feat(compliance): Loader and Execute (#1465)

providers/aws/services/accessanalyzer/accessanalyzer_enabled_without_findings/accessanalyzer_enabled_without_findings.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "accessanalyzer_enabled_without_findings",
   "CheckTitle": "Check if IAM Access Analyzer is enabled without findings",
-  "CheckType": ["IAM"],
+  "CheckType": [
+    "IAM"
+  ],
   "ServiceName": "accessanalyzer",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:access-analyzer:region:account-id:analyzer/resource-id",
@@ -30,13 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": [
-    {
-      "Framework": "CIS-AWS",
-      "Version": "1.4",
-      "Control": [ "1.20" ],
-      "Group": [ "level1" ]
-    }
-  ]
+  "Notes": ""
 }

providers/aws/services/accessanalyzer/accessanalyzer_enabled_without_findings/accessanalyzer_enabled_without_findings.py

@@ -8,7 +8,7 @@ class accessanalyzer_enabled_without_findings(Check):
     def execute(self):
         findings = []
         for analyzer in accessanalyzer_client.analyzers:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = analyzer.region
             if analyzer.status == "ACTIVE":
                 if analyzer.findings_count > 0:

providers/aws/services/account/account_maintain_current_contact_details/account_maintain_current_contact_details.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "account_maintain_current_contact_details",
   "CheckTitle": "Maintain current contact details.",
-  "CheckType": ["IAM"],
+  "CheckType": [
+    "IAM"
+  ],
   "ServiceName": "account",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:access-recorder:region:account-id:recorder/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/account/account_maintain_current_contact_details/account_maintain_current_contact_details.py

@@ -6,7 +6,7 @@ from providers.aws.services.account.account_client import account_client
 
 class account_maintain_current_contact_details(Check):
     def execute(self):
-        report = Check_Report(self.metadata)
+        report = Check_Report(self.metadata())
         report.region = account_client.region
         report.resource_id = account_client.audited_account
         report.status = "INFO"

providers/aws/services/account/account_security_contact_information_is_registered/account_security_contact_information_is_registered.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "account_security_contact_information_is_registered",
   "CheckTitle": "Ensure security contact information is registered.",
-  "CheckType": ["IAM"],
+  "CheckType": [
+    "IAM"
+  ],
   "ServiceName": "account",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:access-recorder:region:account-id:recorder/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/account/account_security_contact_information_is_registered/account_security_contact_information_is_registered.py

@@ -6,7 +6,7 @@ from providers.aws.services.account.account_client import account_client
 
 class account_security_contact_information_is_registered(Check):
     def execute(self):
-        report = Check_Report(self.metadata)
+        report = Check_Report(self.metadata())
         report.region = account_client.region
         report.resource_id = account_client.audited_account
         report.status = "INFO"

providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account/account_security_questions_are_registered_in_the_aws_account.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "account_security_questions_are_registered_in_the_aws_account",
   "CheckTitle": "Ensure security questions are registered in the AWS account.",
-  "CheckType": ["IAM"],
+  "CheckType": [
+    "IAM"
+  ],
   "ServiceName": "account",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:access-recorder:region:account-id:recorder/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account/account_security_questions_are_registered_in_the_aws_account.py

@@ -6,7 +6,7 @@ from providers.aws.services.account.account_client import account_client
 
 class account_security_questions_are_registered_in_the_aws_account(Check):
     def execute(self):
-        report = Check_Report(self.metadata)
+        report = Check_Report(self.metadata())
         report.region = account_client.region
         report.resource_id = account_client.audited_account
         report.status = "INFO"

providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "acm_certificates_expiration_check",
   "CheckTitle": "Check if ACM Certificates are about to expire in specific days or less",
-  "CheckType": ["Data Protection"],
+  "CheckType": [
+    "Data Protection"
+  ],
   "ServiceName": "acm",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:acm:region:account-id:certificate/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py

@@ -8,7 +8,7 @@ class acm_certificates_expiration_check(Check):
     def execute(self):
         findings = []
         for certificate in acm_client.certificates:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = certificate.region
             if certificate.expiration_days > DAYS_TO_EXPIRE_THRESHOLD:
                 report.status = "PASS"

providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "acm_certificates_transparency_logs_enabled",
   "CheckTitle": "Check if ACM certificates have Certificate Transparency logging enabled",
-  "CheckType": ["Logging and Monitoring"],
+  "CheckType": [
+    "Logging and Monitoring"
+  ],
   "ServiceName": "acm",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:acm:region:account-id:certificate/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.py

@@ -6,7 +6,7 @@ class acm_certificates_transparency_logs_enabled(Check):
     def execute(self):
         findings = []
         for certificate in acm_client.certificates:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = certificate.region
             if certificate.type == "IMPORTED":
                 report.status = "PASS"

providers/aws/services/apigateway/apigateway_authorizers_enabled/apigateway_authorizers_enabled.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "apigateway_authorizers_enabled",
   "CheckTitle": "Check if API Gateway has configured authorizers.",
-  "CheckType": ["IAM"],
+  "CheckType": [
+    "IAM"
+  ],
   "ServiceName": "apigateway",
   "SubServiceName": "rest_api",
   "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/apigateway/apigateway_authorizers_enabled/apigateway_authorizers_enabled.py

@@ -6,7 +6,7 @@ class apigateway_authorizers_enabled(Check):
     def execute(self):
         findings = []
         for rest_api in apigateway_client.rest_apis:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = rest_api.region
             if rest_api.authorizer:
                 report.status = "PASS"

providers/aws/services/apigateway/apigateway_client_certificate_enabled/apigateway_client_certificate_enabled.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "apigateway_client_certificate_enabled",
   "CheckTitle": "Check if API Gateway has client certificate enabled to access your backend endpoint.",
-  "CheckType": ["Data Protection"],
+  "CheckType": [
+    "Data Protection"
+  ],
   "ServiceName": "apigateway",
   "SubServiceName": "rest_api",
   "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/apigateway/apigateway_client_certificate_enabled/apigateway_client_certificate_enabled.py

@@ -7,7 +7,7 @@ class apigateway_client_certificate_enabled(Check):
         findings = []
         for rest_api in apigateway_client.rest_apis:
             for stage in rest_api.stages:
-                report = Check_Report(self.metadata)
+                report = Check_Report(self.metadata())
                 if stage.client_certificate:
                     report.status = "PASS"
                     report.status_extended = f"API Gateway {rest_api.name} ID {rest_api.id} in stage {stage.name} has client certificate enabled."

providers/aws/services/apigateway/apigateway_endpoint_public/apigateway_endpoint_public.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "apigateway_endpoint_public",
   "CheckTitle": "Check if API Gateway endpoint is public or private.",
-  "CheckType": ["Infrastructure Security"],
+  "CheckType": [
+    "Infrastructure Security"
+  ],
   "ServiceName": "apigateway",
   "SubServiceName": "rest_api",
   "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/apigateway/apigateway_endpoint_public/apigateway_endpoint_public.py

@@ -6,7 +6,7 @@ class apigateway_endpoint_public(Check):
     def execute(self):
         findings = []
         for rest_api in apigateway_client.rest_apis:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = rest_api.region
             if rest_api.public_endpoint:
                 report.status = "FAIL"

providers/aws/services/apigateway/apigateway_logging_enabled/apigateway_logging_enabled.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "apigateway_logging_enabled",
   "CheckTitle": "Check if API Gateway has logging enabled.",
-  "CheckType": ["Logging and Monitoring"],
+  "CheckType": [
+    "Logging and Monitoring"
+  ],
   "ServiceName": "apigateway",
   "SubServiceName": "rest_api",
   "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/apigateway/apigateway_logging_enabled/apigateway_logging_enabled.py

@@ -6,7 +6,7 @@ class apigateway_logging_enabled(Check):
     def execute(self):
         findings = []
         for rest_api in apigateway_client.rest_apis:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = rest_api.region
             for stage in rest_api.stages:
                 if stage.logging:

providers/aws/services/apigateway/apigateway_waf_acl_attached/apigateway_waf_acl_attached.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "apigateway_waf_acl_attached",
   "CheckTitle": "Check if API Gateway has a WAF ACL attached.",
-  "CheckType": ["Infrastructure Security"],
+  "CheckType": [
+    "Infrastructure Security"
+  ],
   "ServiceName": "apigateway",
   "SubServiceName": "rest_api",
   "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/apigateway/apigateway_waf_acl_attached/apigateway_waf_acl_attached.py

@@ -6,7 +6,7 @@ class apigateway_waf_acl_attached(Check):
     def execute(self):
         findings = []
         for rest_api in apigateway_client.rest_apis:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = rest_api.region
             for stage in rest_api.stages:
                 if stage.waf:

providers/aws/services/apigatewayv2/apigatewayv2_access_logging_enabled/apigatewayv2_access_logging_enabled.metadata.json

@@ -1,8 +1,10 @@
 {
   "Provider": "aws",
-  "CheckID": "apigatewayv2_authorizers_enabled",
+  "CheckID": "apigatewayv2_access_logging_enabled",
   "CheckTitle": "Check if API Gateway V2 has configured authorizers.",
-  "CheckType": ["IAM"],
+  "CheckType": [
+    "IAM"
+  ],
   "ServiceName": "apigateway",
   "SubServiceName": "rest_api",
   "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/apigatewayv2/apigatewayv2_access_logging_enabled/apigatewayv2_access_logging_enabled.py

@@ -6,7 +6,7 @@ class apigatewayv2_access_logging_enabled(Check):
     def execute(self):
         findings = []
         for api in apigatewayv2_client.apis:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = api.region
             for stage in api.stages:
                 if stage.logging:

providers/aws/services/apigatewayv2/apigatewayv2_authorizers_enabled/apigatewayv2_authorizers_enabled.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "apigatewayv2_authorizers_enabled",
   "CheckTitle": "Checks if API Gateway V2 has Access Logging enabled.",
-  "CheckType": ["Logging and Monitoring"],
+  "CheckType": [
+    "Logging and Monitoring"
+  ],
   "ServiceName": "apigateway",
   "SubServiceName": "api",
   "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/apigatewayv2/apigatewayv2_authorizers_enabled/apigatewayv2_authorizers_enabled.py

@@ -6,7 +6,7 @@ class apigatewayv2_authorizers_enabled(Check):
     def execute(self):
         findings = []
         for api in apigatewayv2_client.apis:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = api.region
             if api.authorizer:
                 report.status = "PASS"

providers/aws/services/appstream/appstream_fleet_default_internet_access_disabled/appstream_fleet_default_internet_access_disabled.metadata.json

@@ -1,36 +1,38 @@
 {
-    "Provider": "aws",
-    "CheckID": "appstream_fleet_default_internet_access_disabled",
-    "CheckTitle": "Ensure default Internet Access from your Amazon AppStream fleet streaming instances should remain unchecked.",
-    "CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards", "CIS AWS Foundations Benchmark"],
-    "ServiceName": "appstream",
-    "SubServiceName": "",
-    "ResourceIdTemplate": "arn:partition:appstream:region:account-id:fleet/resource-id",
-    "Severity": "medium",
-    "ResourceType": "AppStream",
-    "Description": "Ensure default Internet Access from your Amazon AppStream fleet streaming instances should remain unchecked.",
-    "Risk": "Default Internet Access from your fleet streaming instances should be controlled using a NAT gateway in the VPC.",
-    "RelatedUrl": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html",
-    "Remediation": {
-      "Code": {
-        "CLI": "",
-        "NativeIaC": "",
-        "Other": "",
-        "Terraform": ""
-      },
-      "Recommendation": {
-        "Text": "Uncheck the default internet access for the AppStream Fleet.",
-        "Url": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html"
-      }
+  "Provider": "aws",
+  "CheckID": "appstream_fleet_default_internet_access_disabled",
+  "CheckTitle": "Ensure default Internet Access from your Amazon AppStream fleet streaming instances should remain unchecked.",
+  "CheckType": [
+    "Software and Configuration Checks",
+    "Industry and Regulatory Standards",
+    "CIS AWS Foundations Benchmark"
+  ],
+  "ServiceName": "appstream",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:appstream:region:account-id:fleet/resource-id",
+  "Severity": "medium",
+  "ResourceType": "AppStream",
+  "Description": "Ensure default Internet Access from your Amazon AppStream fleet streaming instances should remain unchecked.",
+  "Risk": "Default Internet Access from your fleet streaming instances should be controlled using a NAT gateway in the VPC.",
+  "RelatedUrl": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
     },
-    "Categories": [],
-    "Tags": {
-      "Tag1Key": "value",
-      "Tag2Key": "value"
-    },
-    "DependsOn": [],
-    "RelatedTo": [],
-    "Notes": "Infrastructure Security",
-    "Compliance": []
-  }
-
+    "Recommendation": {
+      "Text": "Uncheck the default internet access for the AppStream Fleet.",
+      "Url": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Infrastructure Security"
+}

providers/aws/services/appstream/appstream_fleet_default_internet_access_disabled/appstream_fleet_default_internet_access_disabled.py

@@ -10,7 +10,7 @@ class appstream_fleet_default_internet_access_disabled(Check):
         """Execute the appstream_fleet_default_internet_access_disabled check"""
         findings = []
         for fleet in appstream_client.fleets:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = fleet.region
             report.resource_id = fleet.name
             report.resource_arn = fleet.arn

providers/aws/services/appstream/appstream_fleet_maximum_session_duration/appstream_fleet_maximum_session_duration.metadata.json

@@ -1,36 +1,36 @@
 {
-    "Provider": "aws",
-    "CheckID": "appstream_fleet_maximum_session_duration",
-    "CheckTitle": "Ensure user maximum session duration is no longer than 10 hours.",
-    "CheckType": ["Infrastructure Security"],
-    "ServiceName": "appstream",
-    "SubServiceName": "",
-    "ResourceIdTemplate": "arn:partition:appstream:region:account-id:fleet/resource-id",
-    "Severity": "medium",
-    "ResourceType": "AppStream",
-    "Description": "Ensure user maximum session duration is no longer than 10 hours.",
-    "Risk": "Having a session duration lasting longer than 10 hours should not be necessary and if running for any malicious reasons provides a greater time for usage than should be allowed.",
-    "RelatedUrl": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html",
-    "Remediation": {
-      "Code": {
-        "CLI": "",
-        "NativeIaC": "",
-        "Other": "",
-        "Terraform": ""
-      },
-      "Recommendation": {
-        "Text": "Change the Maximum session duration is set to 600 minutes or less for the AppStream Fleet.",
-        "Url": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html"
-      }
+  "Provider": "aws",
+  "CheckID": "appstream_fleet_maximum_session_duration",
+  "CheckTitle": "Ensure user maximum session duration is no longer than 10 hours.",
+  "CheckType": [
+    "Infrastructure Security"
+  ],
+  "ServiceName": "appstream",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:appstream:region:account-id:fleet/resource-id",
+  "Severity": "medium",
+  "ResourceType": "AppStream",
+  "Description": "Ensure user maximum session duration is no longer than 10 hours.",
+  "Risk": "Having a session duration lasting longer than 10 hours should not be necessary and if running for any malicious reasons provides a greater time for usage than should be allowed.",
+  "RelatedUrl": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
     },
-    "Categories": [],
-    "Tags": {
-      "Tag1Key": "value",
-      "Tag2Key": "value"
-    },
-    "DependsOn": [],
-    "RelatedTo": [],
-    "Notes": "Infrastructure Security",
-    "Compliance": []
-  }
-
+    "Recommendation": {
+      "Text": "Change the Maximum session duration is set to 600 minutes or less for the AppStream Fleet.",
+      "Url": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Infrastructure Security"
+}

providers/aws/services/appstream/appstream_fleet_maximum_session_duration/appstream_fleet_maximum_session_duration.py

@@ -13,7 +13,7 @@ class appstream_fleet_maximum_session_duration(Check):
         """Execute the appstream_fleet_maximum_session_duration check"""
         findings = []
         for fleet in appstream_client.fleets:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = fleet.region
             report.resource_id = fleet.name
             report.resource_arn = fleet.arn

providers/aws/services/appstream/appstream_fleet_session_disconnect_timeout/appstream_fleet_session_disconnect_timeout.metadata.json

@@ -1,36 +1,38 @@
 {
-    "Provider": "aws",
-    "CheckID": "appstream_fleet_session_disconnect_timeout",
-    "CheckTitle": "Ensure session disconnect timeout is set to 5 minutes or lesss.",
-    "CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards", "CIS AWS Foundations Benchmark"],
-    "ServiceName": "appstream",
-    "SubServiceName": "",
-    "ResourceIdTemplate": "arn:partition:appstream:region:account-id:fleet/resource-id",
-    "Severity": "medium",
-    "ResourceType": "AppStream",
-    "Description": "Ensure session disconnect timeout is set to 5 minutes or less",
-    "Risk": "Disconnect timeout in minutes, is the amount of of time that a streaming session remains active after users disconnect.",
-    "RelatedUrl": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html",
-    "Remediation": {
-      "Code": {
-        "CLI": "",
-        "NativeIaC": "",
-        "Other": "",
-        "Terraform": ""
-      },
-      "Recommendation": {
-        "Text": "Change the Disconnect timeout to 5 minutes or less for the AppStream Fleet.",
-        "Url": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html"
-      }
+  "Provider": "aws",
+  "CheckID": "appstream_fleet_session_disconnect_timeout",
+  "CheckTitle": "Ensure session disconnect timeout is set to 5 minutes or lesss.",
+  "CheckType": [
+    "Software and Configuration Checks",
+    "Industry and Regulatory Standards",
+    "CIS AWS Foundations Benchmark"
+  ],
+  "ServiceName": "appstream",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:appstream:region:account-id:fleet/resource-id",
+  "Severity": "medium",
+  "ResourceType": "AppStream",
+  "Description": "Ensure session disconnect timeout is set to 5 minutes or less",
+  "Risk": "Disconnect timeout in minutes, is the amount of of time that a streaming session remains active after users disconnect.",
+  "RelatedUrl": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
     },
-    "Categories": [],
-    "Tags": {
-      "Tag1Key": "value",
-      "Tag2Key": "value"
-    },
-    "DependsOn": [],
-    "RelatedTo": [],
-    "Notes": "Infrastructure Security",
-    "Compliance": []
-  }
-
+    "Recommendation": {
+      "Text": "Change the Disconnect timeout to 5 minutes or less for the AppStream Fleet.",
+      "Url": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Infrastructure Security"
+}

providers/aws/services/appstream/appstream_fleet_session_disconnect_timeout/appstream_fleet_session_disconnect_timeout.py

@@ -13,7 +13,7 @@ class appstream_fleet_session_disconnect_timeout(Check):
         """Execute the appstream_fleet_maximum_session_duration check"""
         findings = []
         for fleet in appstream_client.fleets:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = fleet.region
             report.resource_id = fleet.name
             report.resource_arn = fleet.arn

providers/aws/services/appstream/appstream_fleet_session_idle_disconnect_timeout/appstream_fleet_session_idle_disconnect_timeout.metadata.json

@@ -1,36 +1,38 @@
 {
-    "Provider": "aws",
-    "CheckID": "appstream_fleet_session_disconnect_timeout",
-    "CheckTitle": "Ensure session idle disconnect timeout is set to 10 minutes or less.",
-    "CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards", "CIS AWS Foundations Benchmark"],
-    "ServiceName": "appstream",
-    "SubServiceName": "",
-    "ResourceIdTemplate": "arn:partition:appstream:region:account-id:fleet/resource-id",
-    "Severity": "medium",
-    "ResourceType": "AppStream",
-    "Description": "Ensure session idle disconnect timeout is set to 10 minutes or less.",
-    "Risk": "Idle disconnect timeout in minutes is the amount of time that users can be inactive before they are disconnected from their streaming session and the Disconnect timeout in minutes time begins.",
-    "RelatedUrl": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html",
-    "Remediation": {
-      "Code": {
-        "CLI": "",
-        "NativeIaC": "",
-        "Other": "",
-        "Terraform": ""
-      },
-      "Recommendation": {
-        "Text": "Change the session idle timeout to 10 minutes or less for the AppStream Fleet.",
-        "Url": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html"
-      }
+  "Provider": "aws",
+  "CheckID": "appstream_fleet_session_idle_disconnect_timeout",
+  "CheckTitle": "Ensure session idle disconnect timeout is set to 10 minutes or less.",
+  "CheckType": [
+    "Software and Configuration Checks",
+    "Industry and Regulatory Standards",
+    "CIS AWS Foundations Benchmark"
+  ],
+  "ServiceName": "appstream",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:appstream:region:account-id:fleet/resource-id",
+  "Severity": "medium",
+  "ResourceType": "AppStream",
+  "Description": "Ensure session idle disconnect timeout is set to 10 minutes or less.",
+  "Risk": "Idle disconnect timeout in minutes is the amount of time that users can be inactive before they are disconnected from their streaming session and the Disconnect timeout in minutes time begins.",
+  "RelatedUrl": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
     },
-    "Categories": [],
-    "Tags": {
-      "Tag1Key": "value",
-      "Tag2Key": "value"
-    },
-    "DependsOn": [],
-    "RelatedTo": [],
-    "Notes": "Infrastructure Security",
-    "Compliance": []
-  }
-
+    "Recommendation": {
+      "Text": "Change the session idle timeout to 10 minutes or less for the AppStream Fleet.",
+      "Url": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Infrastructure Security"
+}

providers/aws/services/appstream/appstream_fleet_session_idle_disconnect_timeout/appstream_fleet_session_idle_disconnect_timeout.py

@@ -15,7 +15,7 @@ class appstream_fleet_session_idle_disconnect_timeout(Check):
         """Execute the appstream_fleet_session_idle_disconnect_timeout check"""
         findings = []
         for fleet in appstream_client.fleets:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = fleet.region
             report.resource_id = fleet.name
             report.resource_arn = fleet.arn

providers/aws/services/autoscaling/autoscaling_find_secrets_ec2_launch_configuration/autoscaling_find_secrets_ec2_launch_configuration.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "autoscaling_find_secrets_ec2_launch_configuration",
   "CheckTitle": "Find secrets in EC2 Auto Scaling Launch Configuration",
-  "CheckType": ["IAM"],
+  "CheckType": [
+    "IAM"
+  ],
   "ServiceName": "autoscaling",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:access-analyzer:region:account-id:analyzer/resource-id",
@@ -30,7 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": [
-  ]
+  "Notes": ""
 }

providers/aws/services/autoscaling/autoscaling_find_secrets_ec2_launch_configuration/autoscaling_find_secrets_ec2_launch_configuration.py

@@ -13,7 +13,7 @@ class autoscaling_find_secrets_ec2_launch_configuration(Check):
     def execute(self):
         findings = []
         for configuration in autoscaling_client.launch_configurations:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = configuration.region
             report.resource_id = configuration.name
             report.resource_arn = configuration.arn

providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.metadata.json

@@ -30,6 +30,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
-}
+  "Notes": ""
+}

providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py

@@ -7,7 +7,7 @@ class awslambda_function_invoke_api_operations_cloudtrail_logging_enabled(Check)
     def execute(self):
         findings = []
         for function in awslambda_client.functions.values():
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = function.region
             report.resource_id = function.name
             report.resource_arn = function.arn

providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.metadata.json

@@ -30,6 +30,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
-}
+  "Notes": ""
+}

providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.py

@@ -10,7 +10,7 @@ class awslambda_function_no_secrets_in_code(Check):
     def execute(self):
         findings = []
         for function in awslambda_client.functions.values():
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = function.region
             report.resource_id = function.name
             report.resource_arn = function.arn

providers/aws/services/awslambda/awslambda_function_no_secrets_in_variables/awslambda_function_no_secrets_in_variables.metadata.json

@@ -30,6 +30,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
-}
+  "Notes": ""
+}

providers/aws/services/awslambda/awslambda_function_no_secrets_in_variables/awslambda_function_no_secrets_in_variables.py

@@ -11,7 +11,7 @@ class awslambda_function_no_secrets_in_variables(Check):
     def execute(self):
         findings = []
         for function in awslambda_client.functions.values():
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = function.region
             report.resource_id = function.name
             report.resource_arn = function.arn

providers/aws/services/awslambda/awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.metadata.json

@@ -30,6 +30,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
-}
+  "Notes": ""
+}

providers/aws/services/awslambda/awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.py

@@ -6,7 +6,7 @@ class awslambda_function_not_publicly_accessible(Check):
     def execute(self):
         findings = []
         for function in awslambda_client.functions.values():
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = function.region
             report.resource_id = function.name
             report.resource_arn = function.arn

providers/aws/services/awslambda/awslambda_function_url_cors_policy/awslambda_function_url_cors_policy.metadata.json

@@ -30,6 +30,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
-}
+  "Notes": ""
+}

providers/aws/services/awslambda/awslambda_function_url_cors_policy/awslambda_function_url_cors_policy.py

@@ -6,7 +6,7 @@ class awslambda_function_url_cors_policy(Check):
     def execute(self):
         findings = []
         for function in awslambda_client.functions.values():
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = function.region
             report.resource_id = function.name
             report.resource_arn = function.arn

providers/aws/services/awslambda/awslambda_function_url_public/awslambda_function_url_public.metadata.json

@@ -30,6 +30,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
-}
+  "Notes": ""
+}

providers/aws/services/awslambda/awslambda_function_url_public/awslambda_function_url_public.py

@@ -8,7 +8,7 @@ class awslambda_function_url_public(Check):
     def execute(self):
         findings = []
         for function in awslambda_client.functions.values():
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = function.region
             report.resource_id = function.name
             report.resource_arn = function.arn

providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.metadata.json

@@ -30,6 +30,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
-}
+  "Notes": ""
+}

providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.py

@@ -7,7 +7,7 @@ class awslambda_function_using_supported_runtimes(Check):
     def execute(self):
         findings = []
         for function in awslambda_client.functions.values():
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = function.region
             report.resource_id = function.name
             report.resource_arn = function.arn

providers/aws/services/cloudformation/cloudformation_outputs_find_secrets/cloudformation_outputs_find_secrets.metadata.json

@@ -30,6 +30,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "Infrastructure Protection",
-  "Compliance": []
+  "Notes": "Infrastructure Protection"
 }

providers/aws/services/cloudformation/cloudformation_outputs_find_secrets/cloudformation_outputs_find_secrets.py

@@ -17,7 +17,7 @@ class cloudformation_outputs_find_secrets(Check):
         """Execute the cloudformation_outputs_find_secrets check"""
         findings = []
         for stack in cloudformation_client.stacks:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = stack.region
             report.resource_id = stack.name
             report.resource_arn = stack.arn

providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled.metadata.json

@@ -30,6 +30,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "Infrastructure Protection",
-  "Compliance": []
+  "Notes": "Infrastructure Protection"
 }

providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled.py

@@ -12,7 +12,7 @@ class cloudformation_stacks_termination_protection_enabled(Check):
         findings = []
         for stack in cloudformation_client.stacks:
             if not stack.is_nested_stack:
-                report = Check_Report(self.metadata)
+                report = Check_Report(self.metadata())
                 report.region = stack.region
                 report.resource_id = stack.name
                 report.resource_arn = stack.arn

providers/aws/services/cloudfront/cloudfront_distributions_field_level_encryption_enabled/cloudfront_distributions_field_level_encryption_enabled.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "cloudfront_distributions_field_level_encryption_enabled",
   "CheckTitle": "Check if CloudFront distributions have Field Level Encryption enabled.",
-  "CheckType": [""],
+  "CheckType": [
+    ""
+  ],
   "ServiceName": "cloudfront",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:cloudfront:region:account-id:distribution/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "Data Protection",
-  "Compliance": []
+  "Notes": "Data Protection"
 }

providers/aws/services/cloudfront/cloudfront_distributions_field_level_encryption_enabled/cloudfront_distributions_field_level_encryption_enabled.py

@@ -6,7 +6,7 @@ class cloudfront_distributions_field_level_encryption_enabled(Check):
     def execute(self):
         findings = []
         for distribution in cloudfront_client.distributions.values():
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = distribution.region
             report.resource_arn = distribution.arn
             report.resource_id = distribution.id

providers/aws/services/cloudfront/cloudfront_distributions_geo_restrictions_enabled/cloudfront_distributions_geo_restrictions_enabled.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "cloudfront_distributions_geo_restrictions_enabled",
   "CheckTitle": "Check if Geo restrictions are enabled in CloudFront distributions.",
-  "CheckType": [""],
+  "CheckType": [
+    ""
+  ],
   "ServiceName": "cloudfront",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:cloudfront:region:account-id:distribution/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "Infrastructure Security",
-  "Compliance": []
+  "Notes": "Infrastructure Security"
 }

providers/aws/services/cloudfront/cloudfront_distributions_geo_restrictions_enabled/cloudfront_distributions_geo_restrictions_enabled.py

@@ -7,7 +7,7 @@ class cloudfront_distributions_geo_restrictions_enabled(Check):
     def execute(self):
         findings = []
         for distribution in cloudfront_client.distributions.values():
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = distribution.region
             report.resource_arn = distribution.arn
             report.resource_id = distribution.id

providers/aws/services/cloudfront/cloudfront_distributions_https_enabled/cloudfront_distributions_https_enabled.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "cloudfront_distributions_https_enabled",
   "CheckTitle": "Check if CloudFront distributions are set to HTTPS.",
-  "CheckType": [""],
+  "CheckType": [
+    ""
+  ],
   "ServiceName": "cloudfront",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:cloudfront:region:account-id:distribution/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/cloudfront/cloudfront_distributions_https_enabled/cloudfront_distributions_https_enabled.py

@@ -7,7 +7,7 @@ class cloudfront_distributions_https_enabled(Check):
     def execute(self):
         findings = []
         for distribution in cloudfront_client.distributions.values():
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = distribution.region
             report.resource_arn = distribution.arn
             report.resource_id = distribution.id

providers/aws/services/cloudfront/cloudfront_distributions_logging_enabled/cloudfront_distributions_logging_enabled.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "cloudfront_distributions_logging_enabled",
   "CheckTitle": "Check if CloudFront distributions have logging enabled.",
-  "CheckType": [""],
+  "CheckType": [
+    ""
+  ],
   "ServiceName": "cloudfront",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:cloudfront:region:account-id:distribution/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "Logging and Monitoring",
-  "Compliance": []
+  "Notes": "Logging and Monitoring"
 }

providers/aws/services/cloudfront/cloudfront_distributions_logging_enabled/cloudfront_distributions_logging_enabled.py

@@ -6,7 +6,7 @@ class cloudfront_distributions_logging_enabled(Check):
     def execute(self):
         findings = []
         for distribution in cloudfront_client.distributions.values():
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = distribution.region
             report.resource_arn = distribution.arn
             report.resource_id = distribution.id

providers/aws/services/cloudfront/cloudfront_distributions_using_deprecated_ssl_protocols/cloudfront_distributions_using_deprecated_ssl_protocols.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "cloudfront_distributions_using_deprecated_ssl_protocols",
   "CheckTitle": "Check if CloudFront distributions are using deprecated SSL protocols.",
-  "CheckType": [""],
+  "CheckType": [
+    ""
+  ],
   "ServiceName": "cloudfront",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:cloudfront:region:account-id:distribution/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/cloudfront/cloudfront_distributions_using_deprecated_ssl_protocols/cloudfront_distributions_using_deprecated_ssl_protocols.py

@@ -7,7 +7,7 @@ class cloudfront_distributions_using_deprecated_ssl_protocols(Check):
     def execute(self):
         findings = []
         for distribution in cloudfront_client.distributions.values():
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = distribution.region
             report.resource_arn = distribution.arn
             report.resource_id = distribution.id

providers/aws/services/cloudfront/cloudfront_distributions_using_waf/cloudfront_distributions_using_waf.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "cloudfront_distributions_using_waf",
   "CheckTitle": "Check if CloudFront distributions are using WAF.",
-  "CheckType": ["IAM"],
+  "CheckType": [
+    "IAM"
+  ],
   "ServiceName": "cloudfront",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:cloudfront:region:account-id:distribution/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/cloudfront/cloudfront_distributions_using_waf/cloudfront_distributions_using_waf.py

@@ -6,7 +6,7 @@ class cloudfront_distributions_using_waf(Check):
     def execute(self):
         findings = []
         for distribution in cloudfront_client.distributions.values():
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = distribution.region
             report.resource_arn = distribution.arn
             report.resource_id = distribution.id

providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled.metadata.json

@@ -1,35 +1,38 @@
 {
-    "Provider": "aws",
-    "CheckID": "cloudtrail_cloudwatch_logging_enabled",
-    "CheckTitle": "Ensure CloudTrail trails are integrated with CloudWatch Logs",
-    "CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
-    "ServiceName": "cloudtrail",
-    "SubServiceName": "",
-    "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
-    "Severity": "low",
-    "ResourceType": "AwsCloudTrailTrail",
-    "Description": "Ensure CloudTrail trails are integrated with CloudWatch Logs",
-    "Risk": "Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user; API; resource; and IP address; and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.",
-    "RelatedUrl": "",
-    "Remediation": {
-      "Code": {
-        "CLI": "aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-group- arn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>",
-        "NativeIaC": "",
-        "Other": "https://docs.bridgecrew.io/docs/logging_4#aws-console",
-        "Terraform": ""
-      },
-      "Recommendation": {
-        "Text": "Validate that the trails in CloudTrail has an arn set in the CloudWatchLogsLogGroupArn property.",
-        "Url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html"
-      }
+  "Provider": "aws",
+  "CheckID": "cloudtrail_cloudwatch_logging_enabled",
+  "CheckTitle": "Ensure CloudTrail trails are integrated with CloudWatch Logs",
+  "CheckType": [
+    "Software and Configuration Checks",
+    "Industry and Regulatory Standards",
+    "CIS AWS Foundations Benchmark"
+  ],
+  "ServiceName": "cloudtrail",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "low",
+  "ResourceType": "AwsCloudTrailTrail",
+  "Description": "Ensure CloudTrail trails are integrated with CloudWatch Logs",
+  "Risk": "Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user; API; resource; and IP address; and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-group- arn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>",
+      "NativeIaC": "",
+      "Other": "https://docs.bridgecrew.io/docs/logging_4#aws-console",
+      "Terraform": ""
     },
-    "Categories": [],
-    "Tags": {
-      "Tag1Key": "value",
-      "Tag2Key": "value"
-    },
-    "DependsOn": [],
-    "RelatedTo": [],
-    "Notes": "",
-    "Compliance": []
+    "Recommendation": {
+      "Text": "Validate that the trails in CloudTrail has an arn set in the CloudWatchLogsLogGroupArn property.",
+      "Url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
 }

providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled.py

@@ -11,7 +11,7 @@ class cloudtrail_cloudwatch_logging_enabled(Check):
         findings = []
         for trail in cloudtrail_client.trails:
             if trail.name:
-                report = Check_Report(self.metadata)
+                report = Check_Report(self.metadata())
                 report.region = trail.region
                 report.resource_id = trail.name
                 report.resource_arn = trail.arn

providers/aws/services/cloudtrail/cloudtrail_kms_encryption_enabled/cloudtrail_kms_encryption_enabled.metadata.json

@@ -1,35 +1,38 @@
 {
-    "Provider": "aws",
-    "CheckID": "cloudtrail_kms_encryption_enabled",
-    "CheckTitle": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs",
-    "CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
-    "ServiceName": "cloudtrail",
-    "SubServiceName": "",
-    "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
-    "Severity": "medium",
-    "ResourceType": "AwsCloudTrailTrail",
-    "Description": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs",
-    "Risk": "By default; the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable; you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files.",
-    "RelatedUrl": "",
-    "Remediation": {
-      "Code": {
-        "CLI": "aws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key> aws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy>",
-        "NativeIaC": "https://docs.bridgecrew.io/docs/logging_7#fix---buildtime",
-        "Other": "",
-        "Terraform": ""
-      },
-      "Recommendation": {
-        "Text": "This approach has the following advantages: You can create and manage the CMK encryption keys yourself. You can use a single CMK to encrypt and decrypt log files for multiple accounts across all regions. You have control over who can use your key for encrypting and decrypting CloudTrail log files. You can assign permissions for the key to the users. You have enhanced security.",
-        "Url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html"
-      }
+  "Provider": "aws",
+  "CheckID": "cloudtrail_kms_encryption_enabled",
+  "CheckTitle": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs",
+  "CheckType": [
+    "Software and Configuration Checks",
+    "Industry and Regulatory Standards",
+    "CIS AWS Foundations Benchmark"
+  ],
+  "ServiceName": "cloudtrail",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsCloudTrailTrail",
+  "Description": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs",
+  "Risk": "By default; the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable; you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files.",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key> aws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy>",
+      "NativeIaC": "https://docs.bridgecrew.io/docs/logging_7#fix---buildtime",
+      "Other": "",
+      "Terraform": ""
     },
-    "Categories": [],
-    "Tags": {
-      "Tag1Key": "value",
-      "Tag2Key": "value"
-    },
-    "DependsOn": [],
-    "RelatedTo": [],
-    "Notes": "",
-    "Compliance": []
-  }
+    "Recommendation": {
+      "Text": "This approach has the following advantages: You can create and manage the CMK encryption keys yourself. You can use a single CMK to encrypt and decrypt log files for multiple accounts across all regions. You have control over who can use your key for encrypting and decrypting CloudTrail log files. You can assign permissions for the key to the users. You have enhanced security.",
+      "Url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

providers/aws/services/cloudtrail/cloudtrail_kms_encryption_enabled/cloudtrail_kms_encryption_enabled.py

@@ -7,7 +7,7 @@ class cloudtrail_kms_encryption_enabled(Check):
         findings = []
         for trail in cloudtrail_client.trails:
             if trail.name:
-                report = Check_Report(self.metadata)
+                report = Check_Report(self.metadata())
                 report.region = trail.region
                 report.resource_id = trail.name
                 report.resource_arn = trail.arn

providers/aws/services/cloudtrail/cloudtrail_log_file_validation_enabled/cloudtrail_log_file_validation_enabled.metadata.json

@@ -1,35 +1,38 @@
 {
-    "Provider": "aws",
-    "CheckID": "cloudtrail_log_file_validation_enabled",
-    "CheckTitle": "Ensure CloudTrail log file validation is enabled",
-    "CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
-    "ServiceName": "cloudtrail",
-    "SubServiceName": "",
-    "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
-    "Severity": "medium",
-    "ResourceType": "AwsCloudTrailTrail",
-    "Description": "Ensure CloudTrail log file validation is enabled",
-    "Risk": "Enabling log file validation will provide additional integrity checking of CloudTrail logs. ",
-    "RelatedUrl": "",
-    "Remediation": {
-      "Code": {
-        "CLI": "aws cloudtrail update-trail --name <trail_name>  --enable-log-file-validation",
-        "NativeIaC": "https://docs.bridgecrew.io/docs/logging_2#cloudformation",
-        "Other": "",
-        "Terraform": "https://docs.bridgecrew.io/docs/logging_2#terraform"
-      },
-      "Recommendation": {
-        "Text": "Ensure LogFileValidationEnabled is set to true for each trail.",
-        "Url": "http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-filevalidation-enabling.html"
-      }
+  "Provider": "aws",
+  "CheckID": "cloudtrail_log_file_validation_enabled",
+  "CheckTitle": "Ensure CloudTrail log file validation is enabled",
+  "CheckType": [
+    "Software and Configuration Checks",
+    "Industry and Regulatory Standards",
+    "CIS AWS Foundations Benchmark"
+  ],
+  "ServiceName": "cloudtrail",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsCloudTrailTrail",
+  "Description": "Ensure CloudTrail log file validation is enabled",
+  "Risk": "Enabling log file validation will provide additional integrity checking of CloudTrail logs. ",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws cloudtrail update-trail --name <trail_name>  --enable-log-file-validation",
+      "NativeIaC": "https://docs.bridgecrew.io/docs/logging_2#cloudformation",
+      "Other": "",
+      "Terraform": "https://docs.bridgecrew.io/docs/logging_2#terraform"
     },
-    "Categories": [],
-    "Tags": {
-      "Tag1Key": "value",
-      "Tag2Key": "value"
-    },
-    "DependsOn": [],
-    "RelatedTo": [],
-    "Notes": "",
-    "Compliance": []
-  }
+    "Recommendation": {
+      "Text": "Ensure LogFileValidationEnabled is set to true for each trail.",
+      "Url": "http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-filevalidation-enabling.html"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

providers/aws/services/cloudtrail/cloudtrail_log_file_validation_enabled/cloudtrail_log_file_validation_enabled.py

@@ -7,7 +7,7 @@ class cloudtrail_log_file_validation_enabled(Check):
         findings = []
         for trail in cloudtrail_client.trails:
             if trail.name:
-                report = Check_Report(self.metadata)
+                report = Check_Report(self.metadata())
                 report.region = trail.region
                 report.resource_id = trail.name
                 report.resource_arn = trail.arn

providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.metadata.json

@@ -1,35 +1,38 @@
 {
-    "Provider": "aws",
-    "CheckID": "cloudtrail_logs_s3_bucket_access_logging_enabled",
-    "CheckTitle": "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket",
-    "CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
-    "ServiceName": "cloudtrail",
-    "SubServiceName": "",
-    "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
-    "Severity": "medium",
-    "ResourceType": "AwsCloudTrailTrail",
-    "Description": "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket",
-    "Risk": "Server access logs can assist you in security and access audits; help you learn about your customer base; and understand your Amazon S3 bill.",
-    "RelatedUrl": "",
-    "Remediation": {
-      "Code": {
-        "CLI": "",
-        "NativeIaC": "",
-        "Other": "https://docs.bridgecrew.io/docs/logging_6#aws-console",
-        "Terraform": ""
-      },
-      "Recommendation": {
-        "Text": "Ensure that S3 buckets have Logging enabled. CloudTrail data events can be used in place of S3 bucket logging. If that is the case; this finding can be considered a false positive.",
-        "Url": "https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html"
-      }
+  "Provider": "aws",
+  "CheckID": "cloudtrail_logs_s3_bucket_access_logging_enabled",
+  "CheckTitle": "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket",
+  "CheckType": [
+    "Software and Configuration Checks",
+    "Industry and Regulatory Standards",
+    "CIS AWS Foundations Benchmark"
+  ],
+  "ServiceName": "cloudtrail",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsCloudTrailTrail",
+  "Description": "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket",
+  "Risk": "Server access logs can assist you in security and access audits; help you learn about your customer base; and understand your Amazon S3 bill.",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "https://docs.bridgecrew.io/docs/logging_6#aws-console",
+      "Terraform": ""
     },
-    "Categories": [],
-    "Tags": {
-      "Tag1Key": "value",
-      "Tag2Key": "value"
-    },
-    "DependsOn": [],
-    "RelatedTo": [],
-    "Notes": "",
-    "Compliance": []
-  }
+    "Recommendation": {
+      "Text": "Ensure that S3 buckets have Logging enabled. CloudTrail data events can be used in place of S3 bucket logging. If that is the case; this finding can be considered a false positive.",
+      "Url": "https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.py

@@ -9,7 +9,7 @@ class cloudtrail_logs_s3_bucket_access_logging_enabled(Check):
         for trail in cloudtrail_client.trails:
             if trail.name:
                 trail_bucket = trail.s3_bucket
-                report = Check_Report(self.metadata)
+                report = Check_Report(self.metadata())
                 report.region = trail.region
                 report.resource_id = trail.name
                 report.resource_arn = trail.arn

providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.metadata.json

@@ -1,35 +1,38 @@
 {
-    "Provider": "aws",
-    "CheckID": "cloudtrail_logs_s3_bucket_is_not_publicly_accessible",
-    "CheckTitle": "Ensure the S3 bucket CloudTrail logs is not publicly accessible",
-    "CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
-    "ServiceName": "cloudtrail",
-    "SubServiceName": "",
-    "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
-    "Severity": "critical",
-    "ResourceType": "AwsCloudTrailTrail",
-    "Description": "Ensure the S3 bucket CloudTrail logs to is not publicly accessible",
-    "Risk": "Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected accounts use or configuration.",
-    "RelatedUrl": "",
-    "Remediation": {
-      "Code": {
-        "CLI": "",
-        "NativeIaC": "",
-        "Other": "https://docs.bridgecrew.io/docs/logging_3#aws-console",
-        "Terraform": ""
-      },
-      "Recommendation": {
-        "Text": "Analyze Bucket policy to validate appropriate permissions. Ensure the AllUsers principal is not granted privileges. Ensure the AuthenticatedUsers principal is not granted privileges.",
-        "Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html"
-      }
+  "Provider": "aws",
+  "CheckID": "cloudtrail_logs_s3_bucket_is_not_publicly_accessible",
+  "CheckTitle": "Ensure the S3 bucket CloudTrail logs is not publicly accessible",
+  "CheckType": [
+    "Software and Configuration Checks",
+    "Industry and Regulatory Standards",
+    "CIS AWS Foundations Benchmark"
+  ],
+  "ServiceName": "cloudtrail",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "critical",
+  "ResourceType": "AwsCloudTrailTrail",
+  "Description": "Ensure the S3 bucket CloudTrail logs to is not publicly accessible",
+  "Risk": "Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected accounts use or configuration.",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "https://docs.bridgecrew.io/docs/logging_3#aws-console",
+      "Terraform": ""
     },
-    "Categories": [],
-    "Tags": {
-      "Tag1Key": "value",
-      "Tag2Key": "value"
-    },
-    "DependsOn": [],
-    "RelatedTo": [],
-    "Notes": "",
-    "Compliance": []
-  }
+    "Recommendation": {
+      "Text": "Analyze Bucket policy to validate appropriate permissions. Ensure the AllUsers principal is not granted privileges. Ensure the AuthenticatedUsers principal is not granted privileges.",
+      "Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.py

@@ -9,7 +9,7 @@ class cloudtrail_logs_s3_bucket_is_not_publicly_accessible(Check):
         for trail in cloudtrail_client.trails:
             if trail.name:
                 trail_bucket = trail.s3_bucket
-                report = Check_Report(self.metadata)
+                report = Check_Report(self.metadata())
                 report.region = trail.region
                 report.resource_id = trail.name
                 report.resource_arn = trail.arn

providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled.metadata.json

@@ -1,46 +1,38 @@
 {
-    "Provider": "aws",
-    "CheckID": "cloudtrail_multi_region_enabled",
-    "CheckTitle": "Ensure CloudTrail is enabled in all regions",
-    "CheckType": ["Software and Configuration Checks", "Industry and Regulatory Standards" ,"CIS AWS Foundations Benchmark"],
-    "ServiceName": "cloudtrail",
-    "SubServiceName": "",
-    "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
-    "Severity": "high",
-    "ResourceType": "AwsCloudTrailTrail",
-    "Description": "Ensure CloudTrail is enabled in all regions",
-    "Risk": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller; the time of the API call; the source IP address of the API caller; the request parameters; and the response elements returned by the AWS service.",
-    "RelatedUrl": "",
-    "Remediation": {
-      "Code": {
-        "CLI": "aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail ",
-        "NativeIaC": "https://docs.bridgecrew.io/docs/logging_1#cloudformation",
-        "Other": "https://docs.bridgecrew.io/docs/logging_1#aws-console",
-        "Terraform": "https://docs.bridgecrew.io/docs/logging_1#terraform"
-      },
-      "Recommendation": {
-        "Text": "Ensure Logging is set to ON on all regions (even if they are not being used at the moment.",
-        "Url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
-      }
+  "Provider": "aws",
+  "CheckID": "cloudtrail_multi_region_enabled",
+  "CheckTitle": "Ensure CloudTrail is enabled in all regions",
+  "CheckType": [
+    "Software and Configuration Checks",
+    "Industry and Regulatory Standards",
+    "CIS AWS Foundations Benchmark"
+  ],
+  "ServiceName": "cloudtrail",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "high",
+  "ResourceType": "AwsCloudTrailTrail",
+  "Description": "Ensure CloudTrail is enabled in all regions",
+  "Risk": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller; the time of the API call; the source IP address of the API caller; the request parameters; and the response elements returned by the AWS service.",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail ",
+      "NativeIaC": "https://docs.bridgecrew.io/docs/logging_1#cloudformation",
+      "Other": "https://docs.bridgecrew.io/docs/logging_1#aws-console",
+      "Terraform": "https://docs.bridgecrew.io/docs/logging_1#terraform"
     },
-    "Categories": [],
-    "Tags": {
-      "Tag1Key": "value",
-      "Tag2Key": "value"
-    },
-    "DependsOn": [],
-    "RelatedTo": [],
-    "Notes": "",
-    "Compliance": [
-      {
-        "Control": [
-          "2.1"
-        ],
-        "Framework": "CIS-AWS",
-        "Group": [
-          "level1"
-        ],
-        "Version": "1.4"
-      }
-    ]
-  }
+    "Recommendation": {
+      "Text": "Ensure Logging is set to ON on all regions (even if they are not being used at the moment.",
+      "Url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled.py

@@ -7,7 +7,7 @@ class cloudtrail_multi_region_enabled(Check):
         findings = []
         actual_region = None
         for trail in cloudtrail_client.trails:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = trail.region
             if trail.name:  # Check if there are trails in region
                 # Check if region has changed and add report of previous region

providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.metadata.json

@@ -32,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.py

@@ -5,7 +5,7 @@ from providers.aws.services.cloudtrail.cloudtrail_client import cloudtrail_clien
 class cloudtrail_s3_dataevents_read_enabled(Check):
     def execute(self):
         findings = []
-        report = Check_Report(self.metadata)
+        report = Check_Report(self.metadata())
         report.region = cloudtrail_client.region
         report.resource_id = "No trails"
         report.resource_arn = "No trails"

providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.metadata.json

@@ -32,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.py

@@ -5,7 +5,7 @@ from providers.aws.services.cloudtrail.cloudtrail_client import cloudtrail_clien
 class cloudtrail_s3_dataevents_write_enabled(Check):
     def execute(self):
         findings = []
-        report = Check_Report(self.metadata)
+        report = Check_Report(self.metadata())
         report.region = cloudtrail_client.region
         report.resource_id = "No trails"
         report.resource_arn = "No trails"

providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "cloudwatch_changes_to_network_acls_alarm_configured",
   "CheckTitle": "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL).",
-  "CheckType": ["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],
+  "CheckType": [
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+  ],
   "ServiceName": "cloudwatch",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:cloudwatch:region:account-id:certificate/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "Logging and Monitoring",
-  "Compliance": []
+  "Notes": "Logging and Monitoring"
 }

providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py

@@ -10,7 +10,7 @@ class cloudwatch_changes_to_network_acls_alarm_configured(Check):
     def execute(self):
         pattern = r"\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation"
         findings = []
-        report = Check_Report(self.metadata)
+        report = Check_Report(self.metadata())
         report.status = "FAIL"
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."

providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "cloudwatch_changes_to_network_gateways_alarm_configured",
   "CheckTitle": "Ensure a log metric filter and alarm exist for changes to network gateways.",
-  "CheckType": ["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],
+  "CheckType": [
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+  ],
   "ServiceName": "cloudwatch",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:cloudwatch:region:account-id:certificate/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "Logging and Monitoring",
-  "Compliance": []
+  "Notes": "Logging and Monitoring"
 }

providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py

@@ -10,7 +10,7 @@ class cloudwatch_changes_to_network_gateways_alarm_configured(Check):
     def execute(self):
         pattern = r"\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway"
         findings = []
-        report = Check_Report(self.metadata)
+        report = Check_Report(self.metadata())
         report.status = "FAIL"
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."

providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "cloudwatch_changes_to_network_route_tables_alarm_configured",
   "CheckTitle": "Ensure a log metric filter and alarm exist for route table changes.",
-  "CheckType": ["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],
+  "CheckType": [
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+  ],
   "ServiceName": "cloudwatch",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:cloudwatch:region:account-id:certificate/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "Logging and Monitoring",
-  "Compliance": []
+  "Notes": "Logging and Monitoring"
 }

providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py

@@ -10,7 +10,7 @@ class cloudwatch_changes_to_network_route_tables_alarm_configured(Check):
     def execute(self):
         pattern = r"\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable"
         findings = []
-        report = Check_Report(self.metadata)
+        report = Check_Report(self.metadata())
         report.status = "FAIL"
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."

providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "cloudwatch_changes_to_vpcs_alarm_configured",
   "CheckTitle": "Ensure a log metric filter and alarm exist for VPC changes.",
-  "CheckType": ["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],
+  "CheckType": [
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+  ],
   "ServiceName": "cloudwatch",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:cloudwatch:region:account-id:certificate/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "Logging and Monitoring",
-  "Compliance": []
+  "Notes": "Logging and Monitoring"
 }

providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py

@@ -10,7 +10,7 @@ class cloudwatch_changes_to_vpcs_alarm_configured(Check):
     def execute(self):
         pattern = r"\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink"
         findings = []
-        report = Check_Report(self.metadata)
+        report = Check_Report(self.metadata())
         report.status = "FAIL"
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."

providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "cloudwatch_cross_account_sharing_disabled",
   "CheckTitle": "Check if CloudWatch has allowed cross-account sharing.",
-  "CheckType": ["Logging and Monitoring"],
+  "CheckType": [
+    "Logging and Monitoring"
+  ],
   "ServiceName": "cloudwatch",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:cloudwatch:region:account-id:certificate/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.py

@@ -5,7 +5,7 @@ from providers.aws.services.iam.iam_client import iam_client
 class cloudwatch_cross_account_sharing_disabled(Check):
     def execute(self):
         findings = []
-        report = Check_Report(self.metadata)
+        report = Check_Report(self.metadata())
         report.status = "PASS"
         report.status_extended = "CloudWatch doesn't allows cross-account sharing"
         report.resource_id = "CloudWatch-CrossAccountSharingRole"

providers/aws/services/cloudwatch/cloudwatch_log_group_kms_encryption_enabled/cloudwatch_log_group_kms_encryption_enabled.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "cloudwatch_log_group_kms_encryption_enabled",
   "CheckTitle": "Check if CloudWatch log groups are protected by AWS KMS.",
-  "CheckType": ["Data Protection"],
+  "CheckType": [
+    "Data Protection"
+  ],
   "ServiceName": "cloudwatch",
   "SubServiceName": "logs",
   "ResourceIdTemplate": "arn:partition:cloudwatch:region:account-id:certificate/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/cloudwatch/cloudwatch_log_group_kms_encryption_enabled/cloudwatch_log_group_kms_encryption_enabled.py

@@ -6,7 +6,7 @@ class cloudwatch_log_group_kms_encryption_enabled(Check):
     def execute(self):
         findings = []
         for log_group in logs_client.log_groups:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = log_group.region
             report.resource_id = log_group.name
             report.resource_arn = log_group.arn

providers/aws/services/cloudwatch/cloudwatch_log_group_retention_policy_specific_days_enabled/cloudwatch_log_group_retention_policy_specific_days_enabled.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "cloudwatch_log_group_retention_policy_specific_days_enabled",
   "CheckTitle": "Check if CloudWatch Log Groups have a retention policy of specific days.",
-  "CheckType": ["Data Retention"],
+  "CheckType": [
+    "Data Retention"
+  ],
   "ServiceName": "cloudwatch",
   "SubServiceName": "logs",
   "ResourceIdTemplate": "arn:partition:cloudwatch:region:account-id:certificate/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "",
-  "Compliance": []
+  "Notes": ""
 }

providers/aws/services/cloudwatch/cloudwatch_log_group_retention_policy_specific_days_enabled/cloudwatch_log_group_retention_policy_specific_days_enabled.py

@@ -8,7 +8,7 @@ class cloudwatch_log_group_retention_policy_specific_days_enabled(Check):
         findings = []
         specific_retention_days = get_config_var("log_group_retention_days")
         for log_group in logs_client.log_groups:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
             report.region = log_group.region
             report.resource_id = log_group.name
             report.resource_arn = log_group.arn

providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled",
   "CheckTitle": "Ensure a log metric filter and alarm exist for AWS Config configuration changes.",
-  "CheckType": ["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],
+  "CheckType": [
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+  ],
   "ServiceName": "cloudwatch",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:cloudwatch:region:account-id:certificate/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "Logging and Monitoring",
-  "Compliance": []
+  "Notes": "Logging and Monitoring"
 }

providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py

@@ -12,7 +12,7 @@ class cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_change
     def execute(self):
         pattern = r"\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder"
         findings = []
-        report = Check_Report(self.metadata)
+        report = Check_Report(self.metadata())
         report.status = "FAIL"
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."

providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.metadata.json

@@ -2,7 +2,9 @@
   "Provider": "aws",
   "CheckID": "cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled",
   "CheckTitle": "Ensure a log metric filter and alarm exist for CloudTrail configuration changes.",
-  "CheckType": ["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],
+  "CheckType": [
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+  ],
   "ServiceName": "cloudwatch",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:cloudwatch:region:account-id:certificate/resource-id",
@@ -30,6 +32,5 @@
   },
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "Logging and Monitoring",
-  "Compliance": []
+  "Notes": "Logging and Monitoring"
 }

providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py

@@ -12,7 +12,7 @@ class cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_change
     def execute(self):
         pattern = r"\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging"
         findings = []
-        report = Check_Report(self.metadata)
+        report = Check_Report(self.metadata())
         report.status = "FAIL"
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."