

[resotocore][fix] Benchmark refinements (#1496)
* [resotocore][fix] Benchmark refinements

* overwrite again for existing installations
aquamatthias committed Mar 10, 2023
1 parent b752003 commit 67ce070
Showing 7 changed files with 143 additions and 122 deletions.
2 changes: 1 addition & 1 deletion resotocore/resotocore/report/inspector_service.py
Expand Up @@ -65,7 +65,7 @@ def __init__(self, cli: CLI) -> None:
async def start(self) -> None:
# TODO: we need a migration path for checks added in existing configs
config_ids = {i async for i in self.config_handler.list_config_ids()}
overwrite = False # only here to simplify development. True until we reach a stable version.
overwrite = True # only here to simplify development. True until we reach a stable version.
# we renamed this config in 3.2.6 - old installations still might have it
# this line can be removed in a future version
await self.config_handler.delete_config(ConfigId("resoto.report.benchmark.aws_cis_1.5"))
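Review bot: Every start now replaces the stored report configs unconditionally, so operator edits to benchmarks or checks in an existing installation are discarded without any trace; the TODO on the line above already records that a migration path is missing. The inline comment "only here to simplify development" no longer matches a value that the commit message says is meant for existing installations, so I would reword it to state the actual intent, e.g. `overwrite = True  # re-install shipped report configs on every start; TODO: replace with a versioned migration`, and log at info level when an existing config is replaced so the overwrite is visible to operators. How `overwrite` is consumed is outside the hunk, so I cannot tell whether it drives a single replace or a per-config loop; start() continues past the hunk.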
Expand Up @@ -171,35 +171,35 @@
"title": "2.1.1 Ensure all S3 buckets employ encryption-at-rest",
"description": "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.",
"checks": [
"aws_ec2_s3_bucket_default_encryption"
"aws_s3_bucket_default_encryption"
]
},
{
"title": "2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests",
"description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.",
"checks": [
"aws_ec2_s3_bucket_secure_transport_policy"
"aws_s3_bucket_secure_transport_policy"
]
},
{
"title": "2.1.3 Ensure MFA Delete is enabled on S3 buckets",
"description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.",
"checks": [
"aws_ec2_s3_bucket_no_mfa_delete"
"aws_s3_bucket_no_mfa_delete"
]
},
{
"title": "2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required",
"description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.",
"checks": [
"aws_ec2_macie_is_enabled"
"aws_s3_macie_is_enabled"
]
},
{
"title": "2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'",
"description": "Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principle with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.",
"checks": [
"aws_ec2_s3_account_level_public_access_blocks"
"aws_s3_account_level_public_access_blocks"
]
}
]
Expand Up @@ -7,14 +7,14 @@
"title": "Check if API Gateway has configured authorizers.",
"result_kind": "aws_api_gateway_rest_api",
"categories": ["security", "compliance"],
"risk": "If no authorizer is enabled anyone can use the service.",
"risk": "If no authorizer is defined, anyone can use the service.",
"severity": "medium",
"url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html",
"detect": {
"resoto": "is(aws_api_gateway_rest_api) with(empty, --> is(aws_api_gateway_authorizer))"
},
"remediation": {
"text": "Implement Amazon Cognito or a Lambda function to control access to your API.",
"text": "Add a Cognito pool or attach a Lambda function to control access to your API.",
"url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html"
},
"related": [],
Expand All @@ -25,7 +25,7 @@
"title": "Check if API Gateway has client certificate enabled to access your backend endpoint.",
"result_kind": "aws_api_gateway_stage",
"categories": ["security", "compliance"],
"risk": "Possible man in the middle attacks and other similar risks.",
"risk": "Man in the middle attacks are possible and other similar risks.",
"severity": "medium",
"url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-mutual-tls.html",
"detect": {
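Review bot: The rewritten risk text in the second hunk (the aws_api_gateway_stage client-certificate check) is grammatically off — "Man in the middle attacks are possible and other similar risks." leaves the second clause dangling, which matters here because this string is what operators read in the report. Suggest `"risk": "Man-in-the-middle attacks and other similar risks are possible.",`. The enclosing JSON object begins before the hunk.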

