New RC6 including ENS as a new compliance type all formats

2026-02-10 14:55:00 +00:00 · 2020-12-01 10:03:59 +01:00
parent 30937c3275
commit 3d62aedf29
57 changed files with 85 additions and 14 deletions
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@
 - [Advanced Usage](#advanced-usage)
 - [Security Hub integration](#security-hub-integration)
 - [CodeBuild deployment](#codebuild-deployment)
- [Whitelist/allowlist or remove FAIL from resources](whitelist-allowlist-or-remove-fail-from-resources)
+- [Whitelist/allowlist or remove FAIL from resources](#whitelist-or-allowlist-or-remove-a-fail-from-resources)
 - [Fix](#how-to-fix-every-fail)
 - [Troubleshooting](#troubleshooting)
 - [Extras](#extras)
@@ -54,6 +54,7 @@ Read more about [CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-20
 - EKS-CIS
 - FFIEC
 - SOC2
+- ENS (Esquema Nacional de Seguridad of Spain)

 With Prowler you can:

--- a/checks/check116
+++ b/checks/check116
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check116="Low"
 CHECK_ASFF_TYPE_check116="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser"
 CHECK_ALTERNATE_check116="check116"
+CHECK_ASFF_COMPLIANCE_TYPE_check116="ens-op.acc.3.aws.iam.1"

 check116(){
  # "Ensure IAM policies are attached only to groups or roles (Scored)"
--- a/checks/check12
+++ b/checks/check12
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check12="High"
 CHECK_ASFF_TYPE_check12="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser"
 CHECK_ALTERNATE_check102="check12"
+CHECK_ASFF_COMPLIANCE_TYPE_check12="ens-op.acc.5.aws.iam.1"

 check12(){
  # "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
--- a/checks/check120
+++ b/checks/check120
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check120="Medium"
 CHECK_ASFF_TYPE_check120="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole"
 CHECK_ALTERNATE_check120="check120"
+CHECK_ASFF_COMPLIANCE_TYPE_check120="ens-op.acc.1.aws.iam.4"

 check120(){
  # "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
--- a/checks/check121
+++ b/checks/check121
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check121="Medium"
 CHECK_ASFF_TYPE_check121="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser"
 CHECK_ALTERNATE_check121="check121"
+CHECK_ASFF_COMPLIANCE_TYPE_check121="ens-op.acc.1.aws.iam.5"

 check121(){
  # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
--- a/checks/check13
+++ b/checks/check13
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check13="Medium"
 CHECK_ASFF_TYPE_check13="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check13="AwsIamUser"
 CHECK_ALTERNATE_check103="check13"
+CHECK_ASFF_COMPLIANCE_TYPE_check13="ens-op.acc.1.aws.iam.3,ens-op.acc.5.aws.iam.4"

 check13(){
  check_creds_used_in_last_days 90
--- a/checks/check14
+++ b/checks/check14
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check14="Medium"
 CHECK_ASFF_TYPE_check14="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser"
 CHECK_ALTERNATE_check104="check14"
+CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4,ens-op.acc.5.aws.iam.3"

 check14(){
  # "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
--- a/checks/check21
+++ b/checks/check21
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check21="High"
 CHECK_ASFF_TYPE_check21="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check21="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check201="check21"
+CHECK_ASFF_COMPLIANCE_TYPE_check21="ens-op.acc.7.aws.iam.1,ens-op.mon.1.aws.trail.1"

 check21(){
  trail_count=0
--- a/checks/check22
+++ b/checks/check22
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check22="Medium"
 CHECK_ASFF_TYPE_check22="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check22="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check202="check22"
+CHECK_ASFF_COMPLIANCE_TYPE_check22="ens-op.exp.10.aws.trail.1"

 check22(){
  # "Ensure CloudTrail log file validation is enabled (Scored)"
--- a/checks/check23
+++ b/checks/check23
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check23="Critical"
 CHECK_ASFF_TYPE_check23="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket"
 CHECK_ALTERNATE_check203="check23"
+CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3,ens-op.exp.10.aws.trail.4"

 check23(){
  # "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
--- a/checks/check24
+++ b/checks/check24
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check24="Low"
 CHECK_ASFF_TYPE_check24="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check24="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check204="check24"
+CHECK_ASFF_COMPLIANCE_TYPE_check24="ens-op.exp.8.aws.cw.1"

 check24(){
  # "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
--- a/checks/check25
+++ b/checks/check25
@@ -15,6 +15,7 @@ CHECK_TYPE_check25="LEVEL1"
 CHECK_SEVERITY_check25="Medium"
 CHECK_ASFF_TYPE_check25="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check205="check25"
+CHECK_ASFF_COMPLIANCE_TYPE_check25="ens-op.exp.1.aws.cfg.1"

 check25(){
  # "Ensure AWS Config is enabled in all regions (Scored)"
--- a/checks/check27
+++ b/checks/check27
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check27="Medium"
 CHECK_ASFF_TYPE_check27="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check27="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check207="check27"
+CHECK_ASFF_COMPLIANCE_TYPE_check27="ens-op.exp.10.aws.trail.5"

 check27(){
  # "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
--- a/checks/check29
+++ b/checks/check29
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check29="Medium"
 CHECK_ASFF_TYPE_check29="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check29="AwsEc2Vpc"
 CHECK_ALTERNATE_check209="check29"
+CHECK_ASFF_COMPLIANCE_TYPE_check29="ens-op.mon.1.aws.flow.1"

 check29(){
  # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
--- a/checks/check31
+++ b/checks/check31
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check31="Medium"
 CHECK_ASFF_TYPE_check31="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check301="check31"
+CHECK_ASFF_COMPLIANCE_TYPE_check31="ens-op.exp.8.aws.trail.2"

 check31(){
  check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"'
--- a/checks/check32
+++ b/checks/check32
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check32="Medium"
 CHECK_ASFF_TYPE_check32="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check302="check32"
+CHECK_ASFF_COMPLIANCE_TYPE_check32="ens-op.exp.8.aws.trail.4"

 check32(){
  check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"'
--- a/checks/check33
+++ b/checks/check33
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check33="Medium"
 CHECK_ASFF_TYPE_check33="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check303="check33"
+CHECK_ASFF_COMPLIANCE_TYPE_check33="ens-op.exp.8.aws.trail.5"

 check33(){
  check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'
--- a/checks/check34
+++ b/checks/check34
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check34="Medium"
 CHECK_ASFF_TYPE_check34="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check304="check34"
+CHECK_ASFF_COMPLIANCE_TYPE_check34="ens-op.exp.8.aws.trail.6"

 check34(){
  check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy'
--- a/checks/check35
+++ b/checks/check35
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check35="Medium"
 CHECK_ASFF_TYPE_check35="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check35="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check305="check35"
+CHECK_ASFF_COMPLIANCE_TYPE_check35="ens-op.exp.8.aws.trail.1"

 check35(){
  check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging'
--- a/checks/check36
+++ b/checks/check36
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check36="Medium"
 CHECK_ASFF_TYPE_check36="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check306="check36"
+CHECK_ASFF_COMPLIANCE_TYPE_check36="ens-op.exp.8.aws.trail.3"

 check36(){
  check3x '\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"'
--- a/checks/check37
+++ b/checks/check37
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check37="Medium"
 CHECK_ASFF_TYPE_check37="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check37="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check307="check37"
+CHECK_ASFF_COMPLIANCE_TYPE_check37="ens-op.exp.11.aws.kms.1"

 check37(){
  check3x '\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion'
--- a/checks/check41
+++ b/checks/check41
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check41="High"
 CHECK_ASFF_TYPE_check41="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check41="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check401="check41"
+CHECK_ASFF_COMPLIANCE_TYPE_check41="ens-mp.com.4.aws.sg.4"

 check41(){
  # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
--- a/checks/check42
+++ b/checks/check42
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check42="High"
 CHECK_ASFF_TYPE_check42="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check42="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check402="check42"
+CHECK_ASFF_COMPLIANCE_TYPE_check42="ens-mp.com.4.aws.sg.5"

 check42(){
  # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
--- a/checks/check43
+++ b/checks/check43
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check43="Medium"
 CHECK_ASFF_TYPE_check43="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check43="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check403="check43"
+CHECK_ASFF_COMPLIANCE_TYPE_check43="ens-mp.com.4.aws.sg.1"

 check43(){
  # "Ensure the default security group of every VPC restricts all traffic (Scored)"
--- a/checks/check_extra71
+++ b/checks/check_extra71
@@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra71="AwsIamUser"
 CHECK_ALTERNATE_extra701="extra71"
 CHECK_ALTERNATE_check71="extra71"
 CHECK_ALTERNATE_check701="extra71"
+CHECK_ASFF_COMPLIANCE_TYPE_extra71="ens-op.exp.10.aws.trail.2"

 extra71(){
  # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
--- a/checks/check_extra710
+++ b/checks/check_extra710
@@ -17,6 +17,7 @@ CHECK_TYPE_extra710="EXTRA"
 CHECK_SEVERITY_extra710="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra710="AwsEc2Instance"
 CHECK_ALTERNATE_check710="extra710"
+CHECK_ASFF_COMPLIANCE_TYPE_extra710="ens-mp.com.4.aws.vpc.1"

 extra710(){
  # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
--- a/checks/check_extra7100
+++ b/checks/check_extra7100
@@ -21,6 +21,7 @@ CHECK_TYPE_extra7100="EXTRA"
 CHECK_SEVERITY_extra7100="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy"
 CHECK_ALTERNATE_check7100="extra7100"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7100="ens-op.acc.2.aws.iam.1"

 extra7100(){
  # "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)"
--- a/checks/check_extra713
+++ b/checks/check_extra713
@@ -16,6 +16,7 @@ CHECK_SCORED_extra713="NOT_SCORED"
 CHECK_TYPE_extra713="EXTRA"
 CHECK_SEVERITY_extra713="High"
 CHECK_ALTERNATE_check713="extra713"
+CHECK_ASFF_COMPLIANCE_TYPE_extra713="ens-op.mon.1.aws.duty.1"

 extra713(){
  # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
--- a/checks/check_extra728
+++ b/checks/check_extra728
@@ -18,6 +18,7 @@ CHECK_TYPE_extra728="EXTRA"
 CHECK_SEVERITY_extra728="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra728="AwsSqsQueue"
 CHECK_ALTERNATE_check728="extra728"
+CHECK_ASFF_COMPLIANCE_TYPE_extra728="ens-mp.info.3.sns.1"

 extra728(){
  for regx in $REGIONS; do
--- a/checks/check_extra729
+++ b/checks/check_extra729
@@ -18,6 +18,7 @@ CHECK_TYPE_extra729="EXTRA"
 CHECK_SEVERITY_extra729="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra729="AwsEc2Volume"
 CHECK_ALTERNATE_check729="extra729"
+CHECK_ASFF_COMPLIANCE_TYPE_extra729="ens-mp.info.3.aws.ebs.1"

 extra729(){
  # "Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark)"
--- a/checks/check_extra733
+++ b/checks/check_extra733
@@ -17,6 +17,7 @@ CHECK_SCORED_extra733="NOT_SCORED"
 CHECK_TYPE_extra733="EXTRA"
 CHECK_SEVERITY_extra733="Low"
 CHECK_ALTERNATE_check733="extra733"
+CHECK_ASFF_COMPLIANCE_TYPE_extra733="ens-op.acc.1.aws.iam.1"

 extra733(){
  LIST_SAML_PROV=$($AWSCLI iam list-saml-providers $PROFILE_OPT --query 'SAMLProviderList[*].Arn' --output text |grep -v ^None)
@@ -26,6 +27,6 @@ extra733(){
      textInfo "SAML Provider $PROVIDER_NAME has been found"
    done
  else
-    textInfo "No SAML Provider found, add one and use STS"
+    textInfo "No SAML Provider found. Add one and use STS"
  fi
 }
--- a/checks/check_extra734
+++ b/checks/check_extra734
@@ -17,6 +17,7 @@ CHECK_TYPE_extra734="EXTRA"
 CHECK_SEVERITY_extra734="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra734="AwsS3Bucket"
 CHECK_ALTERNATE_check734="extra734"
+CHECK_ASFF_COMPLIANCE_TYPE_extra734="ens-mp.info.3.s3.1"

 extra734(){
  LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1)
--- a/checks/check_extra735
+++ b/checks/check_extra735
@@ -17,6 +17,7 @@ CHECK_TYPE_extra735="EXTRA"
 CHECK_SEVERITY_extra735="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra735="AwsRdsDbInstance"
 CHECK_ALTERNATE_check735="extra735"
+CHECK_ASFF_COMPLIANCE_TYPE_extra735="ens-mp.info.3.aws.rds.1"

 extra735(){
  textInfo "Looking for RDS Volumes in all regions...  "
--- a/checks/check_extra736
+++ b/checks/check_extra736
@@ -17,6 +17,7 @@ CHECK_TYPE_extra736="EXTRA"
 CHECK_SEVERITY_extra736="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra736="AwsKmsKey"
 CHECK_ALTERNATE_check736="extra736"
+CHECK_ASFF_COMPLIANCE_TYPE_extra736="ens-op.exp.11.aws.kms.2"

 extra736(){
  textInfo "Looking for KMS keys in all regions...  "
--- a/checks/check_extra737
+++ b/checks/check_extra737
@@ -17,6 +17,7 @@ CHECK_TYPE_extra737="EXTRA"
 CHECK_SEVERITY_extra737="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra737="AwsKmsKey"
 CHECK_ALTERNATE_check737="extra737"
+CHECK_ASFF_COMPLIANCE_TYPE_extra737="ens-op.exp.11.aws.kms.3"

 extra737(){
  textInfo "Looking for KMS keys in all regions...  "
--- a/checks/check_extra738
+++ b/checks/check_extra738
@@ -17,6 +17,7 @@ CHECK_TYPE_extra738="EXTRA"
 CHECK_SEVERITY_extra738="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra738="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check738="extra738"
+CHECK_ASFF_COMPLIANCE_TYPE_extra738="ens-mp.com.2.aws.front.1"

 extra738(){
    LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None)
--- a/checks/check_extra74
+++ b/checks/check_extra74
@@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra74="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_extra704="extra74"
 CHECK_ALTERNATE_check74="extra74"
 CHECK_ALTERNATE_check704="extra74"
+CHECK_ASFF_COMPLIANCE_TYPE_extra74="ens-mp.com.4.aws.sg.2"

 extra74(){
  # "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
--- a/checks/check_extra740
+++ b/checks/check_extra740
@@ -17,6 +17,7 @@ CHECK_TYPE_extra740="EXTRA"
 CHECK_SEVERITY_extra740="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra740="AwsEc2Snapshot"
 CHECK_ALTERNATE_check740="extra740"
+CHECK_ASFF_COMPLIANCE_TYPE_extra740="ens-mp.info.3.aws.ebs.3"

 extra740(){
  textInfo "Looking for EBS Snapshots in all regions...  "
--- a/checks/check_extra744
+++ b/checks/check_extra744
@@ -17,6 +17,7 @@ CHECK_TYPE_extra744="EXTRA"
 CHECK_SEVERITY_extra744="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra744="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check744="extra744"
+CHECK_ASFF_COMPLIANCE_TYPE_extra744="ens-mp.s.2.aws.waf.2"

 extra744(){
  for regx in $REGIONS; do
--- a/checks/check_extra749
+++ b/checks/check_extra749
@@ -17,6 +17,7 @@ CHECK_TYPE_extra749="EXTRA"
 CHECK_SEVERITY_extra749="High"
 CHECK_ASFF_RESOURCE_TYPE_extra749="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check749="extra749"
+CHECK_ASFF_COMPLIANCE_TYPE_extra749="ens-mp.com.4.aws.sg.6"

 extra749(){
  for regx in $REGIONS; do
--- a/checks/check_extra75
+++ b/checks/check_extra75
@@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra75="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_extra705="extra75"
 CHECK_ALTERNATE_check75="extra75"
 CHECK_ALTERNATE_check705="extra75"
+CHECK_ASFF_COMPLIANCE_TYPE_extra75="ens-mp.com.4.aws.sg.3"

 extra75(){
  # "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
--- a/checks/check_extra750
+++ b/checks/check_extra750
@@ -17,6 +17,7 @@ CHECK_TYPE_extra750="EXTRA"
 CHECK_SEVERITY_extra750="High"
 CHECK_ASFF_RESOURCE_TYPE_extra750="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check750="extra750"
+CHECK_ASFF_COMPLIANCE_TYPE_extra750="ens-mp.com.4.aws.sg.7"

 extra750(){
  for regx in $REGIONS; do
--- a/checks/check_extra751
+++ b/checks/check_extra751
@@ -17,6 +17,7 @@ CHECK_TYPE_extra751="EXTRA"
 CHECK_SEVERITY_extra751="High"
 CHECK_ASFF_RESOURCE_TYPE_extra751="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check751="extra751"
+CHECK_ASFF_COMPLIANCE_TYPE_extra751="ens-mp.com.4.aws.sg.8"

 extra751(){
  for regx in $REGIONS; do
--- a/checks/check_extra752
+++ b/checks/check_extra752
@@ -17,6 +17,7 @@ CHECK_TYPE_extra752="EXTRA"
 CHECK_SEVERITY_extra752="High"
 CHECK_ASFF_RESOURCE_TYPE_extra752="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check752="extra752"
+CHECK_ASFF_COMPLIANCE_TYPE_extra752="ens-mp.com.4.aws.sg.9"

 extra752(){
  for regx in $REGIONS; do
--- a/checks/check_extra753
+++ b/checks/check_extra753
@@ -17,6 +17,7 @@ CHECK_TYPE_extra753="EXTRA"
 CHECK_SEVERITY_extra753="High"
 CHECK_ASFF_RESOURCE_TYPE_extra753="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check753="extra753"
+CHECK_ASFF_COMPLIANCE_TYPE_extra753="ens-mp.com.4.aws.sg.10"

 extra753(){
  for regx in $REGIONS; do
--- a/checks/check_extra754
+++ b/checks/check_extra754
@@ -17,6 +17,7 @@ CHECK_TYPE_extra754="EXTRA"
 CHECK_SEVERITY_extra754="High"
 CHECK_ASFF_RESOURCE_TYPE_extra754="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check754="extra754"
+CHECK_ASFF_COMPLIANCE_TYPE_extra754="ens-mp.com.4.aws.sg.11"

 extra754(){
  for regx in $REGIONS; do
--- a/checks/check_extra755
+++ b/checks/check_extra755
@@ -17,6 +17,7 @@ CHECK_TYPE_extra755="EXTRA"
 CHECK_SEVERITY_extra755="High"
 CHECK_ASFF_RESOURCE_TYPE_extra755="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check755="extra755"
+CHECK_ASFF_COMPLIANCE_TYPE_extra755="ens-mp.com.4.aws.sg.12"

 extra755(){
  for regx in $REGIONS; do
--- a/checks/check_extra761
+++ b/checks/check_extra761
@@ -16,6 +16,7 @@ CHECK_SCORED_extra761="NOT_SCORED"
 CHECK_TYPE_extra761="EXTRA"
 CHECK_SEVERITY_extra761="Medium"
 CHECK_ALTERNATE_check761="extra761"
+CHECK_ASFF_COMPLIANCE_TYPE_extra761="ens-mp.info.3.aws.ebs.2"

 extra761(){
  textInfo "Looking for EBS Default Encryption activation in all regions...  "
--- a/checks/check_extra764
+++ b/checks/check_extra764
@@ -17,6 +17,7 @@ CHECK_TYPE_extra764="EXTRA"
 CHECK_SEVERITY_extra764="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra764="AwsS3Bucket"
 CHECK_ALTERNATE_check764="extra764"
+CHECK_ASFF_COMPLIANCE_TYPE_extra764="ens-mp.com.2.aws.s3.1"

 extra764(){
  LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text --region $REGION|xargs -n1)
--- a/checks/check_extra773
+++ b/checks/check_extra773
@@ -17,6 +17,7 @@ CHECK_TYPE_extra773="EXTRA"
 CHECK_SEVERITY_extra773="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra773="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check773="extra773"
+CHECK_ASFF_COMPLIANCE_TYPE_extra773="ens-mp.s.2.aws.waf.1"

 extra773(){
  # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
--- a/checks/check_extra781
+++ b/checks/check_extra781
@@ -17,6 +17,7 @@ CHECK_TYPE_extra781="EXTRA"
 CHECK_SEVERITY_extra781="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra781="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check781="extra781"
+CHECK_ASFF_COMPLIANCE_TYPE_extra781="ens-mp.info.3.aws.au.1"

 extra781(){
  for regx in $REGIONS; do
--- a/checks/check_extra792
+++ b/checks/check_extra792
@@ -17,6 +17,7 @@ CHECK_TYPE_extra792="EXTRA"
 CHECK_SEVERITY_extra792="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra792="AwsElbLoadBalancer"
 CHECK_ALTERNATE_check792="extra792"
+CHECK_ASFF_COMPLIANCE_TYPE_extra792="ens-mp.com.2.aws.elb.2"

 extra792(){
  # "Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)"
--- a/checks/check_extra793
+++ b/checks/check_extra793
@@ -17,6 +17,7 @@ CHECK_TYPE_extra793="EXTRA"
 CHECK_SEVERITY_extra793="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra793="AwsElbLoadBalancer"
 CHECK_ALTERNATE_check793="extra793"
+CHECK_ASFF_COMPLIANCE_TYPE_extra793="ens-mp.com.2.aws.elb.1"

 extra793(){
  # "Check if Elastic Load Balancers have encrypted listeners (Not Scored) (Not part of CIS benchmark)"
--- a/include/csv_header
+++ b/include/csv_header
@@ -15,5 +15,5 @@
 printCsvHeader() {
  >&2 echo ""
  >&2 echo "Generating \"${SEP}\" delimited report on stdout for profile $PROFILE, account $ACCOUNT_NUM"
-      echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}LEVEL${SEP}TITLE_TEXT${SEP}NOTES" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_CSV
+      echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}LEVEL${SEP}TITLE_TEXT${SEP}NOTES${SEP}COMPLIANCE" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_CSV
 }
--- a/include/html_report
+++ b/include/html_report
@@ -100,6 +100,7 @@ addHtmlHeader() {
              <th scope="col">Result</th>
              <th scope="col">AccountID</th>
              <th scope="col">Region</th>
+              <th scope="col">Compliance</th>
              <th scope="col">Group</th>
              <th scope="col">CheckID</th>
              <th style="width:40%" scope="col">Check Title</th>
--- a/include/outputs
+++ b/include/outputs
@@ -51,7 +51,7 @@ textPass(){
    REPREGION=$REGION
  fi
  if [[ "${MODES[@]}" =~ "csv" ]]; then
-    echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}PASS${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
+    echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}PASS${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
  fi
  if [[ "${MODES[@]}" =~ "json" ]]; then
    generateJsonOutput "$1" "Pass" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_JSON
@@ -88,7 +88,7 @@ textInfo(){
    REPREGION=$REGION
  fi
  if [[ "${MODES[@]}" =~ "csv" ]]; then
-    echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}INFO${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV}
+    echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}INFO${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV}
  fi
  if [[ "${MODES[@]}" =~ "json" ]]; then
    generateJsonOutput "$1" "Info" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}
@@ -140,7 +140,7 @@ textFail(){
  fi

  if [[ "${MODES[@]}" =~ "csv" ]]; then
-    echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}${level}${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV}
+    echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}${level}${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV}
  fi
  if [[ "${MODES[@]}" =~ "json" ]]; then
    generateJsonOutput "$1" "${level}" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}
@@ -211,9 +211,9 @@ textTitle(){
    :
  else
    if [[ "$ITEM_SCORED" == "Scored" ]]; then
-      echo -e "\n$BLUE $TITLE_ID $NORMAL $TITLE_TEXT $group_ids"
+      echo -e "\n$BLUE $TITLE_ID $NORMAL $TITLE_TEXT $6 $group_ids "
    else
-      echo -e "\n$PURPLE $TITLE_ID $TITLE_TEXT $NORMAL $group_ids"
+      echo -e "\n$PURPLE $TITLE_ID $TITLE_TEXT $6 $NORMAL $group_ids "
    fi
  fi
 }
@@ -232,6 +232,7 @@ generateJsonOutput(){
  --arg ITEM_LEVEL "$ITEM_LEVEL" \
  --arg TITLE_ID "$TITLE_ID" \
  --arg REPREGION "$REPREGION" \
+  --arg TYPE "$ASFF_COMPLIANCE_TYPE" \
  --arg TIMESTAMP "$(get_iso8601_timestamp)" \
  -n '{
    "Profile": $PROFILE,
@@ -245,6 +246,7 @@ generateJsonOutput(){
    "Control ID": $TITLE_ID,
    "Region": $REPREGION,
    "Timestamp": $TIMESTAMP,
+    "Compliance": $TYPE
  }'
 }

@@ -266,7 +268,8 @@ generateJsonAsffOutput(){
  --arg SEVERITY "$(echo $CHECK_SEVERITY| awk '{ print toupper($0) }')" \
  --arg TITLE_ID "$TITLE_ID" \
  --arg CHECK_ID "$CHECK_ID" \
-  --arg TYPE "$ASFF_TYPE" \
+  --arg TYPE "$ASFF_COMPLIANCE_TYPE" \
+  --arg COMPLIANCE_RELATED_REQUIREMENTS "$ASFF_COMPLIANCE_TYPE" \
  --arg RESOURCE_TYPE "$ASFF_RESOURCE_TYPE" \
  --arg REPREGION "$REPREGION" \
  --arg TIMESTAMP "$(get_iso8601_timestamp)" \
@@ -303,7 +306,8 @@ generateJsonAsffOutput(){
          }
      ],
      "Compliance": {
-          "Status": $STATUS
+          "Status": $STATUS,
+          "RelatedRequirements": [ $COMPLIANCE_RELATED_REQUIREMENTS ]
      }
  }'
 }
@@ -317,6 +321,7 @@ generateHtmlOutput(){
      echo '<td>INFO</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$ACCOUNT_NUM'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$REPREGION'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
+      echo '<td>'$ASFF_COMPLIANCE_TYPE'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$ITEM_LEVEL'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$TITLE_ID'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$TITLE_TEXT'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
@@ -329,6 +334,7 @@ generateHtmlOutput(){
      echo '<td>PASS</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$ACCOUNT_NUM'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$REPREGION'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
+      echo '<td>'$ASFF_COMPLIANCE_TYPE'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$ITEM_LEVEL'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$TITLE_ID'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$TITLE_TEXT'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
@@ -341,6 +347,7 @@ generateHtmlOutput(){
      echo '<td>FAIL</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$ACCOUNT_NUM'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$REPREGION'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
+      echo '<td>'$ASFF_COMPLIANCE_TYPE'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$ITEM_LEVEL'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$TITLE_ID'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$TITLE_TEXT'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
@@ -353,6 +360,7 @@ generateHtmlOutput(){
      echo '<td>WARN</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$ACCOUNT_NUM'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$REPREGION'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
+      echo '<td>'$ASFF_COMPLIANCE_TYPE'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$ITEM_LEVEL'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$TITLE_ID'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
      echo '<td>'$TITLE_TEXT'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
--- a/17
+++ b/17
@@ -32,7 +32,7 @@ OPTRED="[1;31m"
 OPTNORMAL="[0;39m"

 # Set the defaults variables
-PROWLER_VERSION=2.3.0RC5
+PROWLER_VERSION=2.3.0RC6
 PROWLER_DIR=$(dirname "$0")

 REGION=""
@@ -283,6 +283,7 @@ show_check_title() {
  local check_title=CHECK_TITLE_$1
  local check_scored=CHECK_SCORED_$1
  local check_type=CHECK_TYPE_$1
+  local check_asff_compliance_type=CHECK_ASFF_COMPLIANCE_TYPE_$1
  local group_ids
  local group_index
  # If requested ($2 is any non-null value) iterate all GROUP_CHECKS and produce a comma-separated list of all
@@ -297,7 +298,12 @@ show_check_title() {
      fi
    done
  fi
-  textTitle "${!check_id}" "${!check_title}" "${!check_scored}" "${!check_type}" "$group_ids"
+  # This shows ASFF_COMPLIANCE_TYPE if group used is ens, this si used to show ENS compliance ID control, can be used for other compliance groups as well.
+  if [[ ${GROUP_ID_READ} == "ens" ]];then
+    textTitle "${!check_id}" "${!check_title}" "${!check_scored}" "${!check_type}" "$group_ids" "(${!check_asff_compliance_type})"
+  else
+    textTitle "${!check_id}" "${!check_title}" "${!check_scored}" "${!check_type}" "$group_ids"
+  fi
 }

 # Function to show the title of a group, by numeric id
@@ -317,6 +323,8 @@ execute_check() {
  # See if this check defines an ASFF Type, if so, use this, falling back to a sane default
  # For a list of Types, see: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#securityhub-findings-format-type-taxonomy
  local asff_type_var=CHECK_ASFF_TYPE_$1
+  local asff_compliance_type_var=CHECK_ASFF_COMPLIANCE_TYPE_$1
+

  local severity_var=CHECK_SEVERITY_$1
  
@@ -325,6 +333,7 @@ execute_check() {
  CHECK_ID="$1"

  ASFF_TYPE="${!asff_type_var:-Software and Configuration Checks}"
+  ASFF_COMPLIANCE_TYPE="${!asff_compliance_type_var:-Software and Configuration Checks}"
  # See if this check defines an ASFF Resource Type, if so, use this, falling back to a sane default
  # For a list of Resource Types, see: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#asff-resources
  local asff_resource_type_var=CHECK_ASFF_RESOURCE_TYPE_$1
@@ -339,7 +348,7 @@ execute_check() {
  ignores="$(awk "/${1}/{print}" <(echo "${WHITELIST}"))"

  if [ ${alternate_name} ];then
-    if [[ ${alternate_name} == check1* || ${alternate_name} == extra71 ]];then
+    if [[ ${alternate_name} == check1* || ${alternate_name} == extra71 || ${alternate_name} == extra774 || ${alternate_name} == extra7123 ]];then
      if [ ! -s $TEMP_REPORT_FILE ];then
        genCredReport
        saveReport
@@ -363,7 +372,7 @@ execute_check() {
    local check_id_var=CHECK_ID_$1
    local check_id=${!check_id_var}
    if [ ${check_id} ]; then
-      if [[ ${check_id} == 1* || ${check_id} == 7.1 || ${check_id} == 7.74 ]];then
+      if [[ ${check_id} == 1* || ${check_id} == 7.1 || ${check_id} == 7.74 || ${check_id} == 7.123 ]];then
        if [ ! -s $TEMP_REPORT_FILE ];then
          genCredReport
          saveReport