feat(new_security_framework): AWS Well Architected Framework security pillar (#2382)

Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
2026-02-10 06:45:08 +00:00 · 2023-05-24 16:38:32 +02:00
parent ad3f3799fa
commit 735af02f59
7 changed files with 1455 additions and 14 deletions
--- a/docs/tutorials/compliance.md
+++ b/docs/tutorials/compliance.md
@@ -13,6 +13,7 @@ Currently, the available frameworks are:
 - `ens_rd2022_aws`
 - `aws_audit_manager_control_tower_guardrails_aws`
 - `aws_foundational_security_best_practices_aws`
+- `aws_well_architected_framework_security_pillar_aws`
 - `cisa_aws`
 - `fedramp_low_revision_4_aws`
 - `fedramp_moderate_revision_4_aws`
--- a/docs/tutorials/pentesting.md
+++ b/docs/tutorials/pentesting.md
@@ -11,7 +11,7 @@ The actual checks that have this funcionality are:
 1. autoscaling_find_secrets_ec2_launch_configuration
 - awslambda_function_no_secrets_in_code
 - awslambda_function_no_secrets_in_variables
- cloudformation_outputs_find_secrets
+- cloudformation_stack_outputs_find_secrets
 - ec2_instance_secrets_user_data
 - ecs_task_definitions_no_environment_secrets
 - ssm_document_secrets
--- a/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json
+++ b/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json
--- a/prowler/lib/check/compliance_models.py
+++ b/prowler/lib/check/compliance_models.py
@@ -39,10 +39,10 @@ class ENS_Requirements_Tipos(str, Enum):
 class ENS_Requirements(BaseModel):
    """ENS V3 Framework Requirements"""

-    IdGrupoControl: str
-    Marco: str
-    Categoria: str
-    DescripcionControl: str
+    IdGrupoControl: Optional[str]
+    Marco: Optional[str]
+    Categoria: Optional[str]
+    DescripcionControl: Optional[str]
    Tipo: ENS_Requirements_Tipos
    Nivel: ENS_Requirements_Nivel
    Dimensiones: list[ENS_Requirements_Dimensiones]
@@ -78,16 +78,31 @@ class CIS_Requirements_AssessmentStatus(str):
 class CIS_Requirements(BaseModel):
    """CIS Requirements"""

-    Section: str
+    Section: Optional[str]
    Profile: CIS_Requirements_Profile
    AssessmentStatus: CIS_Requirements_AssessmentStatus
-    Description: str
-    RationaleStatement: str
-    ImpactStatement: str
-    RemediationProcedure: str
-    AuditProcedure: str
-    AdditionalInformation: str
-    References: str
+    Description: Optional[str]
+    RationaleStatement: Optional[str]
+    ImpactStatement: Optional[str]
+    RemediationProcedure: Optional[str]
+    AuditProcedure: Optional[str]
+    AdditionalInformation: Optional[str]
+    References: Optional[str]
+
+
+# Well Architected Requirements
+class AWS_Well_Architected_Requirements(BaseModel):
+    """AWS Well Architected Requirements"""
+
+    Name: Optional[str]
+    WellArchitectedQuestionId: Optional[str]
+    WellArchitectedPracticeId: Optional[str]
+    Section: Optional[str]
+    SubSection: Optional[str]
+    LevelOfRisk: Optional[str]
+    AssessmentMethod: Optional[str]
+    Description: Optional[str]
+    ImplementationGuidanceUrl: Optional[str]


 # Base Compliance Model
@@ -96,8 +111,14 @@ class Compliance_Requirement(BaseModel):

    Id: str
    Description: str
+    Name: Optional[str]
    Attributes: list[
-        Union[CIS_Requirements, ENS_Requirements, Generic_Compliance_Requirements]
+        Union[
+            CIS_Requirements,
+            ENS_Requirements,
+            Generic_Compliance_Requirements,
+            AWS_Well_Architected_Requirements,
+        ]
    ]
    Checks: list[str]

--- a/prowler/lib/outputs/compliance.py
+++ b/prowler/lib/outputs/compliance.py
@@ -8,6 +8,7 @@ from prowler.config.config import orange_color, timestamp
 from prowler.lib.check.models import Check_Report
 from prowler.lib.logger import logger
 from prowler.lib.outputs.models import (
+    Check_Output_CSV_AWS_Well_Architected,
    Check_Output_CSV_CIS,
    Check_Output_CSV_ENS_RD2022,
    Check_Output_CSV_Generic_Compliance,
@@ -117,6 +118,47 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):

                    csv_header = generate_csv_fields(Check_Output_CSV_CIS)

+            elif (
+                compliance.Framework == "AWS-Well-Architected-Framework-Security-Pillar"
+                and compliance.Provider == "AWS"
+            ):
+                compliance_output = compliance.Framework
+                if compliance.Version != "":
+                    compliance_output += "_" + compliance.Version
+                if compliance.Provider != "":
+                    compliance_output += "_" + compliance.Provider
+
+                compliance_output = compliance_output.lower().replace("-", "_")
+                if compliance_output in output_options.output_modes:
+                    for requirement in compliance.Requirements:
+                        requirement_description = requirement.Description
+                        requirement_id = requirement.Id
+                        for attribute in requirement.Attributes:
+                            compliance_row = Check_Output_CSV_AWS_Well_Architected(
+                                Provider=finding.check_metadata.Provider,
+                                Description=compliance.Description,
+                                AccountId=audit_info.audited_account,
+                                Region=finding.region,
+                                AssessmentDate=timestamp.isoformat(),
+                                Requirements_Id=requirement_id,
+                                Requirements_Description=requirement_description,
+                                Requirements_Attributes_Name=attribute.Name,
+                                Requirements_Attributes_WellArchitectedQuestionId=attribute.WellArchitectedQuestionId,
+                                Requirements_Attributes_WellArchitectedPracticeId=attribute.WellArchitectedPracticeId,
+                                Requirements_Attributes_Section=attribute.Section,
+                                Requirements_Attributes_SubSection=attribute.SubSection,
+                                Requirements_Attributes_LevelOfRisk=attribute.LevelOfRisk,
+                                Requirements_Attributes_AssessmentMethod=attribute.AssessmentMethod,
+                                Requirements_Attributes_Description=attribute.Description,
+                                Requirements_Attributes_ImplementationGuidanceUrl=attribute.ImplementationGuidanceUrl,
+                                Status=finding.status,
+                                StatusExtended=finding.status_extended,
+                                ResourceId=finding.resource_id,
+                                CheckId=finding.check_metadata.CheckID,
+                            )
+
+                csv_header = generate_csv_fields(Check_Output_CSV_AWS_Well_Architected)
+
            else:
                compliance_output = compliance.Framework
                if compliance.Version != "":
--- a/prowler/lib/outputs/file_descriptors.py
+++ b/prowler/lib/outputs/file_descriptors.py
@@ -13,6 +13,7 @@ from prowler.lib.outputs.html import add_html_header
 from prowler.lib.outputs.models import (
    Aws_Check_Output_CSV,
    Azure_Check_Output_CSV,
+    Check_Output_CSV_AWS_Well_Architected,
    Check_Output_CSV_CIS,
    Check_Output_CSV_ENS_RD2022,
    Check_Output_CSV_Generic_Compliance,
@@ -139,6 +140,19 @@ def fill_file_descriptors(output_modes, output_directory, output_filename, audit
                        )
                        file_descriptors.update({output_mode: file_descriptor})

+                    elif (
+                        output_mode
+                        == "aws_well_architected_framework_security_pillar_aws"
+                    ):
+                        filename = f"{output_directory}/{output_filename}_aws_well_architected_framework_security_pillar_aws{csv_file_suffix}"
+                        file_descriptor = initialize_file_descriptor(
+                            filename,
+                            output_mode,
+                            audit_info,
+                            Check_Output_CSV_AWS_Well_Architected,
+                        )
+                        file_descriptors.update({output_mode: file_descriptor})
+
                    else:
                        # Generic Compliance framework
                        filename = f"{output_directory}/{output_filename}_{output_mode}{csv_file_suffix}"
--- a/prowler/lib/outputs/models.py
+++ b/prowler/lib/outputs/models.py
@@ -550,6 +550,31 @@ class Check_Output_CSV_Generic_Compliance(BaseModel):
    CheckId: str


+class Check_Output_CSV_AWS_Well_Architected(BaseModel):
+    """
+    Check_Output_CSV_AWS_Well_Architected generates a finding's output in CSV AWS Well Architected Compliance format.
+    """
+
+    Provider: str
+    Description: str
+    AccountId: str
+    Region: str
+    AssessmentDate: str
+    Requirements_Attributes_Name: str
+    Requirements_Attributes_WellArchitectedQuestionId: str
+    Requirements_Attributes_WellArchitectedPracticeId: Optional[str]
+    Requirements_Attributes_Section: str
+    Requirements_Attributes_SubSection: str
+    Requirements_Attributes_LevelOfRisk: str
+    Requirements_Attributes_AssessmentMethod: str
+    Requirements_Attributes_Description: str
+    Requirements_Attributes_ImplementationGuidanceUrl: str
+    Status: str
+    StatusExtended: str
+    ResourceId: str
+    CheckId: str
+
+
 # JSON ASFF Output
 class ProductFields(BaseModel):
    ProviderName: str = "Prowler"