWS-Foundational-Technical-Review": [
          "SECOPS-001"
        ],
        "CSA-CCM-4.0": [
          "AIS-05",
          "AIS-07",
          "TVM-04",
          "TVM-05",
          "TVM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "C5-2025": [
          "OPS-32.01B",
          "PSS-11.01B"
        ],
        "SecNumCloud-3.2": [
          "12.11",
          "14.6",
          "18.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable and configure AWS Inspector",
          "Scan images for vulnerability on upload to ECR"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1"
        ],
        "ENS-RD2022": [
          "op.exp.4.r4.aws.insp.1",
          "op.mon.3.r2.aws.insp.1",
          "op.mon.3.r6.aws.insp.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1562",
          "T1110",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon Inspector 2** activation and coverage across regions, verifying that scanning is active for **EC2**, **ECR**, **Lambda functions**, and **Lambda code** where applicable.\n\nIt flags missing account activation or gaps in any scan type.",
      "title": "Inspector2 is enabled for Amazon EC2 instances, ECR container images, Lambda functions, and Lambda code",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-inspector2_is_enabled-211203495394-eu-north-1-Inspector2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-north-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "Inspector2",
            "arn": "arn:aws:inspector2:eu-north-1:211203495394:inspector2",
            "region": "eu-north-1",
            "status": "DISABLED",
            "ec2_status": "DISABLED",
            "ecr_status": "DISABLED",
            "lambda_status": "DISABLED",
            "lambda_code_status": "DISABLED",
            "active_findings": false
          }
        },
        "group": {
          "name": "inspector2"
        },
        "labels": [],
        "name": "Inspector2",
        "type": "Other",
        "uid": "arn:aws:inspector2:eu-north-1:211203495394:inspector2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-north-1"
    },
    "remediation": {
      "desc": "Enable **Amazon Inspector 2** across all regions and activate scans for **EC2**, **ECR**, **Lambda**, and **Lambda code**.\n\nApply **defense in depth**: auto-enable coverage for new workloads, integrate findings with patching and CI/CD gates, enforce remediation SLAs, and grant only **least privilege** to process and act on findings.",
      "references": [
        "https://hub.prowler.com/check/inspector2_is_enabled"
      ]
    },
    "risk_details": "Absent or partial coverage leaves **unpatched vulnerabilities**, risky **code dependencies**, and **unintended network exposure** undetected.\n\nAttackers can exploit known CVEs for **remote code execution**, **lateral movement**, and **data exfiltration**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inspector2 is not enabled in this account.",
    "metadata": {
      "event_code": "inspector2_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Inspector2 is not enabled in this account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
        "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
        "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr",
          "ksi-mla",
          "ksi-tpr",
          "ksi-mla-07"
        ],
        "AWS-Foundational-Technical-Review": [
          "SECOPS-001"
        ],
        "CSA-CCM-4.0": [
          "AIS-05",
          "AIS-07",
          "TVM-04",
          "TVM-05",
          "TVM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "C5-2025": [
          "OPS-32.01B",
          "PSS-11.01B"
        ],
        "SecNumCloud-3.2": [
          "12.11",
          "14.6",
          "18.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable and configure AWS Inspector",
          "Scan images for vulnerability on upload to ECR"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1"
        ],
        "ENS-RD2022": [
          "op.exp.4.r4.aws.insp.1",
          "op.mon.3.r2.aws.insp.1",
          "op.mon.3.r6.aws.insp.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1562",
          "T1110",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon Inspector 2** activation and coverage across regions, verifying that scanning is active for **EC2**, **ECR**, **Lambda functions**, and **Lambda code** where applicable.\n\nIt flags missing account activation or gaps in any scan type.",
      "title": "Inspector2 is enabled for Amazon EC2 instances, ECR container images, Lambda functions, and Lambda code",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-inspector2_is_enabled-211203495394-eu-west-1-Inspector2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "Inspector2",
            "arn": "arn:aws:inspector2:eu-west-1:211203495394:inspector2",
            "region": "eu-west-1",
            "status": "DISABLED",
            "ec2_status": "DISABLED",
            "ecr_status": "DISABLED",
            "lambda_status": "DISABLED",
            "lambda_code_status": "DISABLED",
            "active_findings": false
          }
        },
        "group": {
          "name": "inspector2"
        },
        "labels": [],
        "name": "Inspector2",
        "type": "Other",
        "uid": "arn:aws:inspector2:eu-west-1:211203495394:inspector2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-1"
    },
    "remediation": {
      "desc": "Enable **Amazon Inspector 2** across all regions and activate scans for **EC2**, **ECR**, **Lambda**, and **Lambda code**.\n\nApply **defense in depth**: auto-enable coverage for new workloads, integrate findings with patching and CI/CD gates, enforce remediation SLAs, and grant only **least privilege** to process and act on findings.",
      "references": [
        "https://hub.prowler.com/check/inspector2_is_enabled"
      ]
    },
    "risk_details": "Absent or partial coverage leaves **unpatched vulnerabilities**, risky **code dependencies**, and **unintended network exposure** undetected.\n\nAttackers can exploit known CVEs for **remote code execution**, **lateral movement**, and **data exfiltration**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inspector2 is not enabled in this account.",
    "metadata": {
      "event_code": "inspector2_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Inspector2 is not enabled in this account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
        "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
        "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr",
          "ksi-mla",
          "ksi-tpr",
          "ksi-mla-07"
        ],
        "AWS-Foundational-Technical-Review": [
          "SECOPS-001"
        ],
        "CSA-CCM-4.0": [
          "AIS-05",
          "AIS-07",
          "TVM-04",
          "TVM-05",
          "TVM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "C5-2025": [
          "OPS-32.01B",
          "PSS-11.01B"
        ],
        "SecNumCloud-3.2": [
          "12.11",
          "14.6",
          "18.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable and configure AWS Inspector",
          "Scan images for vulnerability on upload to ECR"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1"
        ],
        "ENS-RD2022": [
          "op.exp.4.r4.aws.insp.1",
          "op.mon.3.r2.aws.insp.1",
          "op.mon.3.r6.aws.insp.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1562",
          "T1110",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon Inspector 2** activation and coverage across regions, verifying that scanning is active for **EC2**, **ECR**, **Lambda functions**, and **Lambda code** where applicable.\n\nIt flags missing account activation or gaps in any scan type.",
      "title": "Inspector2 is enabled for Amazon EC2 instances, ECR container images, Lambda functions, and Lambda code",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-inspector2_is_enabled-211203495394-eu-west-2-Inspector2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "Inspector2",
            "arn": "arn:aws:inspector2:eu-west-2:211203495394:inspector2",
            "region": "eu-west-2",
            "status": "DISABLED",
            "ec2_status": "DISABLED",
            "ecr_status": "DISABLED",
            "lambda_status": "DISABLED",
            "lambda_code_status": "DISABLED",
            "active_findings": false
          }
        },
        "group": {
          "name": "inspector2"
        },
        "labels": [],
        "name": "Inspector2",
        "type": "Other",
        "uid": "arn:aws:inspector2:eu-west-2:211203495394:inspector2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-2"
    },
    "remediation": {
      "desc": "Enable **Amazon Inspector 2** across all regions and activate scans for **EC2**, **ECR**, **Lambda**, and **Lambda code**.\n\nApply **defense in depth**: auto-enable coverage for new workloads, integrate findings with patching and CI/CD gates, enforce remediation SLAs, and grant only **least privilege** to process and act on findings.",
      "references": [
        "https://hub.prowler.com/check/inspector2_is_enabled"
      ]
    },
    "risk_details": "Absent or partial coverage leaves **unpatched vulnerabilities**, risky **code dependencies**, and **unintended network exposure** undetected.\n\nAttackers can exploit known CVEs for **remote code execution**, **lateral movement**, and **data exfiltration**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inspector2 is not enabled in this account.",
    "metadata": {
      "event_code": "inspector2_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Inspector2 is not enabled in this account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
        "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
        "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr",
          "ksi-mla",
          "ksi-tpr",
          "ksi-mla-07"
        ],
        "AWS-Foundational-Technical-Review": [
          "SECOPS-001"
        ],
        "CSA-CCM-4.0": [
          "AIS-05",
          "AIS-07",
          "TVM-04",
          "TVM-05",
          "TVM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "C5-2025": [
          "OPS-32.01B",
          "PSS-11.01B"
        ],
        "SecNumCloud-3.2": [
          "12.11",
          "14.6",
          "18.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable and configure AWS Inspector",
          "Scan images for vulnerability on upload to ECR"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1"
        ],
        "ENS-RD2022": [
          "op.exp.4.r4.aws.insp.1",
          "op.mon.3.r2.aws.insp.1",
          "op.mon.3.r6.aws.insp.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1562",
          "T1110",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon Inspector 2** activation and coverage across regions, verifying that scanning is active for **EC2**, **ECR**, **Lambda functions**, and **Lambda code** where applicable.\n\nIt flags missing account activation or gaps in any scan type.",
      "title": "Inspector2 is enabled for Amazon EC2 instances, ECR container images, Lambda functions, and Lambda code",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-inspector2_is_enabled-211203495394-eu-west-3-Inspector2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-3",
        "data": {
          "details": "",
          "metadata": {
            "id": "Inspector2",
            "arn": "arn:aws:inspector2:eu-west-3:211203495394:inspector2",
            "region": "eu-west-3",
            "status": "DISABLED",
            "ec2_status": "DISABLED",
            "ecr_status": "DISABLED",
            "lambda_status": "DISABLED",
            "lambda_code_status": "DISABLED",
            "active_findings": false
          }
        },
        "group": {
          "name": "inspector2"
        },
        "labels": [],
        "name": "Inspector2",
        "type": "Other",
        "uid": "arn:aws:inspector2:eu-west-3:211203495394:inspector2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-3"
    },
    "remediation": {
      "desc": "Enable **Amazon Inspector 2** across all regions and activate scans for **EC2**, **ECR**, **Lambda**, and **Lambda code**.\n\nApply **defense in depth**: auto-enable coverage for new workloads, integrate findings with patching and CI/CD gates, enforce remediation SLAs, and grant only **least privilege** to process and act on findings.",
      "references": [
        "https://hub.prowler.com/check/inspector2_is_enabled"
      ]
    },
    "risk_details": "Absent or partial coverage leaves **unpatched vulnerabilities**, risky **code dependencies**, and **unintended network exposure** undetected.\n\nAttackers can exploit known CVEs for **remote code execution**, **lateral movement**, and **data exfiltration**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inspector2 is not enabled in this account.",
    "metadata": {
      "event_code": "inspector2_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Inspector2 is not enabled in this account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
        "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
        "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr",
          "ksi-mla",
          "ksi-tpr",
          "ksi-mla-07"
        ],
        "AWS-Foundational-Technical-Review": [
          "SECOPS-001"
        ],
        "CSA-CCM-4.0": [
          "AIS-05",
          "AIS-07",
          "TVM-04",
          "TVM-05",
          "TVM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "C5-2025": [
          "OPS-32.01B",
          "PSS-11.01B"
        ],
        "SecNumCloud-3.2": [
          "12.11",
          "14.6",
          "18.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable and configure AWS Inspector",
          "Scan images for vulnerability on upload to ECR"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1"
        ],
        "ENS-RD2022": [
          "op.exp.4.r4.aws.insp.1",
          "op.mon.3.r2.aws.insp.1",
          "op.mon.3.r6.aws.insp.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1562",
          "T1110",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon Inspector 2** activation and coverage across regions, verifying that scanning is active for **EC2**, **ECR**, **Lambda functions**, and **Lambda code** where applicable.\n\nIt flags missing account activation or gaps in any scan type.",
      "title": "Inspector2 is enabled for Amazon EC2 instances, ECR container images, Lambda functions, and Lambda code",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-inspector2_is_enabled-211203495394-sa-east-1-Inspector2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "sa-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "Inspector2",
            "arn": "arn:aws:inspector2:sa-east-1:211203495394:inspector2",
            "region": "sa-east-1",
            "status": "DISABLED",
            "ec2_status": "DISABLED",
            "ecr_status": "DISABLED",
            "lambda_status": "DISABLED",
            "lambda_code_status": "DISABLED",
            "active_findings": false
          }
        },
        "group": {
          "name": "inspector2"
        },
        "labels": [],
        "name": "Inspector2",
        "type": "Other",
        "uid": "arn:aws:inspector2:sa-east-1:211203495394:inspector2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "sa-east-1"
    },
    "remediation": {
      "desc": "Enable **Amazon Inspector 2** across all regions and activate scans for **EC2**, **ECR**, **Lambda**, and **Lambda code**.\n\nApply **defense in depth**: auto-enable coverage for new workloads, integrate findings with patching and CI/CD gates, enforce remediation SLAs, and grant only **least privilege** to process and act on findings.",
      "references": [
        "https://hub.prowler.com/check/inspector2_is_enabled"
      ]
    },
    "risk_details": "Absent or partial coverage leaves **unpatched vulnerabilities**, risky **code dependencies**, and **unintended network exposure** undetected.\n\nAttackers can exploit known CVEs for **remote code execution**, **lateral movement**, and **data exfiltration**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inspector2 is not enabled in this account.",
    "metadata": {
      "event_code": "inspector2_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Inspector2 is not enabled in this account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
        "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
        "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr",
          "ksi-mla",
          "ksi-tpr",
          "ksi-mla-07"
        ],
        "AWS-Foundational-Technical-Review": [
          "SECOPS-001"
        ],
        "CSA-CCM-4.0": [
          "AIS-05",
          "AIS-07",
          "TVM-04",
          "TVM-05",
          "TVM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "C5-2025": [
          "OPS-32.01B",
          "PSS-11.01B"
        ],
        "SecNumCloud-3.2": [
          "12.11",
          "14.6",
          "18.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable and configure AWS Inspector",
          "Scan images for vulnerability on upload to ECR"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1"
        ],
        "ENS-RD2022": [
          "op.exp.4.r4.aws.insp.1",
          "op.mon.3.r2.aws.insp.1",
          "op.mon.3.r6.aws.insp.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1562",
          "T1110",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon Inspector 2** activation and coverage across regions, verifying that scanning is active for **EC2**, **ECR**, **Lambda functions**, and **Lambda code** where applicable.\n\nIt flags missing account activation or gaps in any scan type.",
      "title": "Inspector2 is enabled for Amazon EC2 instances, ECR container images, Lambda functions, and Lambda code",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-inspector2_is_enabled-211203495394-us-east-1-Inspector2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "Inspector2",
            "arn": "arn:aws:inspector2:us-east-1:211203495394:inspector2",
            "region": "us-east-1",
            "status": "DISABLED",
            "ec2_status": "DISABLED",
            "ecr_status": "DISABLED",
            "lambda_status": "DISABLED",
            "lambda_code_status": "DISABLED",
            "active_findings": false
          }
        },
        "group": {
          "name": "inspector2"
        },
        "labels": [],
        "name": "Inspector2",
        "type": "Other",
        "uid": "arn:aws:inspector2:us-east-1:211203495394:inspector2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enable **Amazon Inspector 2** across all regions and activate scans for **EC2**, **ECR**, **Lambda**, and **Lambda code**.\n\nApply **defense in depth**: auto-enable coverage for new workloads, integrate findings with patching and CI/CD gates, enforce remediation SLAs, and grant only **least privilege** to process and act on findings.",
      "references": [
        "https://hub.prowler.com/check/inspector2_is_enabled"
      ]
    },
    "risk_details": "Absent or partial coverage leaves **unpatched vulnerabilities**, risky **code dependencies**, and **unintended network exposure** undetected.\n\nAttackers can exploit known CVEs for **remote code execution**, **lateral movement**, and **data exfiltration**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inspector2 is not enabled in this account.",
    "metadata": {
      "event_code": "inspector2_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Inspector2 is not enabled in this account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
        "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
        "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr",
          "ksi-mla",
          "ksi-tpr",
          "ksi-mla-07"
        ],
        "AWS-Foundational-Technical-Review": [
          "SECOPS-001"
        ],
        "CSA-CCM-4.0": [
          "AIS-05",
          "AIS-07",
          "TVM-04",
          "TVM-05",
          "TVM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "C5-2025": [
          "OPS-32.01B",
          "PSS-11.01B"
        ],
        "SecNumCloud-3.2": [
          "12.11",
          "14.6",
          "18.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable and configure AWS Inspector",
          "Scan images for vulnerability on upload to ECR"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1"
        ],
        "ENS-RD2022": [
          "op.exp.4.r4.aws.insp.1",
          "op.mon.3.r2.aws.insp.1",
          "op.mon.3.r6.aws.insp.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1562",
          "T1110",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon Inspector 2** activation and coverage across regions, verifying that scanning is active for **EC2**, **ECR**, **Lambda functions**, and **Lambda code** where applicable.\n\nIt flags missing account activation or gaps in any scan type.",
      "title": "Inspector2 is enabled for Amazon EC2 instances, ECR container images, Lambda functions, and Lambda code",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-inspector2_is_enabled-211203495394-us-east-2-Inspector2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "Inspector2",
            "arn": "arn:aws:inspector2:us-east-2:211203495394:inspector2",
            "region": "us-east-2",
            "status": "DISABLED",
            "ec2_status": "DISABLED",
            "ecr_status": "DISABLED",
            "lambda_status": "DISABLED",
            "lambda_code_status": "DISABLED",
            "active_findings": false
          }
        },
        "group": {
          "name": "inspector2"
        },
        "labels": [],
        "name": "Inspector2",
        "type": "Other",
        "uid": "arn:aws:inspector2:us-east-2:211203495394:inspector2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-2"
    },
    "remediation": {
      "desc": "Enable **Amazon Inspector 2** across all regions and activate scans for **EC2**, **ECR**, **Lambda**, and **Lambda code**.\n\nApply **defense in depth**: auto-enable coverage for new workloads, integrate findings with patching and CI/CD gates, enforce remediation SLAs, and grant only **least privilege** to process and act on findings.",
      "references": [
        "https://hub.prowler.com/check/inspector2_is_enabled"
      ]
    },
    "risk_details": "Absent or partial coverage leaves **unpatched vulnerabilities**, risky **code dependencies**, and **unintended network exposure** undetected.\n\nAttackers can exploit known CVEs for **remote code execution**, **lateral movement**, and **data exfiltration**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inspector2 is not enabled in this account.",
    "metadata": {
      "event_code": "inspector2_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Inspector2 is not enabled in this account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
        "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
        "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr",
          "ksi-mla",
          "ksi-tpr",
          "ksi-mla-07"
        ],
        "AWS-Foundational-Technical-Review": [
          "SECOPS-001"
        ],
        "CSA-CCM-4.0": [
          "AIS-05",
          "AIS-07",
          "TVM-04",
          "TVM-05",
          "TVM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "C5-2025": [
          "OPS-32.01B",
          "PSS-11.01B"
        ],
        "SecNumCloud-3.2": [
          "12.11",
          "14.6",
          "18.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable and configure AWS Inspector",
          "Scan images for vulnerability on upload to ECR"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1"
        ],
        "ENS-RD2022": [
          "op.exp.4.r4.aws.insp.1",
          "op.mon.3.r2.aws.insp.1",
          "op.mon.3.r6.aws.insp.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1562",
          "T1110",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon Inspector 2** activation and coverage across regions, verifying that scanning is active for **EC2**, **ECR**, **Lambda functions**, and **Lambda code** where applicable.\n\nIt flags missing account activation or gaps in any scan type.",
      "title": "Inspector2 is enabled for Amazon EC2 instances, ECR container images, Lambda functions, and Lambda code",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-inspector2_is_enabled-211203495394-us-west-1-Inspector2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-1",
        "data": {
          "details": "",
          "metadata": {
            "id": "Inspector2",
            "arn": "arn:aws:inspector2:us-west-1:211203495394:inspector2",
            "region": "us-west-1",
            "status": "DISABLED",
            "ec2_status": "DISABLED",
            "ecr_status": "DISABLED",
            "lambda_status": "DISABLED",
            "lambda_code_status": "DISABLED",
            "active_findings": false
          }
        },
        "group": {
          "name": "inspector2"
        },
        "labels": [],
        "name": "Inspector2",
        "type": "Other",
        "uid": "arn:aws:inspector2:us-west-1:211203495394:inspector2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-1"
    },
    "remediation": {
      "desc": "Enable **Amazon Inspector 2** across all regions and activate scans for **EC2**, **ECR**, **Lambda**, and **Lambda code**.\n\nApply **defense in depth**: auto-enable coverage for new workloads, integrate findings with patching and CI/CD gates, enforce remediation SLAs, and grant only **least privilege** to process and act on findings.",
      "references": [
        "https://hub.prowler.com/check/inspector2_is_enabled"
      ]
    },
    "risk_details": "Absent or partial coverage leaves **unpatched vulnerabilities**, risky **code dependencies**, and **unintended network exposure** undetected.\n\nAttackers can exploit known CVEs for **remote code execution**, **lateral movement**, and **data exfiltration**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Inspector2 is not enabled in this account.",
    "metadata": {
      "event_code": "inspector2_is_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Inspector2 is not enabled in this account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html",
        "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
        "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr",
          "ksi-mla",
          "ksi-tpr",
          "ksi-mla-07"
        ],
        "AWS-Foundational-Technical-Review": [
          "SECOPS-001"
        ],
        "CSA-CCM-4.0": [
          "AIS-05",
          "AIS-07",
          "TVM-04",
          "TVM-05",
          "TVM-07"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.2"
        ],
        "C5-2025": [
          "OPS-32.01B",
          "PSS-11.01B"
        ],
        "SecNumCloud-3.2": [
          "12.11",
          "14.6",
          "18.4"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enable and configure AWS Inspector",
          "Scan images for vulnerability on upload to ECR"
        ],
        "NIST-CSF-2.0": [
          "ip_7",
          "ip_12",
          "cm_1"
        ],
        "ENS-RD2022": [
          "op.exp.4.r4.aws.insp.1",
          "op.mon.3.r2.aws.insp.1",
          "op.mon.3.r6.aws.insp.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1562",
          "T1110",
          "T1046"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Amazon Inspector 2** activation and coverage across regions, verifying that scanning is active for **EC2**, **ECR**, **Lambda functions**, and **Lambda code** where applicable.\n\nIt flags missing account activation or gaps in any scan type.",
      "title": "Inspector2 is enabled for Amazon EC2 instances, ECR container images, Lambda functions, and Lambda code",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-inspector2_is_enabled-211203495394-us-west-2-Inspector2"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-2",
        "data": {
          "details": "",
          "metadata": {
            "id": "Inspector2",
            "arn": "arn:aws:inspector2:us-west-2:211203495394:inspector2",
            "region": "us-west-2",
            "status": "DISABLED",
            "ec2_status": "DISABLED",
            "ecr_status": "DISABLED",
            "lambda_status": "DISABLED",
            "lambda_code_status": "DISABLED",
            "active_findings": false
          }
        },
        "group": {
          "name": "inspector2"
        },
        "labels": [],
        "name": "Inspector2",
        "type": "Other",
        "uid": "arn:aws:inspector2:us-west-2:211203495394:inspector2"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-2"
    },
    "remediation": {
      "desc": "Enable **Amazon Inspector 2** across all regions and activate scans for **EC2**, **ECR**, **Lambda**, and **Lambda code**.\n\nApply **defense in depth**: auto-enable coverage for new workloads, integrate findings with patching and CI/CD gates, enforce remediation SLAs, and grant only **least privilege** to process and act on findings.",
      "references": [
        "https://hub.prowler.com/check/inspector2_is_enabled"
      ]
    },
    "risk_details": "Absent or partial coverage leaves **unpatched vulnerabilities**, risky **code dependencies**, and **unintended network exposure** undetected.\n\nAttackers can exploit known CVEs for **remote code execution**, **lateral movement**, and **data exfiltration**, degrading **confidentiality**, **integrity**, and **availability**.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Organizations is not in-use for this AWS Account.",
    "metadata": {
      "event_code": "organizations_account_part_of_organizations",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Organizations is not in-use for this AWS Account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_view_org.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-piy"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_1_1"
        ],
        "PCI-4.0": [
          "7.2.1.1",
          "7.2.2.1",
          "7.2.5.1",
          "7.3.1.1",
          "7.3.2.1",
          "7.3.3.1",
          "8.2.7.1",
          "8.2.8.1",
          "8.3.4.1"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC01-BP01",
          "SEC03-BP05",
          "SEC08-BP04"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "ISO27001-2022": [
          "A.8.3"
        ],
        "SecNumCloud-3.2": [
          "9.6",
          "12.3",
          "14.4"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "rr_1",
          "rr_2",
          "po_3",
          "po_4",
          "am_6"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.1",
          "op.acc.4.aws.iam.8"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1087",
          "T1580",
          "T1538"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS account** membership in **AWS Organizations** with organization status `ACTIVE`.\n\nAssesses if the account is associated with an organization and that the organization state is `ACTIVE`.",
      "title": "AWS account is a member of an active AWS Organization",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-organizations_account_part_of_organizations-211203495394-us-east-1-unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:organizations::211203495394:unknown",
            "id": "unknown",
            "status": "NOT_AVAILABLE",
            "master_id": "",
            "policies": {},
            "delegated_administrators": null
          }
        },
        "group": {
          "name": "organizations"
        },
        "labels": [],
        "name": "unknown",
        "type": "Other",
        "uid": "arn:aws:organizations::211203495394:unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Operate all accounts under **AWS Organizations** (preferably with *all features*). Structure OUs, enforce **SCPs** for least privilege, and apply separation of duties between management and member accounts. Centralize logging and billing to support defense-in-depth, and routinely review org membership and policies.",
      "references": [
        "https://hub.prowler.com/check/organizations_account_part_of_organizations"
      ]
    },
    "risk_details": "Absence of **AWS Organizations** weakens governance across accounts. Without **SCP guardrails** and centralized policy, excessive permissions, unsafe network settings, or risky services may be enabled, threatening **confidentiality** and **integrity**. Fragmented logging and response slow containment, impacting **availability** and increasing cost exposure.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Organizations is not in-use for this AWS Account.",
    "metadata": {
      "event_code": "organizations_opt_out_ai_services_policy",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Organizations is not in-use for this AWS Account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "gen-ai"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/organizations/latest/userguide/disable-policy-type.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out_all.html",
        "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out_syntax.html"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "rr_1",
          "rr_2",
          "po_3"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Organizations** is assessed for an AI services opt-out policy that sets `services.default.opt_out_policy` to `optOut` and blocks child overrides via `@@operators_allowed_for_child_policies` set to `@@none`.",
      "title": "AWS Organization has opted out of all AI services and child accounts cannot override the policy",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Effects/Data Exposure"
      ],
      "uid": "prowler-aws-organizations_opt_out_ai_services_policy-211203495394-us-east-1-unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:organizations::211203495394:unknown",
            "id": "unknown",
            "status": "NOT_AVAILABLE",
            "master_id": "",
            "policies": {},
            "delegated_administrators": null
          }
        },
        "group": {
          "name": "organizations"
        },
        "labels": [],
        "name": "unknown",
        "type": "Other",
        "uid": "arn:aws:organizations::211203495394:unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Establish an org-wide AI services opt-out: set the default to `optOut` and prohibit child policy overrides (`@@none`). Apply at the highest scope, gate exceptions through change control, and review periodically. Align with **least privilege** and **data minimization** to prevent unintended content sharing with managed AI services.",
      "references": [
        "https://hub.prowler.com/check/organizations_opt_out_ai_services_policy"
      ]
    },
    "risk_details": "Without an enforced opt-out, AI services may store and use your content for model training, weakening **confidentiality** and **data sovereignty**. If child accounts can override, they can re-enable data use, risking unintended cross-Region retention and exposure of logs, documents, or code processed by these services.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Organizations is not in-use for this AWS Account.",
    "metadata": {
      "event_code": "organizations_scp_check_deny_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Organizations is not in-use for this AWS Account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "identity-access"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-iam",
          "ksi-piy"
        ],
        "CCC-v2025.10": [
          "CCC.Core.CN06.AR01",
          "CCC.Core.CN06.AR02"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2"
        ],
        "C5-2025": [
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS",
          "PSS-12.02AC"
        ],
        "SecNumCloud-3.2": [
          "9.1",
          "19.2"
        ],
        "AWS-Account-Security-Onboarding": [
          "Block unused regions"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "rr_1",
          "rr_2",
          "po_3",
          "po_4",
          "ov_3"
        ],
        "ENS-RD2022": [
          "op.acc.4.aws.iam.1",
          "op.acc.4.aws.iam.8"
        ],
        "MITRE-ATTACK": [
          "T1078",
          "T1535"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Organizations SCPs** limit account actions to approved regions using conditions on `aws:RequestedRegion`.\n\nThis evaluates whether policies exist and fully restrict access to the configured allowlist, rather than only some regions.",
      "title": "AWS Organization restricts operations to only the configured AWS Regions with SCP policies",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
      ],
      "uid": "prowler-aws-organizations_scp_check_deny_regions-211203495394-us-east-1-unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:organizations::211203495394:unknown",
            "id": "unknown",
            "status": "NOT_AVAILABLE",
            "master_id": "",
            "policies": {},
            "delegated_administrators": null
          }
        },
        "group": {
          "name": "organizations"
        },
        "labels": [],
        "name": "unknown",
        "type": "Other",
        "uid": "arn:aws:organizations::211203495394:unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enforce Region governance with **SCPs** that allow only approved regions via `aws:RequestedRegion` conditions (deny-by-default).\n\nApply across relevant OUs and accounts, with narrow exceptions for required global services. Review often; align to least privilege, data residency, and continuous monitoring.",
      "references": [
        "https://hub.prowler.com/check/organizations_scp_check_deny_regions"
      ]
    },
    "risk_details": "Without comprehensive Region limits, users or attackers can deploy resources in ungoverned locations, bypassing monitoring and guardrails.\n\nImpacts:\n- Data outside approved jurisdictions (confidentiality)\n- Policy gaps and drift (integrity)\n- IR blind spots and unexpected cost (availability)",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "AWS Organizations is not in-use for this AWS Account.",
    "metadata": {
      "event_code": "organizations_tags_policies_enabled_and_attached",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "AWS Organizations is not in-use for this AWS Account.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "11.5.2.a"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-piy"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.1.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.1.3"
        ],
        "C5-2025": [
          "AM-09.01B"
        ],
        "ISO27001-2022": [
          "A.5.13"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "ov_3"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.sys.2",
          "op.exp.1.aws.tag.1",
          "op.exp.10.aws.tag.1",
          "mp.info.6.aws.tag.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Organizations** tag policies are evaluated for their presence and attachment to organization targets (accounts or OUs), distinguishing between no policies, policies defined but not attached, and policies attached to at least one target.",
      "title": "AWS Organization has tag policies enabled and attached",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-organizations_tags_policies_enabled_and_attached-211203495394-us-east-1-unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:organizations::211203495394:unknown",
            "id": "unknown",
            "status": "NOT_AVAILABLE",
            "master_id": "",
            "policies": {},
            "delegated_administrators": null
          }
        },
        "group": {
          "name": "organizations"
        },
        "labels": [],
        "name": "unknown",
        "type": "Other",
        "uid": "arn:aws:organizations::211203495394:unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Enable **tag policies** and attach them to relevant roots/OUs/accounts. Define mandatory keys (e.g., `Environment`, `CostCenter`) with allowed values. Apply **defense in depth** by using tags in IAM conditions and SCPs. Start with validation-only, then enforce, and continuously monitor compliance across accounts.",
      "references": [
        "https://hub.prowler.com/check/organizations_tags_policies_enabled_and_attached"
      ]
    },
    "risk_details": "Absent or unattached tag policies cause inconsistent or missing tags, undermining:\n- **Confidentiality** via bypassed tag-based access conditions\n- **Integrity** through misclassified resources and drift\n- **Availability** when automation, cost routing, or incident scoping that rely on tags break",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No Resource Explorer Indexes found.",
    "metadata": {
      "event_code": "resourceexplorer2_indexes_found",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No Resource Explorer Indexes found.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "forensics-ready"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/resource-explorer/latest/userguide/manage-service-turn-on-region.html"
      ],
      "notes": "",
      "compliance": {
        "CSA-CCM-4.0": [
          "DCS-06"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.9.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.2"
        ],
        "ENS-RD2022": [
          "op.exp.1.aws.re.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Resource Explorer** has user-owned **indexes** present in the account. The assessment determines whether at least one index exists in any enabled Region for resource cataloging and search.",
      "title": "Resource Explorer indexes exist",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-resourceexplorer2_indexes_found-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "resourceexplorer2"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:resource-explorer:us-east-1:211203495394:index"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Create **Resource Explorer indexes** in all active Regions and designate an **aggregator index** for cross-Region search. Apply least-privilege access to views, align with tagging standards, and routinely verify indexing status. This improves inventory accuracy, supports defense-in-depth, and speeds detection and remediation.",
      "references": [
        "https://hub.prowler.com/check/resourceexplorer2_indexes_found"
      ]
    },
    "risk_details": "Absent indexes reduce asset visibility, creating blind spots where misconfigured or orphaned resources go unnoticed. This degrades **confidentiality** (unseen public exposure), **integrity** (unauthorized changes undetected), and **availability** (slower containment and recovery), prolonging incident response and enabling lateral movement.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security Hub is not enabled.",
    "metadata": {
      "event_code": "securityhub_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Security Hub is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.16"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management"
        ],
        "CIS-2.0": [
          "4.16"
        ],
        "CSA-CCM-4.0": [
          "A&A-02",
          "A&A-04",
          "CCC-07",
          "GRC-05",
          "LOG-03",
          "SEF-06"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.31",
          "10.4.1.1.5",
          "10.4.1.4",
          "10.4.2.5",
          "10.6.3.36",
          "10.7.1.6",
          "10.7.2.6",
          "A3.3.1.9",
          "A3.5.1.9"
        ],
        "FFIEC": [
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.17"
        ],
        "CIS-4.0.1": [
          "4.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "ISO27001-2022": [
          "A.5.1",
          "A.8.23"
        ],
        "SecNumCloud-3.2": [
          "12.9",
          "16.2",
          "18.3",
          "18.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "sa_10",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5",
          "ds_8"
        ],
        "CIS-5.0": [
          "4.16"
        ],
        "CIS-1.5": [
          "4.16"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Verify that events are present in SecurityHub aggregated view",
          "Deploy solution to alert on at least critical new findings",
          "Apply SecurityHub Central Configuration for Organization",
          "Enable/disable additional standards and controls",
          "Confirm that findings are being visible in the aggregated view",
          "Ensure that there are no critical (and considered critical) findings present in account"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "sa-10",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.7.aws.sh.1",
          "op.mon.2.aws.sh.1",
          "op.mon.3.r1.aws.sh.1",
          "op.mon.3.r2.aws.sh.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1530",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Security Hub** is `ACTIVE` in the Region and has at least one enabled **security standard** or connected **integration**. Otherwise, it is either not enabled or enabled without standards/integrations.",
      "title": "Security Hub is enabled with standards or integrations configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards"
      ],
      "uid": "prowler-aws-securityhub_enabled-211203495394-ap-northeast-1-hub/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:securityhub:ap-northeast-1:211203495394:hub/unknown",
            "id": "hub/unknown",
            "status": "NOT_AVAILABLE",
            "standards": "",
            "integrations": "",
            "region": "ap-northeast-1",
            "tags": null
          }
        },
        "group": {
          "name": "securityhub"
        },
        "labels": [],
        "name": "hub/unknown",
        "type": "Other",
        "uid": "arn:aws:securityhub:ap-northeast-1:211203495394:hub/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-1"
    },
    "remediation": {
      "desc": "- Enable in all required accounts/Regions\n- Turn on relevant **standards** (`AWS FSBP`, `CIS`)\n- Connect AWS and third-party **integrations**\n- Use **central configuration** and **least privilege**\n- Automate triage and monitor continuously for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/securityhub_enabled"
      ]
    },
    "risk_details": "Absent **Security Hub coverage** or standards, security signals are fragmented and **control checks** don't run. High-risk findings can be missed or delayed, enabling data exfiltration, persistence, and lateral movement. This reduces **visibility** and undermines **confidentiality, integrity, and availability** across accounts/Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security Hub is not enabled.",
    "metadata": {
      "event_code": "securityhub_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Security Hub is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.16"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management"
        ],
        "CIS-2.0": [
          "4.16"
        ],
        "CSA-CCM-4.0": [
          "A&A-02",
          "A&A-04",
          "CCC-07",
          "GRC-05",
          "LOG-03",
          "SEF-06"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.31",
          "10.4.1.1.5",
          "10.4.1.4",
          "10.4.2.5",
          "10.6.3.36",
          "10.7.1.6",
          "10.7.2.6",
          "A3.3.1.9",
          "A3.5.1.9"
        ],
        "FFIEC": [
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.17"
        ],
        "CIS-4.0.1": [
          "4.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "ISO27001-2022": [
          "A.5.1",
          "A.8.23"
        ],
        "SecNumCloud-3.2": [
          "12.9",
          "16.2",
          "18.3",
          "18.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "sa_10",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5",
          "ds_8"
        ],
        "CIS-5.0": [
          "4.16"
        ],
        "CIS-1.5": [
          "4.16"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Verify that events are present in SecurityHub aggregated view",
          "Deploy solution to alert on at least critical new findings",
          "Apply SecurityHub Central Configuration for Organization",
          "Enable/disable additional standards and controls",
          "Confirm that findings are being visible in the aggregated view",
          "Ensure that there are no critical (and considered critical) findings present in account"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "sa-10",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.7.aws.sh.1",
          "op.mon.2.aws.sh.1",
          "op.mon.3.r1.aws.sh.1",
          "op.mon.3.r2.aws.sh.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1530",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Security Hub** is `ACTIVE` in the Region and has at least one enabled **security standard** or connected **integration**. Otherwise, it is either not enabled or enabled without standards/integrations.",
      "title": "Security Hub is enabled with standards or integrations configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards"
      ],
      "uid": "prowler-aws-securityhub_enabled-211203495394-ap-northeast-2-hub/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-2",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:securityhub:ap-northeast-2:211203495394:hub/unknown",
            "id": "hub/unknown",
            "status": "NOT_AVAILABLE",
            "standards": "",
            "integrations": "",
            "region": "ap-northeast-2",
            "tags": null
          }
        },
        "group": {
          "name": "securityhub"
        },
        "labels": [],
        "name": "hub/unknown",
        "type": "Other",
        "uid": "arn:aws:securityhub:ap-northeast-2:211203495394:hub/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-2"
    },
    "remediation": {
      "desc": "- Enable **Security Hub** in all required accounts/Regions\n- Turn on relevant **standards** (`AWS FSBP`, `CIS`)\n- Connect AWS and third-party **integrations**\n- Use **central configuration** and **least privilege**\n- Automate triage and monitor continuously for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/securityhub_enabled"
      ]
    },
    "risk_details": "Without **Security Hub coverage** or enabled standards, security signals are fragmented and **control checks** don't run. High-risk findings can be missed or delayed, enabling data exfiltration, persistence, and lateral movement. This reduces **visibility** and undermines **confidentiality, integrity, and availability** across accounts/Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security Hub is not enabled.",
    "metadata": {
      "event_code": "securityhub_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Security Hub is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.16"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management"
        ],
        "CIS-2.0": [
          "4.16"
        ],
        "CSA-CCM-4.0": [
          "A&A-02",
          "A&A-04",
          "CCC-07",
          "GRC-05",
          "LOG-03",
          "SEF-06"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.31",
          "10.4.1.1.5",
          "10.4.1.4",
          "10.4.2.5",
          "10.6.3.36",
          "10.7.1.6",
          "10.7.2.6",
          "A3.3.1.9",
          "A3.5.1.9"
        ],
        "FFIEC": [
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.17"
        ],
        "CIS-4.0.1": [
          "4.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "ISO27001-2022": [
          "A.5.1",
          "A.8.23"
        ],
        "SecNumCloud-3.2": [
          "12.9",
          "16.2",
          "18.3",
          "18.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "sa_10",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5",
          "ds_8"
        ],
        "CIS-5.0": [
          "4.16"
        ],
        "CIS-1.5": [
          "4.16"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Verify that events are present in SecurityHub aggregated view",
          "Deploy solution to alert on at least critical new findings",
          "Apply SecurityHub Central Configuration for Organization",
          "Enable/disable additional standards and controls",
          "Confirm that findings are being visible in the aggregated view",
          "Ensure that there are no critical (and considered critical) findings present in account"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "sa-10",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.7.aws.sh.1",
          "op.mon.2.aws.sh.1",
          "op.mon.3.r1.aws.sh.1",
          "op.mon.3.r2.aws.sh.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1530",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Security Hub** is `ACTIVE` in the Region and has at least one enabled **security standard** or connected **integration**. Otherwise, it is either not enabled or enabled without standards/integrations.",
      "title": "Security Hub is enabled with standards or integrations configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards"
      ],
      "uid": "prowler-aws-securityhub_enabled-211203495394-ap-northeast-3-hub/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-northeast-3",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:securityhub:ap-northeast-3:211203495394:hub/unknown",
            "id": "hub/unknown",
            "status": "NOT_AVAILABLE",
            "standards": "",
            "integrations": "",
            "region": "ap-northeast-3",
            "tags": null
          }
        },
        "group": {
          "name": "securityhub"
        },
        "labels": [],
        "name": "hub/unknown",
        "type": "Other",
        "uid": "arn:aws:securityhub:ap-northeast-3:211203495394:hub/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-northeast-3"
    },
    "remediation": {
      "desc": "- Enable **Security Hub** in all required accounts/Regions\n- Turn on relevant **standards** (`AWS FSBP`, `CIS`)\n- Connect AWS and third-party **integrations**\n- Use **central configuration** and **least privilege**\n- Automate triage and monitor continuously for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/securityhub_enabled"
      ]
    },
    "risk_details": "Without **Security Hub coverage** or enabled standards, security signals are fragmented and **control checks** don't run. High-risk findings can be missed or delayed, enabling data exfiltration, persistence, and lateral movement. This reduces **visibility** and undermines **confidentiality, integrity, and availability** across accounts/Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security Hub is not enabled.",
    "metadata": {
      "event_code": "securityhub_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Security Hub is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.16"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management"
        ],
        "CIS-2.0": [
          "4.16"
        ],
        "CSA-CCM-4.0": [
          "A&A-02",
          "A&A-04",
          "CCC-07",
          "GRC-05",
          "LOG-03",
          "SEF-06"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.31",
          "10.4.1.1.5",
          "10.4.1.4",
          "10.4.2.5",
          "10.6.3.36",
          "10.7.1.6",
          "10.7.2.6",
          "A3.3.1.9",
          "A3.5.1.9"
        ],
        "FFIEC": [
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.17"
        ],
        "CIS-4.0.1": [
          "4.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "ISO27001-2022": [
          "A.5.1",
          "A.8.23"
        ],
        "SecNumCloud-3.2": [
          "12.9",
          "16.2",
          "18.3",
          "18.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "sa_10",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5",
          "ds_8"
        ],
        "CIS-5.0": [
          "4.16"
        ],
        "CIS-1.5": [
          "4.16"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Verify that events are present in SecurityHub aggregated view",
          "Deploy solution to alert on at least critical new findings",
          "Apply SecurityHub Central Configuration for Organization",
          "Enable/disable additional standards and controls",
          "Confirm that findings are being visible in the aggregated view",
          "Ensure that there are no critical (and considered critical) findings present in account"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "sa-10",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.7.aws.sh.1",
          "op.mon.2.aws.sh.1",
          "op.mon.3.r1.aws.sh.1",
          "op.mon.3.r2.aws.sh.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1530",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Security Hub** is `ACTIVE` in the Region and has at least one enabled **security standard** or connected **integration**. Otherwise, it is either not enabled or enabled without standards/integrations.",
      "title": "Security Hub is enabled with standards or integrations configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards"
      ],
      "uid": "prowler-aws-securityhub_enabled-211203495394-ap-south-1-hub/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-south-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:securityhub:ap-south-1:211203495394:hub/unknown",
            "id": "hub/unknown",
            "status": "NOT_AVAILABLE",
            "standards": "",
            "integrations": "",
            "region": "ap-south-1",
            "tags": null
          }
        },
        "group": {
          "name": "securityhub"
        },
        "labels": [],
        "name": "hub/unknown",
        "type": "Other",
        "uid": "arn:aws:securityhub:ap-south-1:211203495394:hub/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-south-1"
    },
    "remediation": {
      "desc": "- Enable **Security Hub** in all required accounts/Regions\n- Turn on relevant **standards** (`AWS FSBP`, `CIS`)\n- Connect AWS and third-party **integrations**\n- Use **central configuration** and **least privilege**\n- Automate triage and monitor continuously for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/securityhub_enabled"
      ]
    },
    "risk_details": "Without **Security Hub coverage** or enabled standards, security signals are fragmented and **control checks** don't run. High-risk findings can be missed or delayed, enabling data exfiltration, persistence, and lateral movement. This reduces **visibility** and undermines **confidentiality, integrity, and availability** across accounts/Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security Hub is not enabled.",
    "metadata": {
      "event_code": "securityhub_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Security Hub is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.16"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management"
        ],
        "CIS-2.0": [
          "4.16"
        ],
        "CSA-CCM-4.0": [
          "A&A-02",
          "A&A-04",
          "CCC-07",
          "GRC-05",
          "LOG-03",
          "SEF-06"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.31",
          "10.4.1.1.5",
          "10.4.1.4",
          "10.4.2.5",
          "10.6.3.36",
          "10.7.1.6",
          "10.7.2.6",
          "A3.3.1.9",
          "A3.5.1.9"
        ],
        "FFIEC": [
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.17"
        ],
        "CIS-4.0.1": [
          "4.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "ISO27001-2022": [
          "A.5.1",
          "A.8.23"
        ],
        "SecNumCloud-3.2": [
          "12.9",
          "16.2",
          "18.3",
          "18.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "sa_10",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5",
          "ds_8"
        ],
        "CIS-5.0": [
          "4.16"
        ],
        "CIS-1.5": [
          "4.16"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Verify that events are present in SecurityHub aggregated view",
          "Deploy solution to alert on at least critical new findings",
          "Apply SecurityHub Central Configuration for Organization",
          "Enable/disable additional standards and controls",
          "Confirm that findings are being visible in the aggregated view",
          "Ensure that there are no critical (and considered critical) findings present in account"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "sa-10",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.7.aws.sh.1",
          "op.mon.2.aws.sh.1",
          "op.mon.3.r1.aws.sh.1",
          "op.mon.3.r2.aws.sh.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1530",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Security Hub** is `ACTIVE` in the Region and has at least one enabled **security standard** or connected **integration**. Otherwise, it is either not enabled or enabled without standards/integrations.",
      "title": "Security Hub is enabled with standards or integrations configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards"
      ],
      "uid": "prowler-aws-securityhub_enabled-211203495394-ap-southeast-1-hub/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:securityhub:ap-southeast-1:211203495394:hub/unknown",
            "id": "hub/unknown",
            "status": "NOT_AVAILABLE",
            "standards": "",
            "integrations": "",
            "region": "ap-southeast-1",
            "tags": null
          }
        },
        "group": {
          "name": "securityhub"
        },
        "labels": [],
        "name": "hub/unknown",
        "type": "Other",
        "uid": "arn:aws:securityhub:ap-southeast-1:211203495394:hub/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-1"
    },
    "remediation": {
      "desc": "- Enable **Security Hub** in all required accounts/Regions\n- Turn on relevant **standards** (`AWS FSBP`, `CIS`)\n- Connect AWS and third-party **integrations**\n- Use **central configuration** and **least privilege**\n- Automate triage and monitor continuously for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/securityhub_enabled"
      ]
    },
    "risk_details": "Without **Security Hub coverage** or enabled standards, security signals are fragmented and **control checks** don't run. High-risk findings can be missed or delayed, enabling data exfiltration, persistence, and lateral movement. This reduces **visibility** and undermines **confidentiality, integrity, and availability** across accounts/Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security Hub is not enabled.",
    "metadata": {
      "event_code": "securityhub_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Security Hub is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.16"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management"
        ],
        "CIS-2.0": [
          "4.16"
        ],
        "CSA-CCM-4.0": [
          "A&A-02",
          "A&A-04",
          "CCC-07",
          "GRC-05",
          "LOG-03",
          "SEF-06"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.31",
          "10.4.1.1.5",
          "10.4.1.4",
          "10.4.2.5",
          "10.6.3.36",
          "10.7.1.6",
          "10.7.2.6",
          "A3.3.1.9",
          "A3.5.1.9"
        ],
        "FFIEC": [
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.17"
        ],
        "CIS-4.0.1": [
          "4.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "ISO27001-2022": [
          "A.5.1",
          "A.8.23"
        ],
        "SecNumCloud-3.2": [
          "12.9",
          "16.2",
          "18.3",
          "18.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "sa_10",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5",
          "ds_8"
        ],
        "CIS-5.0": [
          "4.16"
        ],
        "CIS-1.5": [
          "4.16"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Verify that events are present in SecurityHub aggregated view",
          "Deploy solution to alert on at least critical new findings",
          "Apply SecurityHub Central Configuration for Organization",
          "Enable/disable additional standards and controls",
          "Confirm that findings are being visible in the aggregated view",
          "Ensure that there are no critical (and considered critical) findings present in account"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "sa-10",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.7.aws.sh.1",
          "op.mon.2.aws.sh.1",
          "op.mon.3.r1.aws.sh.1",
          "op.mon.3.r2.aws.sh.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1530",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Security Hub** is `ACTIVE` in the Region and has at least one enabled **security standard** or connected **integration**. Otherwise, it is either not enabled or enabled without standards/integrations.",
      "title": "Security Hub is enabled with standards or integrations configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards"
      ],
      "uid": "prowler-aws-securityhub_enabled-211203495394-ap-southeast-2-hub/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ap-southeast-2",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:securityhub:ap-southeast-2:211203495394:hub/unknown",
            "id": "hub/unknown",
            "status": "NOT_AVAILABLE",
            "standards": "",
            "integrations": "",
            "region": "ap-southeast-2",
            "tags": null
          }
        },
        "group": {
          "name": "securityhub"
        },
        "labels": [],
        "name": "hub/unknown",
        "type": "Other",
        "uid": "arn:aws:securityhub:ap-southeast-2:211203495394:hub/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ap-southeast-2"
    },
    "remediation": {
      "desc": "- Enable in all required accounts/Regions\n- Turn on relevant **standards** (`AWS FSBP`, `CIS`)\n- Connect AWS and third-party **integrations**\n- Use **central configuration** and **least privilege**\n- Automate triage and monitor continuously for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/securityhub_enabled"
      ]
    },
    "risk_details": "Absent **Security Hub coverage** or standards, security signals are fragmented and **control checks** don't run. High-risk findings can be missed or delayed, enabling data exfiltration, persistence, and lateral movement. This reduces **visibility** and undermines **confidentiality, integrity, and availability** across accounts/Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security Hub is not enabled.",
    "metadata": {
      "event_code": "securityhub_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Security Hub is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.16"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management"
        ],
        "CIS-2.0": [
          "4.16"
        ],
        "CSA-CCM-4.0": [
          "A&A-02",
          "A&A-04",
          "CCC-07",
          "GRC-05",
          "LOG-03",
          "SEF-06"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.31",
          "10.4.1.1.5",
          "10.4.1.4",
          "10.4.2.5",
          "10.6.3.36",
          "10.7.1.6",
          "10.7.2.6",
          "A3.3.1.9",
          "A3.5.1.9"
        ],
        "FFIEC": [
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.17"
        ],
        "CIS-4.0.1": [
          "4.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "ISO27001-2022": [
          "A.5.1",
          "A.8.23"
        ],
        "SecNumCloud-3.2": [
          "12.9",
          "16.2",
          "18.3",
          "18.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "sa_10",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5",
          "ds_8"
        ],
        "CIS-5.0": [
          "4.16"
        ],
        "CIS-1.5": [
          "4.16"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Verify that events are present in SecurityHub aggregated view",
          "Deploy solution to alert on at least critical new findings",
          "Apply SecurityHub Central Configuration for Organization",
          "Enable/disable additional standards and controls",
          "Confirm that findings are being visible in the aggregated view",
          "Ensure that there are no critical (and considered critical) findings present in account"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "sa-10",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.7.aws.sh.1",
          "op.mon.2.aws.sh.1",
          "op.mon.3.r1.aws.sh.1",
          "op.mon.3.r2.aws.sh.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1530",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Security Hub** is `ACTIVE` in the Region and has at least one enabled **security standard** or connected **integration**. Otherwise, it is either not enabled or enabled without standards/integrations.",
      "title": "Security Hub is enabled with standards or integrations configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards"
      ],
      "uid": "prowler-aws-securityhub_enabled-211203495394-ca-central-1-hub/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "ca-central-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:securityhub:ca-central-1:211203495394:hub/unknown",
            "id": "hub/unknown",
            "status": "NOT_AVAILABLE",
            "standards": "",
            "integrations": "",
            "region": "ca-central-1",
            "tags": null
          }
        },
        "group": {
          "name": "securityhub"
        },
        "labels": [],
        "name": "hub/unknown",
        "type": "Other",
        "uid": "arn:aws:securityhub:ca-central-1:211203495394:hub/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "ca-central-1"
    },
    "remediation": {
      "desc": "- Enable in all required accounts/Regions\n- Turn on relevant **standards** (`AWS FSBP`, `CIS`)\n- Connect AWS and third-party **integrations**\n- Use **central configuration** and **least privilege**\n- Automate triage and monitor continuously for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/securityhub_enabled"
      ]
    },
    "risk_details": "Absent **Security Hub coverage** or standards, security signals are fragmented and **control checks** don't run. High-risk findings can be missed or delayed, enabling data exfiltration, persistence, and lateral movement. This reduces **visibility** and undermines **confidentiality, integrity, and availability** across accounts/Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security Hub is not enabled.",
    "metadata": {
      "event_code": "securityhub_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Security Hub is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.16"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management"
        ],
        "CIS-2.0": [
          "4.16"
        ],
        "CSA-CCM-4.0": [
          "A&A-02",
          "A&A-04",
          "CCC-07",
          "GRC-05",
          "LOG-03",
          "SEF-06"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.31",
          "10.4.1.1.5",
          "10.4.1.4",
          "10.4.2.5",
          "10.6.3.36",
          "10.7.1.6",
          "10.7.2.6",
          "A3.3.1.9",
          "A3.5.1.9"
        ],
        "FFIEC": [
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.17"
        ],
        "CIS-4.0.1": [
          "4.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "ISO27001-2022": [
          "A.5.1",
          "A.8.23"
        ],
        "SecNumCloud-3.2": [
          "12.9",
          "16.2",
          "18.3",
          "18.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "sa_10",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5",
          "ds_8"
        ],
        "CIS-5.0": [
          "4.16"
        ],
        "CIS-1.5": [
          "4.16"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Verify that events are present in SecurityHub aggregated view",
          "Deploy solution to alert on at least critical new findings",
          "Apply SecurityHub Central Configuration for Organization",
          "Enable/disable additional standards and controls",
          "Confirm that findings are being visible in the aggregated view",
          "Ensure that there are no critical (and considered critical) findings present in account"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "sa-10",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.7.aws.sh.1",
          "op.mon.2.aws.sh.1",
          "op.mon.3.r1.aws.sh.1",
          "op.mon.3.r2.aws.sh.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1530",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Security Hub** is `ACTIVE` in the Region and has at least one enabled **security standard** or connected **integration**. Otherwise, it is either not enabled or enabled without standards/integrations.",
      "title": "Security Hub is enabled with standards or integrations configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards"
      ],
      "uid": "prowler-aws-securityhub_enabled-211203495394-eu-central-1-hub/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-central-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:securityhub:eu-central-1:211203495394:hub/unknown",
            "id": "hub/unknown",
            "status": "NOT_AVAILABLE",
            "standards": "",
            "integrations": "",
            "region": "eu-central-1",
            "tags": null
          }
        },
        "group": {
          "name": "securityhub"
        },
        "labels": [],
        "name": "hub/unknown",
        "type": "Other",
        "uid": "arn:aws:securityhub:eu-central-1:211203495394:hub/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-central-1"
    },
    "remediation": {
      "desc": "- Enable in all required accounts/Regions\n- Turn on relevant **standards** (`AWS FSBP`, `CIS`)\n- Connect AWS and third-party **integrations**\n- Use **central configuration** and **least privilege**\n- Automate triage and monitor continuously for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/securityhub_enabled"
      ]
    },
    "risk_details": "Absent **Security Hub coverage** or standards, security signals are fragmented and **control checks** don't run. High-risk findings can be missed or delayed, enabling data exfiltration, persistence, and lateral movement. This reduces **visibility** and undermines **confidentiality, integrity, and availability** across accounts/Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security Hub is not enabled.",
    "metadata": {
      "event_code": "securityhub_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Security Hub is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.16"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management"
        ],
        "CIS-2.0": [
          "4.16"
        ],
        "CSA-CCM-4.0": [
          "A&A-02",
          "A&A-04",
          "CCC-07",
          "GRC-05",
          "LOG-03",
          "SEF-06"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.31",
          "10.4.1.1.5",
          "10.4.1.4",
          "10.4.2.5",
          "10.6.3.36",
          "10.7.1.6",
          "10.7.2.6",
          "A3.3.1.9",
          "A3.5.1.9"
        ],
        "FFIEC": [
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.17"
        ],
        "CIS-4.0.1": [
          "4.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "ISO27001-2022": [
          "A.5.1",
          "A.8.23"
        ],
        "SecNumCloud-3.2": [
          "12.9",
          "16.2",
          "18.3",
          "18.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "sa_10",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5",
          "ds_8"
        ],
        "CIS-5.0": [
          "4.16"
        ],
        "CIS-1.5": [
          "4.16"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Verify that events are present in SecurityHub aggregated view",
          "Deploy solution to alert on at least critical new findings",
          "Apply SecurityHub Central Configuration for Organization",
          "Enable/disable additional standards and controls",
          "Confirm that findings are being visible in the aggregated view",
          "Ensure that there are no critical (and considered critical) findings present in account"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "sa-10",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.7.aws.sh.1",
          "op.mon.2.aws.sh.1",
          "op.mon.3.r1.aws.sh.1",
          "op.mon.3.r2.aws.sh.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1530",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Security Hub** is `ACTIVE` in the Region and has at least one enabled **security standard** or connected **integration**. Otherwise, it is either not enabled or enabled without standards/integrations.",
      "title": "Security Hub is enabled with standards or integrations configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards"
      ],
      "uid": "prowler-aws-securityhub_enabled-211203495394-eu-north-1-hub/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-north-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:securityhub:eu-north-1:211203495394:hub/unknown",
            "id": "hub/unknown",
            "status": "NOT_AVAILABLE",
            "standards": "",
            "integrations": "",
            "region": "eu-north-1",
            "tags": null
          }
        },
        "group": {
          "name": "securityhub"
        },
        "labels": [],
        "name": "hub/unknown",
        "type": "Other",
        "uid": "arn:aws:securityhub:eu-north-1:211203495394:hub/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-north-1"
    },
    "remediation": {
      "desc": "- Enable in all required accounts/Regions\n- Turn on relevant **standards** (`AWS FSBP`, `CIS`)\n- Connect AWS and third-party **integrations**\n- Use **central configuration** and **least privilege**\n- Automate triage and monitor continuously for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/securityhub_enabled"
      ]
    },
    "risk_details": "Absent **Security Hub coverage** or standards, security signals are fragmented and **control checks** don't run. High-risk findings can be missed or delayed, enabling data exfiltration, persistence, and lateral movement. This reduces **visibility** and undermines **confidentiality, integrity, and availability** across accounts/Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security Hub is not enabled.",
    "metadata": {
      "event_code": "securityhub_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Security Hub is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.16"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management"
        ],
        "CIS-2.0": [
          "4.16"
        ],
        "CSA-CCM-4.0": [
          "A&A-02",
          "A&A-04",
          "CCC-07",
          "GRC-05",
          "LOG-03",
          "SEF-06"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.31",
          "10.4.1.1.5",
          "10.4.1.4",
          "10.4.2.5",
          "10.6.3.36",
          "10.7.1.6",
          "10.7.2.6",
          "A3.3.1.9",
          "A3.5.1.9"
        ],
        "FFIEC": [
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.17"
        ],
        "CIS-4.0.1": [
          "4.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "ISO27001-2022": [
          "A.5.1",
          "A.8.23"
        ],
        "SecNumCloud-3.2": [
          "12.9",
          "16.2",
          "18.3",
          "18.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "sa_10",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5",
          "ds_8"
        ],
        "CIS-5.0": [
          "4.16"
        ],
        "CIS-1.5": [
          "4.16"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Verify that events are present in SecurityHub aggregated view",
          "Deploy solution to alert on at least critical new findings",
          "Apply SecurityHub Central Configuration for Organization",
          "Enable/disable additional standards and controls",
          "Confirm that findings are being visible in the aggregated view",
          "Ensure that there are no critical (and considered critical) findings present in account"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "sa-10",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.7.aws.sh.1",
          "op.mon.2.aws.sh.1",
          "op.mon.3.r1.aws.sh.1",
          "op.mon.3.r2.aws.sh.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1530",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Security Hub** is `ACTIVE` in the Region and has at least one enabled **security standard** or connected **integration**. Otherwise, it is either not enabled or enabled without standards/integrations.",
      "title": "Security Hub is enabled with standards or integrations configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards"
      ],
      "uid": "prowler-aws-securityhub_enabled-211203495394-eu-west-1-hub/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:securityhub:eu-west-1:211203495394:hub/unknown",
            "id": "hub/unknown",
            "status": "NOT_AVAILABLE",
            "standards": "",
            "integrations": "",
            "region": "eu-west-1",
            "tags": null
          }
        },
        "group": {
          "name": "securityhub"
        },
        "labels": [],
        "name": "hub/unknown",
        "type": "Other",
        "uid": "arn:aws:securityhub:eu-west-1:211203495394:hub/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-1"
    },
    "remediation": {
      "desc": "- Enable in all required accounts/Regions\n- Turn on relevant **standards** (`AWS FSBP`, `CIS`)\n- Connect AWS and third-party **integrations**\n- Use **central configuration** and **least privilege**\n- Automate triage and monitor continuously for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/securityhub_enabled"
      ]
    },
    "risk_details": "Absent **Security Hub coverage** or standards, security signals are fragmented and **control checks** don't run. High-risk findings can be missed or delayed, enabling data exfiltration, persistence, and lateral movement. This reduces **visibility** and undermines **confidentiality, integrity, and availability** across accounts/Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security Hub is not enabled.",
    "metadata": {
      "event_code": "securityhub_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Security Hub is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.16"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management"
        ],
        "CIS-2.0": [
          "4.16"
        ],
        "CSA-CCM-4.0": [
          "A&A-02",
          "A&A-04",
          "CCC-07",
          "GRC-05",
          "LOG-03",
          "SEF-06"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.31",
          "10.4.1.1.5",
          "10.4.1.4",
          "10.4.2.5",
          "10.6.3.36",
          "10.7.1.6",
          "10.7.2.6",
          "A3.3.1.9",
          "A3.5.1.9"
        ],
        "FFIEC": [
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.17"
        ],
        "CIS-4.0.1": [
          "4.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "ISO27001-2022": [
          "A.5.1",
          "A.8.23"
        ],
        "SecNumCloud-3.2": [
          "12.9",
          "16.2",
          "18.3",
          "18.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "sa_10",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5",
          "ds_8"
        ],
        "CIS-5.0": [
          "4.16"
        ],
        "CIS-1.5": [
          "4.16"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Verify that events are present in SecurityHub aggregated view",
          "Deploy solution to alert on at least critical new findings",
          "Apply SecurityHub Central Configuration for Organization",
          "Enable/disable additional standards and controls",
          "Confirm that findings are being visible in the aggregated view",
          "Ensure that there are no critical (and considered critical) findings present in account"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "sa-10",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.7.aws.sh.1",
          "op.mon.2.aws.sh.1",
          "op.mon.3.r1.aws.sh.1",
          "op.mon.3.r2.aws.sh.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1530",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Security Hub** is `ACTIVE` in the Region and has at least one enabled **security standard** or connected **integration**. Otherwise, it is either not enabled or enabled without standards/integrations.",
      "title": "Security Hub is enabled with standards or integrations configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards"
      ],
      "uid": "prowler-aws-securityhub_enabled-211203495394-eu-west-2-hub/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-2",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:securityhub:eu-west-2:211203495394:hub/unknown",
            "id": "hub/unknown",
            "status": "NOT_AVAILABLE",
            "standards": "",
            "integrations": "",
            "region": "eu-west-2",
            "tags": null
          }
        },
        "group": {
          "name": "securityhub"
        },
        "labels": [],
        "name": "hub/unknown",
        "type": "Other",
        "uid": "arn:aws:securityhub:eu-west-2:211203495394:hub/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-2"
    },
    "remediation": {
      "desc": "- Enable in all required accounts/Regions\n- Turn on relevant **standards** (`AWS FSBP`, `CIS`)\n- Connect AWS and third-party **integrations**\n- Use **central configuration** and **least privilege**\n- Automate triage and monitor continuously for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/securityhub_enabled"
      ]
    },
    "risk_details": "Absent **Security Hub coverage** or standards, security signals are fragmented and **control checks** don't run. High-risk findings can be missed or delayed, enabling data exfiltration, persistence, and lateral movement. This reduces **visibility** and undermines **confidentiality, integrity, and availability** across accounts/Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security Hub is not enabled.",
    "metadata": {
      "event_code": "securityhub_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Security Hub is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.16"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management"
        ],
        "CIS-2.0": [
          "4.16"
        ],
        "CSA-CCM-4.0": [
          "A&A-02",
          "A&A-04",
          "CCC-07",
          "GRC-05",
          "LOG-03",
          "SEF-06"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.31",
          "10.4.1.1.5",
          "10.4.1.4",
          "10.4.2.5",
          "10.6.3.36",
          "10.7.1.6",
          "10.7.2.6",
          "A3.3.1.9",
          "A3.5.1.9"
        ],
        "FFIEC": [
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.17"
        ],
        "CIS-4.0.1": [
          "4.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "ISO27001-2022": [
          "A.5.1",
          "A.8.23"
        ],
        "SecNumCloud-3.2": [
          "12.9",
          "16.2",
          "18.3",
          "18.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "sa_10",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5",
          "ds_8"
        ],
        "CIS-5.0": [
          "4.16"
        ],
        "CIS-1.5": [
          "4.16"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Verify that events are present in SecurityHub aggregated view",
          "Deploy solution to alert on at least critical new findings",
          "Apply SecurityHub Central Configuration for Organization",
          "Enable/disable additional standards and controls",
          "Confirm that findings are being visible in the aggregated view",
          "Ensure that there are no critical (and considered critical) findings present in account"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "sa-10",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.7.aws.sh.1",
          "op.mon.2.aws.sh.1",
          "op.mon.3.r1.aws.sh.1",
          "op.mon.3.r2.aws.sh.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1530",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Security Hub** is `ACTIVE` in the Region and has at least one enabled **security standard** or connected **integration**. Otherwise, it is either not enabled or enabled without standards/integrations.",
      "title": "Security Hub is enabled with standards or integrations configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards"
      ],
      "uid": "prowler-aws-securityhub_enabled-211203495394-eu-west-3-hub/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "eu-west-3",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:securityhub:eu-west-3:211203495394:hub/unknown",
            "id": "hub/unknown",
            "status": "NOT_AVAILABLE",
            "standards": "",
            "integrations": "",
            "region": "eu-west-3",
            "tags": null
          }
        },
        "group": {
          "name": "securityhub"
        },
        "labels": [],
        "name": "hub/unknown",
        "type": "Other",
        "uid": "arn:aws:securityhub:eu-west-3:211203495394:hub/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "eu-west-3"
    },
    "remediation": {
      "desc": "- Enable in all required accounts/Regions\n- Turn on relevant **standards** (`AWS FSBP`, `CIS`)\n- Connect AWS and third-party **integrations**\n- Use **central configuration** and **least privilege**\n- Automate triage and monitor continuously for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/securityhub_enabled"
      ]
    },
    "risk_details": "Absent **Security Hub coverage** or standards, security signals are fragmented and **control checks** don't run. High-risk findings can be missed or delayed, enabling data exfiltration, persistence, and lateral movement. This reduces **visibility** and undermines **confidentiality, integrity, and availability** across accounts/Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security Hub is not enabled.",
    "metadata": {
      "event_code": "securityhub_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Security Hub is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.16"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management"
        ],
        "CIS-2.0": [
          "4.16"
        ],
        "CSA-CCM-4.0": [
          "A&A-02",
          "A&A-04",
          "CCC-07",
          "GRC-05",
          "LOG-03",
          "SEF-06"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.31",
          "10.4.1.1.5",
          "10.4.1.4",
          "10.4.2.5",
          "10.6.3.36",
          "10.7.1.6",
          "10.7.2.6",
          "A3.3.1.9",
          "A3.5.1.9"
        ],
        "FFIEC": [
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.17"
        ],
        "CIS-4.0.1": [
          "4.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "ISO27001-2022": [
          "A.5.1",
          "A.8.23"
        ],
        "SecNumCloud-3.2": [
          "12.9",
          "16.2",
          "18.3",
          "18.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "sa_10",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5",
          "ds_8"
        ],
        "CIS-5.0": [
          "4.16"
        ],
        "CIS-1.5": [
          "4.16"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Verify that events are present in SecurityHub aggregated view",
          "Deploy solution to alert on at least critical new findings",
          "Apply SecurityHub Central Configuration for Organization",
          "Enable/disable additional standards and controls",
          "Confirm that findings are being visible in the aggregated view",
          "Ensure that there are no critical (and considered critical) findings present in account"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "sa-10",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.7.aws.sh.1",
          "op.mon.2.aws.sh.1",
          "op.mon.3.r1.aws.sh.1",
          "op.mon.3.r2.aws.sh.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1530",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Security Hub** is `ACTIVE` in the Region and has at least one enabled **security standard** or connected **integration**. Otherwise, it is either not enabled or enabled without standards/integrations.",
      "title": "Security Hub is enabled with standards or integrations configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards"
      ],
      "uid": "prowler-aws-securityhub_enabled-211203495394-sa-east-1-hub/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "sa-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:securityhub:sa-east-1:211203495394:hub/unknown",
            "id": "hub/unknown",
            "status": "NOT_AVAILABLE",
            "standards": "",
            "integrations": "",
            "region": "sa-east-1",
            "tags": null
          }
        },
        "group": {
          "name": "securityhub"
        },
        "labels": [],
        "name": "hub/unknown",
        "type": "Other",
        "uid": "arn:aws:securityhub:sa-east-1:211203495394:hub/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "sa-east-1"
    },
    "remediation": {
      "desc": "- Enable in all required accounts/Regions\n- Turn on relevant **standards** (`AWS FSBP`, `CIS`)\n- Connect AWS and third-party **integrations**\n- Use **central configuration** and **least privilege**\n- Automate triage and monitor continuously for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/securityhub_enabled"
      ]
    },
    "risk_details": "Absent **Security Hub coverage** or standards, security signals are fragmented and **control checks** don't run. High-risk findings can be missed or delayed, enabling data exfiltration, persistence, and lateral movement. This reduces **visibility** and undermines **confidentiality, integrity, and availability** across accounts/Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security Hub is not enabled.",
    "metadata": {
      "event_code": "securityhub_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Security Hub is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.16"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management"
        ],
        "CIS-2.0": [
          "4.16"
        ],
        "CSA-CCM-4.0": [
          "A&A-02",
          "A&A-04",
          "CCC-07",
          "GRC-05",
          "LOG-03",
          "SEF-06"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.31",
          "10.4.1.1.5",
          "10.4.1.4",
          "10.4.2.5",
          "10.6.3.36",
          "10.7.1.6",
          "10.7.2.6",
          "A3.3.1.9",
          "A3.5.1.9"
        ],
        "FFIEC": [
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.17"
        ],
        "CIS-4.0.1": [
          "4.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "ISO27001-2022": [
          "A.5.1",
          "A.8.23"
        ],
        "SecNumCloud-3.2": [
          "12.9",
          "16.2",
          "18.3",
          "18.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "sa_10",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5",
          "ds_8"
        ],
        "CIS-5.0": [
          "4.16"
        ],
        "CIS-1.5": [
          "4.16"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Verify that events are present in SecurityHub aggregated view",
          "Deploy solution to alert on at least critical new findings",
          "Apply SecurityHub Central Configuration for Organization",
          "Enable/disable additional standards and controls",
          "Confirm that findings are being visible in the aggregated view",
          "Ensure that there are no critical (and considered critical) findings present in account"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "sa-10",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.7.aws.sh.1",
          "op.mon.2.aws.sh.1",
          "op.mon.3.r1.aws.sh.1",
          "op.mon.3.r2.aws.sh.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1530",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Security Hub** is `ACTIVE` in the Region and has at least one enabled **security standard** or connected **integration**. Otherwise, it is either not enabled or enabled without standards/integrations.",
      "title": "Security Hub is enabled with standards or integrations configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards"
      ],
      "uid": "prowler-aws-securityhub_enabled-211203495394-us-east-1-hub/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:securityhub:us-east-1:211203495394:hub/unknown",
            "id": "hub/unknown",
            "status": "NOT_AVAILABLE",
            "standards": "",
            "integrations": "",
            "region": "us-east-1",
            "tags": null
          }
        },
        "group": {
          "name": "securityhub"
        },
        "labels": [],
        "name": "hub/unknown",
        "type": "Other",
        "uid": "arn:aws:securityhub:us-east-1:211203495394:hub/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "- Enable in all required accounts/Regions\n- Turn on relevant **standards** (`AWS FSBP`, `CIS`)\n- Connect AWS and third-party **integrations**\n- Use **central configuration** and **least privilege**\n- Automate triage and monitor continuously for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/securityhub_enabled"
      ]
    },
    "risk_details": "Absent **Security Hub coverage** or standards, security signals are fragmented and **control checks** don't run. High-risk findings can be missed or delayed, enabling data exfiltration, persistence, and lateral movement. This reduces **visibility** and undermines **confidentiality, integrity, and availability** across accounts/Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security Hub is not enabled.",
    "metadata": {
      "event_code": "securityhub_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Security Hub is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.16"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management"
        ],
        "CIS-2.0": [
          "4.16"
        ],
        "CSA-CCM-4.0": [
          "A&A-02",
          "A&A-04",
          "CCC-07",
          "GRC-05",
          "LOG-03",
          "SEF-06"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.31",
          "10.4.1.1.5",
          "10.4.1.4",
          "10.4.2.5",
          "10.6.3.36",
          "10.7.1.6",
          "10.7.2.6",
          "A3.3.1.9",
          "A3.5.1.9"
        ],
        "FFIEC": [
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.17"
        ],
        "CIS-4.0.1": [
          "4.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "ISO27001-2022": [
          "A.5.1",
          "A.8.23"
        ],
        "SecNumCloud-3.2": [
          "12.9",
          "16.2",
          "18.3",
          "18.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "sa_10",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5",
          "ds_8"
        ],
        "CIS-5.0": [
          "4.16"
        ],
        "CIS-1.5": [
          "4.16"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Verify that events are present in SecurityHub aggregated view",
          "Deploy solution to alert on at least critical new findings",
          "Apply SecurityHub Central Configuration for Organization",
          "Enable/disable additional standards and controls",
          "Confirm that findings are being visible in the aggregated view",
          "Ensure that there are no critical (and considered critical) findings present in account"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "sa-10",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.7.aws.sh.1",
          "op.mon.2.aws.sh.1",
          "op.mon.3.r1.aws.sh.1",
          "op.mon.3.r2.aws.sh.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1530",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Security Hub** is `ACTIVE` in the Region and has at least one enabled **security standard** or connected **integration**. Otherwise, it is either not enabled or enabled without standards/integrations.",
      "title": "Security Hub is enabled with standards or integrations configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards"
      ],
      "uid": "prowler-aws-securityhub_enabled-211203495394-us-east-2-hub/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-2",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:securityhub:us-east-2:211203495394:hub/unknown",
            "id": "hub/unknown",
            "status": "NOT_AVAILABLE",
            "standards": "",
            "integrations": "",
            "region": "us-east-2",
            "tags": null
          }
        },
        "group": {
          "name": "securityhub"
        },
        "labels": [],
        "name": "hub/unknown",
        "type": "Other",
        "uid": "arn:aws:securityhub:us-east-2:211203495394:hub/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-2"
    },
    "remediation": {
      "desc": "- Enable in all required accounts/Regions\n- Turn on relevant **standards** (`AWS FSBP`, `CIS`)\n- Connect AWS and third-party **integrations**\n- Use **central configuration** and **least privilege**\n- Automate triage and monitor continuously for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/securityhub_enabled"
      ]
    },
    "risk_details": "Absent **Security Hub coverage** or standards, security signals are fragmented and **control checks** don't run. High-risk findings can be missed or delayed, enabling data exfiltration, persistence, and lateral movement. This reduces **visibility** and undermines **confidentiality, integrity, and availability** across accounts/Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security Hub is not enabled.",
    "metadata": {
      "event_code": "securityhub_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Security Hub is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.16"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management"
        ],
        "CIS-2.0": [
          "4.16"
        ],
        "CSA-CCM-4.0": [
          "A&A-02",
          "A&A-04",
          "CCC-07",
          "GRC-05",
          "LOG-03",
          "SEF-06"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.31",
          "10.4.1.1.5",
          "10.4.1.4",
          "10.4.2.5",
          "10.6.3.36",
          "10.7.1.6",
          "10.7.2.6",
          "A3.3.1.9",
          "A3.5.1.9"
        ],
        "FFIEC": [
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.17"
        ],
        "CIS-4.0.1": [
          "4.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "ISO27001-2022": [
          "A.5.1",
          "A.8.23"
        ],
        "SecNumCloud-3.2": [
          "12.9",
          "16.2",
          "18.3",
          "18.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "sa_10",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5",
          "ds_8"
        ],
        "CIS-5.0": [
          "4.16"
        ],
        "CIS-1.5": [
          "4.16"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Verify that events are present in SecurityHub aggregated view",
          "Deploy solution to alert on at least critical new findings",
          "Apply SecurityHub Central Configuration for Organization",
          "Enable/disable additional standards and controls",
          "Confirm that findings are being visible in the aggregated view",
          "Ensure that there are no critical (and considered critical) findings present in account"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "sa-10",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.7.aws.sh.1",
          "op.mon.2.aws.sh.1",
          "op.mon.3.r1.aws.sh.1",
          "op.mon.3.r2.aws.sh.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1530",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Security Hub** is `ACTIVE` in the Region and has at least one enabled **security standard** or connected **integration**. Otherwise, it is either not enabled or enabled without standards/integrations.",
      "title": "Security Hub is enabled with standards or integrations configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards"
      ],
      "uid": "prowler-aws-securityhub_enabled-211203495394-us-west-1-hub/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-1",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:securityhub:us-west-1:211203495394:hub/unknown",
            "id": "hub/unknown",
            "status": "NOT_AVAILABLE",
            "standards": "",
            "integrations": "",
            "region": "us-west-1",
            "tags": null
          }
        },
        "group": {
          "name": "securityhub"
        },
        "labels": [],
        "name": "hub/unknown",
        "type": "Other",
        "uid": "arn:aws:securityhub:us-west-1:211203495394:hub/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-1"
    },
    "remediation": {
      "desc": "- Enable **Security Hub** in all required accounts/Regions\n- Turn on relevant **standards** (`AWS FSBP`, `CIS`)\n- Connect AWS and third-party **integrations**\n- Use **central configuration** and **least privilege**\n- Automate triage and monitor continuously for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/securityhub_enabled"
      ]
    },
    "risk_details": "Absent **Security Hub coverage** or standards, security signals are fragmented and **control checks** don't run. High-risk findings can be missed or delayed, enabling data exfiltration, persistence, and lateral movement. This reduces **visibility** and undermines **confidentiality, integrity, and availability** across accounts/Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Security Hub is not enabled.",
    "metadata": {
      "event_code": "securityhub_enabled",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 4,
    "severity": "High",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Security Hub is not enabled.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html",
        "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html"
      ],
      "notes": "",
      "compliance": {
        "HIPAA": [
          "164_308_a_1_ii_d",
          "164_308_a_3_ii_a",
          "164_308_a_5_ii_c",
          "164_308_a_6_i",
          "164_308_a_6_ii",
          "164_308_a_8",
          "164_312_b",
          "164_312_e_2_i"
        ],
        "FedRAMP-Low-Revision-4": [
          "ac-2",
          "ac-17",
          "ca-7",
          "ir-4"
        ],
        "CIS-6.0": [
          "5.16"
        ],
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-inr"
        ],
        "NIST-800-53-Revision-5": [
          "au_6_1",
          "au_6_5",
          "au_12_3",
          "au_14_a",
          "au_14_b",
          "ca_2_d",
          "ca_7",
          "ca_7_b",
          "pm_14_a_1",
          "pm_14_b",
          "pm_31"
        ],
        "RBI-Cyber-Security-Framework": [
          "annex_i_7_4"
        ],
        "GxP-EU-Annex-11": [
          "1-risk-management"
        ],
        "CIS-2.0": [
          "4.16"
        ],
        "CSA-CCM-4.0": [
          "A&A-02",
          "A&A-04",
          "CCC-07",
          "GRC-05",
          "LOG-03",
          "SEF-06"
        ],
        "CISA": [
          "your-systems-3",
          "your-crisis-response-2"
        ],
        "PCI-4.0": [
          "10.2.1.1.31",
          "10.4.1.1.5",
          "10.4.1.4",
          "10.4.2.5",
          "10.6.3.36",
          "10.7.1.6",
          "10.7.2.6",
          "A3.3.1.9",
          "A3.5.1.9"
        ],
        "FFIEC": [
          "d2-is-is-b-1",
          "d2-ti-ti-b-1",
          "d2-ti-ti-b-2",
          "d2-ti-ti-b-3",
          "d3-dc-an-b-1",
          "d3-dc-an-b-2",
          "d3-dc-ev-b-3",
          "d3-dc-th-b-1",
          "d5-dr-de-b-1",
          "d5-dr-de-b-3"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2"
        ],
        "ProwlerThreatScore-1.0": [
          "3.3.17"
        ],
        "CIS-4.0.1": [
          "4.16"
        ],
        "AWS-Well-Architected-Framework-Security-Pillar": [
          "SEC04-BP04"
        ],
        "CIS-3.0": [
          "4.16"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2"
        ],
        "SOC2": [
          "cc_3_1",
          "cc_6_8",
          "cc_7_1",
          "cc_7_2",
          "cc_7_3",
          "cc_7_4"
        ],
        "ISO27001-2022": [
          "A.5.1",
          "A.8.23"
        ],
        "SecNumCloud-3.2": [
          "12.9",
          "16.2",
          "18.3",
          "18.4"
        ],
        "NIST-800-53-Revision-4": [
          "ac_2_1",
          "ac_2_4",
          "ac_2_12",
          "ac_2",
          "ac_17_1",
          "au_6_1",
          "au_6_3",
          "ca_7",
          "sa_10",
          "si_4_2",
          "si_4_4",
          "si_4_5",
          "si_4_16",
          "si_4"
        ],
        "NIST-CSF-1.1": [
          "ae_2",
          "ae_4",
          "cm_1",
          "cm_2",
          "cm_3",
          "cm_4",
          "cm_5",
          "cm_6",
          "cm_7",
          "cp_4",
          "ra_1",
          "ra_2",
          "ra_3",
          "ra_5",
          "sc_4",
          "ds_5",
          "ds_8"
        ],
        "CIS-5.0": [
          "4.16"
        ],
        "CIS-1.5": [
          "4.16"
        ],
        "AWS-Account-Security-Onboarding": [
          "Enabled security services",
          "Verify that events are present in SecurityHub aggregated view",
          "Deploy solution to alert on at least critical new findings",
          "Apply SecurityHub Central Configuration for Organization",
          "Enable/disable additional standards and controls",
          "Confirm that findings are being visible in the aggregated view",
          "Ensure that there are no critical (and considered critical) findings present in account"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ],
        "FedRamp-Moderate-Revision-4": [
          "ac-2-1",
          "ac-2-4",
          "ac-2-12-a",
          "ac-2-g",
          "ac-17-1",
          "au-6-1-3",
          "ca-7-a-b",
          "ir-4-1",
          "ir-4-1",
          "ir-6-1",
          "ir-7-1",
          "sa-10",
          "si-4-16",
          "si-4-2",
          "si-4-4",
          "si-4-5",
          "si-4-a-b-c"
        ],
        "GxP-21-CFR-Part-11": [
          "11.300-d"
        ],
        "NIST-800-171-Revision-2": [
          "3_1_12",
          "3_3_1",
          "3_3_4",
          "3_3_5",
          "3_6_1",
          "3_6_2",
          "3_11_2",
          "3_11_3",
          "3_12_4",
          "3_13_1",
          "3_14_1",
          "3_14_2",
          "3_14_3",
          "3_14_6",
          "3_14_7"
        ],
        "ENS-RD2022": [
          "op.exp.7.aws.sh.1",
          "op.mon.2.aws.sh.1",
          "op.mon.3.r1.aws.sh.1",
          "op.mon.3.r2.aws.sh.1"
        ],
        "MITRE-ATTACK": [
          "T1190",
          "T1078",
          "T1098",
          "T1562",
          "T1110",
          "T1530",
          "T1580"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Security Hub** is `ACTIVE` in the Region and has at least one enabled **security standard** or connected **integration**. Otherwise, it is either not enabled or enabled without standards/integrations.",
      "title": "Security Hub is enabled with standards or integrations configured",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards"
      ],
      "uid": "prowler-aws-securityhub_enabled-211203495394-us-west-2-hub/unknown"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-west-2",
        "data": {
          "details": "",
          "metadata": {
            "arn": "arn:aws:securityhub:us-west-2:211203495394:hub/unknown",
            "id": "hub/unknown",
            "status": "NOT_AVAILABLE",
            "standards": "",
            "integrations": "",
            "region": "us-west-2",
            "tags": null
          }
        },
        "group": {
          "name": "securityhub"
        },
        "labels": [],
        "name": "hub/unknown",
        "type": "Other",
        "uid": "arn:aws:securityhub:us-west-2:211203495394:hub/unknown"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-west-2"
    },
    "remediation": {
      "desc": "- Enable **Security Hub** in all required accounts/Regions\n- Turn on relevant **standards** (`AWS FSBP`, `CIS`)\n- Connect AWS and third-party **integrations**\n- Use **central configuration** and **least privilege**\n- Automate triage and monitor continuously for **defense in depth**",
      "references": [
        "https://hub.prowler.com/check/securityhub_enabled"
      ]
    },
    "risk_details": "Absent **Security Hub coverage** or standards, security signals are fragmented and **control checks** don't run. High-risk findings can be missed or delayed, enabling data exfiltration, persistence, and lateral movement. This reduces **visibility** and undermines **confidentiality, integrity, and availability** across accounts/Regions.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "No SSM Incidents replication set exists.",
    "metadata": {
      "event_code": "ssmincidents_enabled_with_plans",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "No SSM Incidents replication set exists.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/incident-manager/latest/userguide/response-plans.html"
      ],
      "notes": "",
      "compliance": {
        "NIS2": [
          "2.1.1",
          "2.1.2.a",
          "2.1.2.i",
          "3.1.1",
          "3.1.2.a",
          "3.1.2.c",
          "3.1.2.d",
          "3.5.1",
          "3.6.1",
          "3.6.2",
          "3.6.3",
          "4.3.1",
          "5.1.7.b",
          "12.1.2.c",
          "12.2.2.b"
        ],
        "CSA-CCM-4.0": [
          "BCR-09",
          "SEF-03"
        ],
        "KISA-ISMS-P-2023-korean": [
          "2.10.2",
          "2.11.1"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.2",
          "2.11.1"
        ],
        "C5-2025": [
          "OIS-03.02B",
          "OIS-03.05B",
          "OIS-03.06B",
          "OIS-05.03B",
          "OIS-08.01B",
          "OIS-08.09B",
          "OPS-13.02B",
          "OPS-13.03AC",
          "OPS-22.08B",
          "DEV-15.01B",
          "SIM-01.02AC",
          "SIM-02.01B",
          "SIM-03.01B",
          "SIM-03.04B",
          "SIM-04.01B",
          "SIM-06.01B",
          "BCM-01.05B"
        ],
        "NIST-CSF-2.0": [
          "ip_9",
          "rp_1"
        ],
        "ENS-RD2022": [
          "op.exp.9.aws.img.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**Incident Manager** uses a **replication set** and **response plans**. This evaluates whether a replication set exists and is `ACTIVE`, and that at least one response plan is configured for coordinated incident handling.",
      "title": "SSM Incidents replication set is ACTIVE and has at least one response plan",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Software and Configuration Checks/Industry and Regulatory Standards/NIST CSF Controls (USA)"
      ],
      "uid": "prowler-aws-ssmincidents_enabled_with_plans-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "ssmincidents"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:ssm-incidents:us-east-1:211203495394:replication-set"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Establish an `ACTIVE` **replication set** and create **response plans** that define engagement, escalation, runbooks, severity, and communication.\n\nApply **least privilege** to automation roles, test plans regularly, integrate with monitoring to trigger them, and use **defense in depth** with redundant contacts and Regions.",
      "references": [
        "https://hub.prowler.com/check/ssmincidents_enabled_with_plans"
      ]
    },
    "risk_details": "Without an `ACTIVE` replication set or response plans, incidents lack coordinated engagement and automation, raising MTTR and impacting availability and integrity.\n\nThreats include prolonged outages, lateral movement, and data exfiltration from delayed containment and misrouted escalation.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Amazon Web Services Premium Support Subscription is required to use this service.",
    "metadata": {
      "event_code": "trustedadvisor_errors_and_warnings",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "MANUAL",
    "status_detail": "Amazon Web Services Premium Support Subscription is required to use this service.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/",
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/TrustedAdvisor/checks.html"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "KISA-ISMS-P-2023": [
          "2.10.1",
          "2.10.2",
          "2.11.3"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_2",
          "ov_3"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS Trusted Advisor** check statuses are assessed to identify items in `warning` or `error`. The finding reflects the state reported by Trusted Advisor across categories such as **Security**, **Fault Tolerance**, **Service Limits**, and **Cost**, indicating where configurations or quotas require attention.",
      "title": "Trusted Advisor check has no errors or warnings",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-trustedadvisor_errors_and_warnings-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {}
        },
        "group": {
          "name": "trustedadvisor"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:trusted-advisor:us-east-1:211203495394:account"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Adopt a continuous process to remediate Trusted Advisor findings:\n- Prioritize **`error`** then `warning`\n- Assign ownership and SLAs\n- Integrate alerts with workflows\n- Enforce **least privilege**, segmentation, encryption, MFA, and tested backups\n- Reassess regularly to confirm fixes and prevent regression",
      "references": [
        "https://hub.prowler.com/check/trustedadvisor_errors_and_warnings"
      ]
    },
    "risk_details": "Unaddressed **warnings/errors** can leave misconfigurations that impact CIA:\n- **Confidentiality**: public access or weak auth exposes data\n- **Integrity**: overly permissive settings allow unwanted changes\n- **Availability**: limit exhaustion or poor resilience triggers outages\nThey can also increase unnecessary cost.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "Amazon Web Services Premium Support Plan isn't subscribed.",
    "metadata": {
      "event_code": "trustedadvisor_premium_support_plan_subscribed",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 2,
    "severity": "Low",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "Amazon Web Services Premium Support Plan isn't subscribed.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://www.trendmicro.com/trendaivisiononecloudriskmanagement-staging/knowledge-base/aws/Support/support-plan.html",
        "https://aws.amazon.com/premiumsupport/plans/"
      ],
      "notes": "",
      "compliance": {
        "FedRAMP-20x-KSI-Low-25.05C": [
          "ksi-piy",
          "ksi-tpr"
        ],
        "C5-2025": [
          "SSO-05.06B"
        ],
        "NIST-CSF-2.0": [
          "rm_1",
          "po_3",
          "po_4",
          "ov_3"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "**AWS account** is subscribed to an **AWS Premium Support plan** (e.g., Business or Enterprise)",
      "title": "AWS account is subscribed to an AWS Premium Support plan",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices"
      ],
      "uid": "prowler-aws-trustedadvisor_premium_support_plan_subscribed-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "enabled": false
          }
        },
        "group": {
          "name": "trustedadvisor"
        },
        "labels": [],
        "name": "211203495394",
        "type": "Other",
        "uid": "arn:aws:trusted-advisor:us-east-1:211203495394:account"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Adopt **Business** or higher for production and mission-critical accounts.\n- Integrate Support into IR with defined contacts/severity\n- Enforce **least privilege** for case access\n- Use Trusted Advisor for proactive hardening\n- If opting out, ensure an equivalent 24/7 support and escalation path",
      "references": [
        "https://hub.prowler.com/check/trustedadvisor_premium_support_plan_subscribed"
      ]
    },
    "risk_details": "Without **Premium Support**, critical incidents face slower response, reducing **availability** and delaying containment of security events. Limited Trusted Advisor coverage lets **misconfigurations** persist, risking **data exposure** and **privilege misuse**. Lack of expert guidance increases change risk during production impacts.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  },
  {
    "message": "VPCs found only in one region.",
    "metadata": {
      "event_code": "vpc_different_regions",
      "product": {
        "name": "Prowler",
        "uid": "prowler",
        "vendor_name": "Prowler",
        "version": "5.23.0"
      },
      "profiles": [
        "cloud",
        "datetime"
      ],
      "tenant_uid": "",
      "version": "1.5.0"
    },
    "severity_id": 3,
    "severity": "Medium",
    "status": "New",
    "status_code": "FAIL",
    "status_detail": "VPCs found only in one region.",
    "status_id": 1,
    "unmapped": {
      "related_url": "",
      "categories": [
        "resilience"
      ],
      "depends_on": [],
      "related_to": [],
      "additional_urls": [
        "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-example-private-subnets-nat.html",
        "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html"
      ],
      "notes": "",
      "compliance": {
        "KISA-ISMS-P-2023-korean": [
          "2.9.2"
        ],
        "KISA-ISMS-P-2023": [
          "2.9.2"
        ],
        "C5-2025": [
          "PS-02.01B",
          "PS-02.01AS",
          "PS-02.02AS"
        ],
        "ISO27001-2022": [
          "A.8.20",
          "A.8.21",
          "A.8.22"
        ],
        "ENS-RD2022": [
          "mp.com.4.r1.aws.vpc.1",
          "mp.com.4.r3.aws.vpc.1"
        ]
      },
      "scan_id": "019d847e-828b-7cb7-be51-9c11d847cee1",
      "provider_uid": "211203495394",
      "provider": "aws"
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
      "created_time": 1776044376,
      "created_time_dt": "2026-04-13T01:39:36.715801",
      "desc": "Non-default **VPCs** are evaluated across the account to determine whether they exist in **more than one region**. The result reflects if your custom network topology is regionally distributed or concentrated in a single region.",
      "title": "VPCs are present in more than one region",
      "types": [
        "Software and Configuration Checks/AWS Security Best Practices",
        "Effects/Denial of Service"
      ],
      "uid": "prowler-aws-vpc_different_regions-211203495394-us-east-1-211203495394"
    },
    "resources": [
      {
        "cloud_partition": "aws",
        "region": "us-east-1",
        "data": {
          "details": "",
          "metadata": {
            "vpc-00edf4476fa81d898": {
              "arn": "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-00edf4476fa81d898",
              "id": "vpc-00edf4476fa81d898",
              "name": "cfi-1776044303-vpc-cn03-allowed-requester-01",
              "default": false,
              "in_use": false,
              "cidr_block": "10.40.0.0/20",
              "flow_log": false,
              "region": "us-east-1",
              "subnets": [],
              "tags": [
                {
                  "Key": "PeerClass",
                  "Value": "allowed"
                },
                {
                  "Key": "Environment",
                  "Value": "cfi-test"
                },
                {
                  "Key": "Project",
                  "Value": "CCC-CFI-Compliance"
                },
                {
                  "Key": "CFIControl",
                  "Value": "CCC.VPC.CN03"
                },
                {
                  "Key": "Name",
                  "Value": "cfi-1776044303-vpc-cn03-allowed-requester-01"
                },
                {
                  "Key": "team",
                  "Value": "cfi-team"
                },
                {
                  "Key": "AutoCleanup",
                  "Value": "true"
                },
                {
                  "Key": "Owner",
                  "Value": "cfi-owner"
                },
                {
                  "Key": "CFIVpcRole",
                  "Value": "cn03-peer-test-vpc"
                },
                {
                  "Key": "ManagedBy",
                  "Value": "Terraform"
                }
              ]
            },
            "vpc-08678ebdbec637832": {
              "arn": "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-08678ebdbec637832",
              "id": "vpc-08678ebdbec637832",
              "name": "cfi-1776044303-vpc-cn03-disallowed-requester-02",
              "default": false,
              "in_use": false,
              "cidr_block": "10.30.16.0/20",
              "flow_log": false,
              "region": "us-east-1",
              "subnets": [],
              "tags": [
                {
                  "Key": "CFIVpcRole",
                  "Value": "cn03-peer-test-vpc"
                },
                {
                  "Key": "Environment",
                  "Value": "cfi-test"
                },
                {
                  "Key": "Project",
                  "Value": "CCC-CFI-Compliance"
                },
                {
                  "Key": "Name",
                  "Value": "cfi-1776044303-vpc-cn03-disallowed-requester-02"
                },
                {
                  "Key": "CFIControl",
                  "Value": "CCC.VPC.CN03"
                },
                {
                  "Key": "PeerClass",
                  "Value": "disallowed"
                },
                {
                  "Key": "ManagedBy",
                  "Value": "Terraform"
                },
                {
                  "Key": "Owner",
                  "Value": "cfi-owner"
                },
                {
                  "Key": "AutoCleanup",
                  "Value": "true"
                },
                {
                  "Key": "team",
                  "Value": "cfi-team"
                }
              ]
            },
            "vpc-06343230833672ab6": {
              "arn": "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-06343230833672ab6",
              "id": "vpc-06343230833672ab6",
              "name": "cfi-1776044303-vpc-cn03-disallowed-requester-01",
              "default": false,
              "in_use": false,
              "cidr_block": "10.30.0.0/20",
              "flow_log": false,
              "region": "us-east-1",
              "subnets": [],
              "tags": [
                {
                  "Key": "team",
                  "Value": "cfi-team"
                },
                {
                  "Key": "CFIControl",
                  "Value": "CCC.VPC.CN03"
                },
                {
                  "Key": "Project",
                  "Value": "CCC-CFI-Compliance"
                },
                {
                  "Key": "Name",
                  "Value": "cfi-1776044303-vpc-cn03-disallowed-requester-01"
                },
                {
                  "Key": "PeerClass",
                  "Value": "disallowed"
                },
                {
                  "Key": "Environment",
                  "Value": "cfi-test"
                },
                {
                  "Key": "ManagedBy",
                  "Value": "Terraform"
                },
                {
                  "Key": "Owner",
                  "Value": "cfi-owner"
                },
                {
                  "Key": "CFIVpcRole",
                  "Value": "cn03-peer-test-vpc"
                },
                {
                  "Key": "AutoCleanup",
                  "Value": "true"
                }
              ]
            },
            "vpc-030739f6bd57beef0": {
              "arn": "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-030739f6bd57beef0",
              "id": "vpc-030739f6bd57beef0",
              "name": "cfi-1776044303-vpc-cn03-non-allowlisted-requester-01",
              "default": false,
              "in_use": false,
              "cidr_block": "10.50.0.0/20",
              "flow_log": false,
              "region": "us-east-1",
              "subnets": [],
              "tags": [
                {
                  "Key": "ManagedBy",
                  "Value": "Terraform"
                },
                {
                  "Key": "Owner",
                  "Value": "cfi-owner"
                },
                {
                  "Key": "Environment",
                  "Value": "cfi-test"
                },
                {
                  "Key": "CFIVpcRole",
                  "Value": "cn03-peer-test-vpc"
                },
                {
                  "Key": "team",
                  "Value": "cfi-team"
                },
                {
                  "Key": "AutoCleanup",
                  "Value": "true"
                },
                {
                  "Key": "Project",
                  "Value": "CCC-CFI-Compliance"
                },
                {
                  "Key": "CFIControl",
                  "Value": "CCC.VPC.CN03"
                },
                {
                  "Key": "Name",
                  "Value": "cfi-1776044303-vpc-cn03-non-allowlisted-requester-01"
                }
              ]
            },
            "vpc-0232d940ac1e052fc": {
              "arn": "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-0232d940ac1e052fc",
              "id": "vpc-0232d940ac1e052fc",
              "name": "cfi-1776044303-vpc",
              "default": false,
              "in_use": false,
              "cidr_block": "10.20.0.0/16",
              "flow_log": true,
              "region": "us-east-1",
              "subnets": [
                {
                  "arn": "arn:aws:ec2:us-east-1:211203495394:subnet/subnet-05995c19463646e51",
                  "id": "subnet-05995c19463646e51",
                  "name": "cfi-1776044303-vpc-public-us-east-1a",
                  "default": false,
                  "vpc_id": "vpc-0232d940ac1e052fc",
                  "cidr_block": "10.20.0.0/24",
                  "availability_zone": "us-east-1a",
                  "public": true,
                  "in_use": false,
                  "nat_gateway": false,
                  "region": "us-east-1",
                  "mapPublicIpOnLaunch": false,
                  "tags": [
                    {
                      "Key": "Name",
                      "Value": "cfi-1776044303-vpc-public-us-east-1a"
                    },
                    {
                      "Key": "Tier",
                      "Value": "public"
                    },
                    {
                      "Key": "AutoCleanup",
                      "Value": "true"
                    },
                    {
                      "Key": "CFIControlSet",
                      "Value": "CCC.VPC"
                    },
                    {
                      "Key": "Owner",
                      "Value": "cfi-owner"
                    },
                    {
                      "Key": "Project",
                      "Value": "CCC-CFI-Compliance"
                    },
                    {
                      "Key": "team",
                      "Value": "cfi-team"
                    },
                    {
                      "Key": "ManagedBy",
                      "Value": "Terraform"
                    },
                    {
                      "Key": "Environment",
                      "Value": "cfi-test"
                    }
                  ]
                },
                {
                  "arn": "arn:aws:ec2:us-east-1:211203495394:subnet/subnet-065481962db4b7fe7",
                  "id": "subnet-065481962db4b7fe7",
                  "name": "cfi-1776044303-vpc-public-us-east-1b",
                  "default": false,
                  "vpc_id": "vpc-0232d940ac1e052fc",
                  "cidr_block": "10.20.1.0/24",
                  "availability_zone": "us-east-1b",
                  "public": true,
                  "in_use": false,
                  "nat_gateway": false,
                  "region": "us-east-1",
                  "mapPublicIpOnLaunch": false,
                  "tags": [
                    {
                      "Key": "Project",
                      "Value": "CCC-CFI-Compliance"
                    },
                    {
                      "Key": "AutoCleanup",
                      "Value": "true"
                    },
                    {
                      "Key": "ManagedBy",
                      "Value": "Terraform"
                    },
                    {
                      "Key": "team",
                      "Value": "cfi-team"
                    },
                    {
                      "Key": "Environment",
                      "Value": "cfi-test"
                    },
                    {
                      "Key": "Owner",
                      "Value": "cfi-owner"
                    },
                    {
                      "Key": "Name",
                      "Value": "cfi-1776044303-vpc-public-us-east-1b"
                    },
                    {
                      "Key": "Tier",
                      "Value": "public"
                    },
                    {
                      "Key": "CFIControlSet",
                      "Value": "CCC.VPC"
                    }
                  ]
                }
              ],
              "tags": [
                {
                  "Key": "AutoCleanup",
                  "Value": "true"
                },
                {
                  "Key": "team",
                  "Value": "cfi-team"
                },
                {
                  "Key": "Project",
                  "Value": "CCC-CFI-Compliance"
                },
                {
                  "Key": "Environment",
                  "Value": "cfi-test"
                },
                {
                  "Key": "Name",
                  "Value": "cfi-1776044303-vpc"
                },
                {
                  "Key": "Owner",
                  "Value": "cfi-owner"
                },
                {
                  "Key": "CFIControlSet",
                  "Value": "CCC.VPC"
                },
                {
                  "Key": "ManagedBy",
                  "Value": "Terraform"
                }
              ]
            },
            "vpc-035f0b812cb80ea99": {
              "arn": "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-035f0b812cb80ea99",
              "id": "vpc-035f0b812cb80ea99",
              "name": "cfi-1776044303-vpc-cn03-allowed-requester-02",
              "default": false,
              "in_use": false,
              "cidr_block": "10.40.16.0/20",
              "flow_log": false,
              "region": "us-east-1",
              "subnets": [],
              "tags": [
                {
                  "Key": "ManagedBy",
                  "Value": "Terraform"
                },
                {
                  "Key": "Owner",
                  "Value": "cfi-owner"
                },
                {
                  "Key": "Environment",
                  "Value": "cfi-test"
                },
                {
                  "Key": "team",
                  "Value": "cfi-team"
                },
                {
                  "Key": "Name",
                  "Value": "cfi-1776044303-vpc-cn03-allowed-requester-02"
                },
                {
                  "Key": "AutoCleanup",
                  "Value": "true"
                },
                {
                  "Key": "Project",
                  "Value": "CCC-CFI-Compliance"
                },
                {
                  "Key": "CFIVpcRole",
                  "Value": "cn03-peer-test-vpc"
                },
                {
                  "Key": "CFIControl",
                  "Value": "CCC.VPC.CN03"
                },
                {
                  "Key": "PeerClass",
                  "Value": "allowed"
                }
              ]
            },
            "vpc-08d29b9a77c3a1931": {
              "arn": "arn:aws:ec2:us-east-1:211203495394:vpc/vpc-08d29b9a77c3a1931",
              "id": "vpc-08d29b9a77c3a1931",
              "name": "cfi-1776044303-vpc-bad",
              "default": false,
              "in_use": false,
              "cidr_block": "10.21.0.0/16",
              "flow_log": false,
              "region": "us-east-1",
              "subnets": [
                {
                  "arn": "arn:aws:ec2:us-east-1:211203495394:subnet/subnet-0f8ca40eb465fa03a",
                  "id": "subnet-0f8ca40eb465fa03a",
                  "name": "cfi-1776044303-vpc-bad-public-us-east-1b",
                  "default": false,
                  "vpc_id": "vpc-08d29b9a77c3a1931",
                  "cidr_block": "10.21.1.0/24",
                  "availability_zone": "us-east-1b",
                  "public": true,
                  "in_use": false,
                  "nat_gateway": false,
                  "region": "us-east-1",
                  "mapPublicIpOnLaunch": true,
                  "tags": [
                    {
                      "Key": "team",
                      "Value": "cfi-team"
                    },
                    {
                      "Key": "CFIVpcRole",
                      "Value": "bad"
                    },
                    {
                      "Key": "Project",
                      "Value": "CCC-CFI-Compliance"
                    },
                    {
                      "Key": "Name",
                      "Value": "cfi-1776044303-vpc-bad-public-us-east-1b"
                    },
                    {
                      "Key": "Tier",
                      "Value": "public"
                    },
                    {
                      "Key": "Environment",
                      "Value": "cfi-test"
                    },
                    {
                      "Key": "CFIControlSet",
                      "Value": "CCC.VPC"
                    },
                    {
                      "Key": "Owner",
                      "Value": "cfi-owner"
                    },
                    {
                      "Key": "AutoCleanup",
                      "Value": "true"
                    },
                    {
                      "Key": "ManagedBy",
                      "Value": "Terraform"
                    }
                  ]
                },
                {
                  "arn": "arn:aws:ec2:us-east-1:211203495394:subnet/subnet-0a2ded5ca5bc5253e",
                  "id": "subnet-0a2ded5ca5bc5253e",
                  "name": "cfi-1776044303-vpc-bad-public-us-east-1a",
                  "default": false,
                  "vpc_id": "vpc-08d29b9a77c3a1931",
                  "cidr_block": "10.21.0.0/24",
                  "availability_zone": "us-east-1a",
                  "public": true,
                  "in_use": false,
                  "nat_gateway": false,
                  "region": "us-east-1",
                  "mapPublicIpOnLaunch": true,
                  "tags": [
                    {
                      "Key": "Tier",
                      "Value": "public"
                    },
                    {
                      "Key": "CFIVpcRole",
                      "Value": "bad"
                    },
                    {
                      "Key": "Environment",
                      "Value": "cfi-test"
                    },
                    {
                      "Key": "Project",
                      "Value": "CCC-CFI-Compliance"
                    },
                    {
                      "Key": "Name",
                      "Value": "cfi-1776044303-vpc-bad-public-us-east-1a"
                    },
                    {
                      "Key": "CFIControlSet",
                      "Value": "CCC.VPC"
                    },
                    {
                      "Key": "ManagedBy",
                      "Value": "Terraform"
                    },
                    {
                      "Key": "Owner",
                      "Value": "cfi-owner"
                    },
                    {
                      "Key": "team",
                      "Value": "cfi-team"
                    },
                    {
                      "Key": "AutoCleanup",
                      "Value": "true"
                    }
                  ]
                }
              ],
              "tags": [
                {
                  "Key": "Environment",
                  "Value": "cfi-test"
                },
                {
                  "Key": "Owner",
                  "Value": "cfi-owner"
                },
                {
                  "Key": "AutoCleanup",
                  "Value": "true"
                },
                {
                  "Key": "ManagedBy",
                  "Value": "Terraform"
                },
                {
                  "Key": "team",
                  "Value": "cfi-team"
                },
                {
                  "Key": "Name",
                  "Value": "cfi-1776044303-vpc-bad"
                },
                {
                  "Key": "Project",
                  "Value": "CCC-CFI-Compliance"
                },
                {
                  "Key": "CFIVpcRole",
                  "Value": "bad"
                },
                {
                  "Key": "CFIControlSet",
                  "Value": "CCC.VPC"
                }
              ]
            }
          }
        },
        "group": {
          "name": "vpc"
        },
        "labels": [],
        "name": "211203495394",
        "type": "AwsEc2Vpc",
        "uid": "arn:aws:ec2:us-east-1:211203495394:vpc"
      }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
      "account": {
        "name": "",
        "type": "AWS Account",
        "type_id": 10,
        "uid": "211203495394",
        "labels": []
      },
      "org": {
        "name": "",
        "ou_uid": "",
        "ou_name": "",
        "uid": ""
      },
      "provider": "aws",
      "region": "us-east-1"
    },
    "remediation": {
      "desc": "Adopt a **multi-region network design**:\n- Create VPCs in at least two regions for critical workloads\n- Replicate routing, security controls, and endpoints consistently\n- Apply **fault tolerance** and **defense in depth** with data replication and resilient DNS/failover to avoid single-region dependency",
      "references": [
        "https://hub.prowler.com/check/vpc_different_regions"
      ]
    },
    "risk_details": "Single-region VPC deployment weakens **availability** and **resilience**. A regional outage, service disruption, or network control misconfiguration can cause broad downtime, hinder recovery, and increase the **blast radius** of incidents impacting business continuity.",
    "time": 1776044376,
    "time_dt": "2026-04-13T01:39:36.715801",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
  }
]
