
Requesting an additional framework: CIS AWS Compute Services Benchmark v1.0.0 #2644

Open
Jawand-a opened this issue Jul 31, 2023 · 4 comments
Labels:
  - feature-request (New feature request for Prowler.)
  - help wanted
  - new check idea
  - provider/aws (Issues/PRs related with the AWS provider)
  - severity/low (Bug won't result in any noticeable breakdown of the execution.)

Comments

@Jawand-a

Jawand-a commented Jul 31, 2023

New feature motivation

We would like to use Prowler for AWS compliance but Prowler doesn't include all of the relevant frameworks, specifically CIS AWS Compute Services Benchmark v1.0.0.

Solution Proposed

Adding the CIS AWS Compute Services Benchmark v1.0.0 to Prowler AWS compliance.
CIS_AWS_Compute_Services_Benchmark_v1.0.0.pdf

Describe alternatives you've considered

Prowler offers CIS AWS foundations in version 1.4, 1.5, and 2.0 but doesn't include the computer services benchmark.

Additional context

This CIS benchmark was released in April, found at https://www.cisecurity.org/insights/blog/cis-benchmarks-april-2023-update#NewCISAWSComputeServicesBenchmarkv1.0.0

@Jawand-a Jawand-a added feature-request New feature request for Prowler. status/needs-triage Issue pending triage labels Jul 31, 2023
@toniblyx
Member

toniblyx commented Aug 1, 2023

Thanks for asking @Jawand-Appian, as you can see below, we cover some of the checks already (14 checks), however others need to be written (38 checks). To be honest it is the first time we have been asked for this CIS Benchmark and considering it is v1 and v1.1 is coming up, let's see if it really makes sense to cover all of them. In any case feel free to contribute with any check that you need and we can help you building the compliance json if needed like in prowler/compliance/aws/cis_2.0_aws.json
(attached screenshot: Screenshot 2023-08-01 at 18 03 40)

here is the excel if you want to work on it
CIS_AWS_Compute_Services_Benchmark_v1.0.0.xlsx

@Jawand-a
Author

Jawand-a commented Aug 1, 2023

@toniblyx thank you for your response/insight. Quick questions:

  1. Some of the benchmarks available on Prowler like "Ensure Secrets and Sensitive Data are not stored directly in EC2 User Data" I see under services, others like "Ensure an Organizational EC2 Tag Policy has been Created" I'm not able to find (maybe it's named differently). Is there a way to find checks already implemented in prowler?
  2. Is there documentation on what information a check has? I see a developer guide on creating a new check/security compliance framework but not on actually developing the check itself.

@toniblyx
Member

toniblyx commented Aug 3, 2023

  1. [ec2_instance_secrets_user_data] Find secrets in EC2 User Data. - ec2 [critical] and
     [organizations_tags_policies_enabled_and_attached] Check if an AWS Organization has tags policies enabled and attached. - organizations [medium]
     You can use prowler <provider> -l to list all available checks on each provider (aws, gcp, azure).

  2. Best place to get information about what a check does is on each check metadata.json file. In the devel guide you have instructions on how to create a check, see here.

@toniblyx
Member

toniblyx commented Aug 3, 2023

Remember that for Prowler every compliance framework (CIS, PCI, NIST, etc.) is a list of specific and special requirements that can be automated or manual, so one CIS requirement usually maps to one Prowler check, but not in all cases. If the requirement is manual, it doesn't map to any check, and in some cases a requirement maps to multiple checks.
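
The one-to-none / one-to-one / one-to-many mapping described above is what decides the "14 covered, 38 to write" numbers earlier in the thread. The script below is an added example, not Prowler's own code: it reads a simplified, hypothetical framework document (a stand-in for a prowler/compliance/aws/*.json file, whose real schema is not shown here), compares each requirement's check ids against a constructed stand-in for the output of `prowler aws -l`, and buckets requirements as covered, missing checks, manual, or malformed. Requirement ids and the `ec2_hypothetical_imdsv2_required` check are constructed; only the two check ids quoted in the thread are real Prowler checks.

```python
"""Coverage report: which framework requirements are automated and covered,
which still need checks written, and which are manual.

Added example, not Prowler's own code. The JSON layout is a hypothetical
simplification of a prowler/compliance/<provider>/*.json file.
"""
import json
import re

# Constructed sample framework. Each requirement lists the check ids that
# automate it; an empty "Checks" list marks a manual requirement.
FRAMEWORK_JSON = json.dumps({
    "Framework": "CIS-AWS-Compute-Services (constructed sample)",
    "Version": "1.0.0",
    "Requirements": [
        {"Id": "2.1", "Description": "Secrets not stored in EC2 user data",
         "Checks": ["ec2_instance_secrets_user_data"]},
        {"Id": "2.2", "Description": "Organizational EC2 tag policy exists",
         "Checks": ["organizations_tags_policies_enabled_and_attached"]},
        {"Id": "2.3", "Description": "Review AMI ownership quarterly (manual)",
         "Checks": []},
        {"Id": "2.4", "Description": "Hypothetical requirement needing two checks",
         "Checks": ["ec2_instance_secrets_user_data",
                    "ec2_hypothetical_imdsv2_required"]},  # hypothetical check id
        {"Id": "2.5", "Description": "Hypothetical requirement with a mis-named check",
         "Checks": ["EC2-BadName"]},
    ],
})

# Constructed stand-in for `prowler aws -l`: the check ids this Prowler
# version knows about. Only the two real ids from the thread are listed.
AVAILABLE_CHECKS = {
    "ec2_instance_secrets_user_data",
    "organizations_tags_policies_enabled_and_attached",
}

# Prowler check ids are lowercase snake_case starting with the service name
# (e.g. ec2_..., organizations_...). Anything else is a typo in the mapping.
CHECK_ID_RE = re.compile(r"^[a-z0-9]+(_[a-z0-9]+)+$")


def load_requirements(framework_json):
    """Parse the framework document and return its requirement list."""
    return json.loads(framework_json)["Requirements"]


def classify(requirements, available):
    """Bucket every requirement by how it maps onto the available checks."""
    report = {"covered": [], "missing": {}, "manual": [], "malformed": {}}
    for req in requirements:
        checks = req["Checks"]
        if not checks:                       # manual control: no automation
            report["manual"].append(req["Id"])
            continue
        bad = [c for c in checks if not CHECK_ID_RE.match(c)]
        if bad:                              # catch mapping typos before runtime
            report["malformed"][req["Id"]] = bad
            continue
        absent = sorted(c for c in checks if c not in available)
        if absent:                           # at least one check still to write
            report["missing"][req["Id"]] = absent
        else:                                # every mapped check exists
            report["covered"].append(req["Id"])
    return report


def summary(report):
    """Counts in the shape the maintainer quoted: covered vs. still to write."""
    to_write = sorted({c for cs in report["missing"].values() for c in cs})
    return {
        "covered": len(report["covered"]),
        "manual": len(report["manual"]),
        "malformed": len(report["malformed"]),
        "checks_to_write": to_write,
    }


if __name__ == "__main__":
    rep = classify(load_requirements(FRAMEWORK_JSON), AVAILABLE_CHECKS)
    print(json.dumps(rep, indent=2))
    print(json.dumps(summary(rep), indent=2))
```

Running it against the sample marks 2.1 and 2.2 as covered, 2.3 as manual, 2.4 as missing one check, and 2.5 as malformed; the "checks_to_write" list is exactly what a contributor would pick up next.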

@jfagoagas jfagoagas added the provider/aws Issues/PRs related with the AWS provider label Aug 4, 2023
@toniblyx toniblyx added help wanted new check idea severity/low Bug won't result in any noticeable breakdown of the execution. and removed status/needs-triage Issue pending triage labels Oct 5, 2023