feat(categories): Remove old groups and use categories from metadata (#1523)

config/config.py

@@ -12,9 +12,6 @@ prowler_version = "3.0-beta-21Nov2022"
 orange_color = "\033[38;5;208m"
 banner_color = "\033[1;92m"
 
-# Groups
-groups_file = "groups.json"
-
 # Compliance
 compliance_specification_dir = "./compliance"
 

groups.json

@@ -1,40 +0,0 @@
-{
-  "aws": {
-    "gdpr": {
-      "checks": [
-        "s3_bucket_server_access_logging_enabled",
-        "s3_bucket_object_versioning",
-        "iam_avoid_root_usage",
-        "iam_user_mfa_enabled_console_access",
-        "iam_disable_90_days_credentials",
-        "iam_rotate_access_key_90_days",
-        "iam_root_mfa_enabled",
-        "iam_root_hardware_mfa_enabled",
-        "iam_no_root_access_key",
-        "iam_administrator_access_with_mfa",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
-        "ec2_ebs_snapshots_encrypted",
-        "ec2_ebs_public_snapshot"
-      ],
-      "description": "GDPR Readiness"
-    },
-    "pci": {
-      "checks": [
-        "iam_avoid_root_usage",
-        "iam_user_mfa_enabled_console_access",
-        "iam_disable_90_days_credentials",
-        "iam_rotate_access_key_90_days",
-        "iam_root_mfa_enabled",
-        "iam_root_hardware_mfa_enabled",
-        "iam_no_root_access_key",
-        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
-        "ec2_ebs_snapshots_encrypted",
-        "ec2_ebs_public_snapshot",
-        "s3_bucket_server_access_logging_enabled"
-      ],
-      "description": "PCI-DSS v3.2.1 Readiness"
-    }
-  }
-}

lib/check/check.py

@@ -4,12 +4,11 @@ import os
 import sys
 from pkgutil import walk_packages
 from types import ModuleType
-from typing import Any
 
 from alive_progress import alive_bar
 from colorama import Fore, Style
 
-from config.config import compliance_specification_dir, groups_file, orange_color
+from config.config import compliance_specification_dir, orange_color
 from lib.check.compliance_models import load_compliance_framework
 from lib.check.models import Check, Output_From_Options, load_check_metadata
 from lib.logger import logger
@@ -65,20 +64,6 @@ def exclude_checks_to_run(checks_to_execute: set, excluded_checks: list) -> set:
     return checks_to_execute
 
 
-# Exclude groups to run
-def exclude_groups_to_run(
-    checks_to_execute: set, excluded_groups: list, provider: str
-) -> set:
-    # Recover checks from the input groups
-    available_groups = parse_groups_from_file(groups_file)
-    checks_from_groups = load_checks_to_execute_from_groups(
-        available_groups, excluded_groups, provider
-    )
-    for check_name in checks_from_groups:
-        checks_to_execute.discard(check_name)
-    return checks_to_execute
-
-
 # Exclude services to run
 def exclude_services_to_run(
     checks_to_execute: set, excluded_services: list, provider: str
@@ -110,7 +95,7 @@ def parse_checks_from_file(input_file: str, provider: str) -> set:
     return checks_to_execute
 
 
-def list_services(provider: str) -> set:
+def list_services(provider: str) -> set():
     available_services = set()
     checks = recover_checks_from_provider(provider)
     for check_name in checks:
@@ -120,6 +105,22 @@ def list_services(provider: str) -> set:
     return sorted(available_services)
 
 
+def list_categories(provider: str, bulk_checks_metadata: dict) -> set():
+    available_categories = set()
+    for check in bulk_checks_metadata.values():
+        for cat in check.Categories:
+            available_categories.add(cat)
+    return available_categories
+
+
+def print_categories(categories: set):
+    print(
+        f"There are {Fore.YELLOW}{len(categories)}{Style.RESET_ALL} available categories: \n"
+    )
+    for category in categories:
+        print(f"- {category}")
+
+
 def print_services(service_list: set):
     print(
         f"There are {Fore.YELLOW}{len(service_list)}{Style.RESET_ALL} available services: \n"
@@ -181,40 +182,6 @@ def print_checks(
     )
 
 
-# List available groups
-def list_groups(provider: str):
-    groups = parse_groups_from_file(groups_file)
-    print("Available Groups:")
-
-    for group, value in groups[provider].items():
-        group_description = value["description"]
-        print(f"\t - {group_description} -- [{group}] ")
-
-
-# Parse groups from groups.json
-def parse_groups_from_file(group_file: str) -> Any:
-    f = open_file(group_file)
-    available_groups = parse_json_file(f)
-    return available_groups
-
-
-# Parse checks from groups to execute
-def load_checks_to_execute_from_groups(
-    available_groups: Any, group_list: list, provider: str
-) -> set:
-    checks_to_execute = set()
-
-    for group in group_list:
-        if group in available_groups[provider]:
-            for check_name in available_groups[provider][group]["checks"]:
-                checks_to_execute.add(check_name)
-        else:
-            logger.error(
-                f"Group '{group}' was not found for the {provider.upper()} provider"
-            )
-    return checks_to_execute
-
-
 # Parse checks from compliance frameworks specification
 def parse_checks_from_compliance_framework(
     compliance_frameworks: list, bulk_compliance_frameworks: dict

lib/check/check_test.py

@@ -4,45 +4,14 @@ from unittest import mock
 from lib.check.check import (
     bulk_load_compliance_frameworks,
     exclude_checks_to_run,
-    exclude_groups_to_run,
     exclude_services_to_run,
-    load_checks_to_execute_from_groups,
     parse_checks_from_compliance_framework,
     parse_checks_from_file,
-    parse_groups_from_file,
 )
 from lib.check.models import load_check_metadata
 
 
 class Test_Check:
-    def test_parse_groups_from_file(self):
-        test_cases = [
-            {
-                "input": {
-                    "path": f"{os.path.dirname(os.path.realpath(__file__))}/fixtures/groupsA.json",
-                    "provider": "aws",
-                },
-                "expected": {
-                    "aws": {
-                        "gdpr": {
-                            "description": "GDPR Readiness",
-                            "checks": ["check11", "check12"],
-                        },
-                        "iam": {
-                            "description": "Identity and Access Management",
-                            "checks": [
-                                "iam_disable_30_days_credentials",
-                                "iam_disable_90_days_credentials",
-                            ],
-                        },
-                    }
-                },
-            }
-        ]
-        for test in test_cases:
-            check_file = test["input"]["path"]
-            assert parse_groups_from_file(check_file) == test["expected"]
-
     def test_load_check_metadata(self):
         test_cases = [
             {
@@ -80,42 +49,6 @@ class Test_Check:
             provider = test["input"]["provider"]
             assert parse_checks_from_file(check_file, provider) == test["expected"]
 
-    def test_load_checks_to_execute_from_groups(self):
-        test_cases = [
-            {
-                "input": {
-                    "groups_json": {
-                        "aws": {
-                            "gdpr": {
-                                "description": "GDPR Readiness",
-                                "checks": ["check11", "check12"],
-                            },
-                            "iam": {
-                                "description": "Identity and Access Management",
-                                "checks": [
-                                    "iam_disable_30_days_credentials",
-                                    "iam_disable_90_days_credentials",
-                                ],
-                            },
-                        }
-                    },
-                    "provider": "aws",
-                    "groups": ["gdpr"],
-                },
-                "expected": {"check11", "check12"},
-            }
-        ]
-
-        for test in test_cases:
-            provider = test["input"]["provider"]
-            groups = test["input"]["groups"]
-            group_file = test["input"]["groups_json"]
-
-            assert (
-                load_checks_to_execute_from_groups(group_file, groups, provider)
-                == test["expected"]
-            )
-
     def test_exclude_checks_to_run(self):
         test_cases = [
             {
@@ -140,44 +73,6 @@ class Test_Check:
                 exclude_checks_to_run(check_list, excluded_checks) == test["expected"]
             )
 
-    def test_exclude_groups_to_run(self):
-        test_cases = [
-            {
-                "input": {
-                    "excluded_group_list": {"gdpr"},
-                    "provider": "aws",
-                    "checks_to_run": {
-                        "iam_disable_30_days_credentials",
-                        "iam_disable_90_days_credentials",
-                    },
-                },
-                "expected": {
-                    "iam_disable_30_days_credentials",
-                },
-            },
-            {
-                "input": {
-                    "excluded_group_list": {"pci"},
-                    "provider": "aws",
-                    "checks_to_run": {
-                        "iam_disable_30_days_credentials",
-                        "iam_disable_90_days_credentials",
-                    },
-                },
-                "expected": {
-                    "iam_disable_30_days_credentials",
-                },
-            },
-        ]
-        for test in test_cases:
-            excluded_group_list = test["input"]["excluded_group_list"]
-            checks_to_run = test["input"]["checks_to_run"]
-            provider = test["input"]["provider"]
-            assert (
-                exclude_groups_to_run(checks_to_run, excluded_group_list, provider)
-                == test["expected"]
-            )
-
     def test_exclude_services_to_run(self):
         test_cases = [
             {

lib/check/checks_loader.py

@@ -1,9 +1,6 @@
-from config.config import groups_file
-from lib.check.check import (  # load_checks_to_execute_from_compliance_framework,
-    load_checks_to_execute_from_groups,
+from lib.check.check import (
     parse_checks_from_compliance_framework,
     parse_checks_from_file,
-    parse_groups_from_file,
     recover_checks_from_provider,
 )
 from lib.logger import logger
@@ -17,9 +14,9 @@ def load_checks_to_execute(
     checks_file: str,
     check_list: list,
     service_list: list,
-    group_list: list,
     severities: list,
     compliance_frameworks: list,
+    categories: set,
     provider: str,
 ) -> set:
     """Generate the list of checks to execute based on the cloud provider and input arguments specified"""
@@ -60,16 +57,6 @@ def load_checks_to_execute(
                     # if service_name in group_list: checks_to_execute.add(check_name)
                     checks_to_execute.add(check_name)
 
-    # Handle if there are groups passed using -g/--groups
-    elif group_list:
-        try:
-            available_groups = parse_groups_from_file(groups_file)
-            checks_to_execute = load_checks_to_execute_from_groups(
-                available_groups, group_list, provider
-            )
-        except Exception as e:
-            logger.error(f"{e.__class__.__name__}[{e.__traceback__.tb_lineno}] -- {e}")
-
     # Handle if there are compliance frameworks passed using --compliance
     elif compliance_frameworks:
         try:
@@ -79,6 +66,14 @@ def load_checks_to_execute(
         except Exception as e:
             logger.error(f"{e.__class__.__name__}[{e.__traceback__.tb_lineno}] -- {e}")
 
+    # Handle if there are categories passed using --categories
+    elif categories:
+        for cat in categories:
+            for check in bulk_checks_metadata:
+                # Check check's categories
+                if cat in bulk_checks_metadata[check].Categories:
+                    checks_to_execute.add(check)
+
     # If there are no checks passed as argument
     else:
         try:

providers/aws/services/accessanalyzer/accessanalyzer_enabled_without_findings/accessanalyzer_enabled_without_findings.metadata.json

@@ -33,4 +33,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/apigateway/apigateway_endpoint_public/apigateway_endpoint_public.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://d1.awsstatic.com/whitepapers/api-gateway-security.pdf?svrd_sip6"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/apigateway/apigateway_logging_enabled/apigateway_logging_enabled.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/autoscaling/autoscaling_find_secrets_ec2_launch_configuration/autoscaling_find_secrets_ec2_launch_configuration.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "secrets"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"

providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.metadata.json

@@ -23,7 +23,9 @@
       "Url": "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -31,4 +33,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.metadata.json

@@ -23,7 +23,9 @@
       "Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "secrets"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"

providers/aws/services/awslambda/awslambda_function_no_secrets_in_variables/awslambda_function_no_secrets_in_variables.metadata.json

@@ -23,7 +23,9 @@
       "Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "secrets"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"

providers/aws/services/awslambda/awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.metadata.json

@@ -23,7 +23,9 @@
       "Url": "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -31,4 +33,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/cloudformation/cloudformation_outputs_find_secrets/cloudformation_outputs_find_secrets.metadata.json

@@ -23,7 +23,9 @@
       "Url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "secrets"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"

providers/aws/services/cloudfront/cloudfront_distributions_https_enabled/cloudfront_distributions_https_enabled.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/cloudfront/cloudfront_distributions_logging_enabled/cloudfront_distributions_logging_enabled.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Logging and Monitoring"
-}
+}

providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled.metadata.json

@@ -27,7 +27,9 @@
       "Url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -35,4 +37,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/cloudtrail/cloudtrail_kms_encryption_enabled/cloudtrail_kms_encryption_enabled.metadata.json

@@ -27,7 +27,9 @@
       "Url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -35,4 +37,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/cloudtrail/cloudtrail_log_file_validation_enabled/cloudtrail_log_file_validation_enabled.metadata.json

@@ -27,7 +27,9 @@
       "Url": "http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-filevalidation-enabling.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -35,4 +37,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.metadata.json

@@ -27,7 +27,9 @@
       "Url": "https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -35,4 +37,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.metadata.json

@@ -27,7 +27,9 @@
       "Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -35,4 +37,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled.metadata.json

@@ -27,7 +27,9 @@
       "Url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -35,4 +37,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_ami_public/ec2_ami_public.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingsharedamis-finding.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_elastic_ip_shodan/ec2_elastic_ip_shodan.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://www.shodan.io/"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_instance_internet_facing_with_instance_profile/ec2_instance_internet_facing_with_instance_profile.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_instance_public_ip/ec2_instance_public_ip.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_instance_secrets_user_data/ec2_instance_secrets_user_data.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_basic.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "secrets"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"

providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port.metadata.json

@@ -27,7 +27,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -35,4 +37,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Infrastructure Security"
-}
+}

providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_securitygroup_allow_wide_open_public_ipv4/ec2_securitygroup_allow_wide_open_public_ipv4.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ec2/ec2_securitygroup_in_use_without_ingress_filtering/ec2_securitygroup_in_use_without_ingress_filtering.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.metadata.json

@@ -26,7 +26,9 @@
       "Url": "https://docs.aws.amazon.com/AmazonECR/latest/public/security_iam_service-with-iam.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -34,4 +36,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.metadata.json

@@ -27,7 +27,9 @@
       "Url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "secrets"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"

providers/aws/services/eks/eks_control_plane_endpoint_access_restricted/eks_control_plane_endpoint_access_restricted.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/eks/latest/userguide/logging-monitoring.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/eks/eks_endpoints_not_publicly_accessible/eks_endpoints_not_publicly_accessible.metadata.json

@@ -27,7 +27,9 @@
       "Url": "https://docs.aws.amazon.com/eks/latest/userguide/infrastructure-security.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -35,4 +37,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/elb/elb_logging_enabled/elb_logging_enabled.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/elbv2/elbv2_internet_facing/elbv2_internet_facing.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.metadata.json

@@ -23,7 +23,9 @@
       "Url": "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -31,4 +33,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/kms/kms_key_not_publicly_accessible/kms_key_not_publicly_accessible.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/kms/latest/developerguide/determining-access.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/macie/macie_is_enabled/macie_is_enabled.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://aws.amazon.com/macie/getting-started/"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/opensearch/opensearch_service_domains_audit_logging_enabled/opensearch_service_domains_audit_logging_enabled.metadata.json

@@ -26,7 +26,9 @@
       "Url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/audit-logs.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -34,4 +36,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/opensearch/opensearch_service_domains_cloudwatch_logging_enabled/opensearch_service_domains_cloudwatch_logging_enabled.metadata.json

@@ -26,7 +26,9 @@
       "Url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createdomain-configure-slow-logs.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -34,4 +36,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/opensearch/opensearch_service_domains_not_publicly_accessible/opensearch_service_domains_not_publicly_accessible.metadata.json

@@ -26,7 +26,9 @@
       "Url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -34,4 +36,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access.metadata.json

@@ -23,7 +23,9 @@
       "Url": "https://docs.amazonaws.cn/en_us/config/latest/developerguide/rds-instance-public-access-check.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -31,4 +33,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/rds/rds_snapshots_public_access/rds_snapshots_public_access.metadata.json

@@ -23,7 +23,9 @@
       "Url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -31,4 +33,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/redshift/redshift_cluster_audit_logging/redshift_cluster_audit_logging.metadata.json

@@ -23,7 +23,9 @@
       "Url": "https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -31,4 +33,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/route53/route53_public_hosted_zones_cloudwatch_logging_enabled/route53_public_hosted_zones_cloudwatch_logging_enabled.metadata.json

@@ -23,7 +23,9 @@
       "Url": "https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/monitoring-hosted-zones-with-cloudwatch.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -31,4 +33,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/s3/s3_bucket_policy_public_write_access/s3_bucket_policy_public_write_access.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/s3/s3_bucket_public_access/s3_bucket_public_access.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/s3/s3_bucket_server_access_logging_enabled/s3_bucket_server_access_logging_enabled.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/sagemaker/sagemaker_notebook_instance_without_direct_internet_access_configured/sagemaker_notebook_instance_without_direct_internet_access_configured.metadata.json

@@ -23,7 +23,9 @@
       "Url": "https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -31,4 +33,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible.metadata.json

@@ -23,7 +23,9 @@
       "Url": "https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -31,4 +33,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible.metadata.json

@@ -23,7 +23,9 @@
       "Url": "https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -31,4 +33,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/ssm/ssm_document_secrets/ssm_document_secrets.metadata.json

@@ -23,7 +23,9 @@
       "Url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "secrets"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"

providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "trustboundaries"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/vpc/vpc_endpoint_services_allowed_principals_trust_boundaries/vpc_endpoint_services_allowed_principals_trust_boundaries.metadata.json

@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "trustboundaries"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.metadata.json

@@ -25,7 +25,9 @@
       "Url": "http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "forensics-ready"
+  ],
   "Tags": {
     "Tag1Key": "value",
     "Tag2Key": "value"
@@ -33,4 +35,4 @@
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
-}
+}

prowler

@@ -16,11 +16,11 @@ from lib.check.check import (
     bulk_load_checks_metadata,
     bulk_load_compliance_frameworks,
     exclude_checks_to_run,
-    exclude_groups_to_run,
     exclude_services_to_run,
     execute_checks,
-    list_groups,
+    list_categories,
     list_services,
+    print_categories,
     print_checks,
     print_compliance_frameworks,
     print_compliance_requirements,
@@ -60,7 +60,6 @@ if __name__ == "__main__":
     group.add_argument("-c", "--checks", nargs="+", help="List of checks")
     group.add_argument("-C", "--checks-file", nargs="?", help="List of checks")
     group.add_argument("-s", "--services", nargs="+", help="List of services")
-    group.add_argument("-g", "--groups", nargs="+", help="List of groups")
     group.add_argument(
         "--severity",
         nargs="+",
@@ -73,9 +72,10 @@ if __name__ == "__main__":
         help="Compliance Framework to check against for. The format should be the following: framework_version_provider (e.g.: ens_rd2022_aws)",
         choices=["ens_rd2022_aws"],
     )
+    group.add_argument("--categories", nargs="+", help="List of categories", default=[])
+
     # Exclude checks options
     parser.add_argument("-e", "--excluded-checks", nargs="+", help="Checks to exclude")
-    parser.add_argument("-E", "--excluded-groups", nargs="+", help="Groups to exclude")
     parser.add_argument("--excluded-services", nargs="+", help="Services to exclude")
     # List checks options
     list_group = parser.add_mutually_exclusive_group()
@@ -97,6 +97,12 @@ if __name__ == "__main__":
         help="List compliance requirements for a given requirement",
         choices=["ens_rd2022_aws"],
     )
+    list_group.add_argument(
+        "--list-categories",
+        action="store_true",
+        help="List the available check's categories",
+    )
+
     parser.add_argument(
         "-b", "--no-banner", action="store_false", help="Hide Prowler banner"
     )
@@ -229,10 +235,9 @@ if __name__ == "__main__":
     provider = args.provider
     checks = args.checks
     excluded_checks = args.excluded_checks
-    excluded_groups = args.excluded_groups
     excluded_services = args.excluded_services
     services = args.services
-    groups = args.groups
+    categories = args.categories
     checks_file = args.checks_file
     output_directory = args.output_directory
     output_filename = args.output_filename
@@ -262,10 +267,6 @@ if __name__ == "__main__":
     if args.no_banner:
         print_banner(args)
 
-    if args.list_groups:
-        list_groups(provider)
-        sys.exit()
-
     if args.list_services:
         print_services(list_services(provider))
         sys.exit()
@@ -276,6 +277,11 @@ if __name__ == "__main__":
     # Load checks metadata
     logger.debug("Loading checks metadata from .metadata.json files")
     bulk_checks_metadata = bulk_load_checks_metadata(provider)
+
+    if args.list_categories:
+        print_categories(list_categories(provider, bulk_checks_metadata))
+        sys.exit()
+
     bulk_compliance_frameworks = {}
     # Load compliance frameworks
     logger.debug("Loading compliance frameworks from .json files")
@@ -308,9 +314,9 @@ if __name__ == "__main__":
         checks_file,
         checks,
         services,
-        groups,
         severities,
         compliance_framework,
+        categories,
         provider,
     )
 
@@ -318,12 +324,6 @@ if __name__ == "__main__":
     if excluded_checks:
         checks_to_execute = exclude_checks_to_run(checks_to_execute, excluded_checks)
 
-    # Exclude groups if -g/--excluded-groups
-    if excluded_groups:
-        checks_to_execute = exclude_groups_to_run(
-            checks_to_execute, excluded_groups, provider
-        )
-
     # Exclude services if -s/--excluded-services
     if excluded_services:
         checks_to_execute = exclude_services_to_run(