prowler-cloud
Creates and manages Prowler compliance frameworks. Trigger: When working with compliance frameworks (CIS, NIST, PCI-DSS, SOC2, GDPR, ISO27001, ENS, MITRE ATT&CK).
bunx add-skill prowler-cloud/prowler -s prowler-complianceLoading…
Use this skill when:
Frameworks are JSON files located in: prowler/compliance/{provider}/{framework_name}_{provider}.json
Supported Providers:
aws - Amazon Web Servicesazure - Microsoft Azuregcp - Google Cloud Platformkubernetes - Kubernetesgithub - GitHubm365 - Microsoft 365alibabacloud - Alibaba Cloudcloudflare - Cloudflareoraclecloud - Oracle Cloudoci - Oracle Cloud Infrastructurenhn - NHN Cloudmongodbatlas - MongoDB Atlasiac - Infrastructure as Codellm - Large Language ModelsAll compliance frameworks share this base structure:
{
"Framework": "FRAMEWORK_NAME",
"Name": "Full Framework Name with Version",
"Version": "X.X",
"Provider": "PROVIDER",
"Description": "Framework description...",
"Requirements": [
{
"Id": "requirement_id",
"Description": "Requirement description",
"Name": "Optional requirement name",
"Attributes": [...],
"Checks": ["check_name_1", "check_name_2"]
}
]
}
Each framework type has its own attribute model. Below are the exact structures used by Prowler:
Framework ID format: cis_{version}_{provider} (e.g., cis_5.0_aws)
{
"Id": "1.1",
"Description": "Maintain current contact details",
"Checks": ["account_maintain_current_contact_details"],
"Attributes": [
{
"Section": "1 Identity and Access Management",
"SubSection": "Optional subsection",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Detailed attribute description",
"RationaleStatement": "Why this control matters",
"ImpactStatement": "Impact of implementing this control",
"RemediationProcedure": "Steps to fix the issue",
"AuditProcedure": "Steps to verify compliance",
"AdditionalInformation": "Extra notes",
"DefaultValue": "Default configuration value",
"References": "https://docs.example.com/reference"
}
]
}
Profile values: Level 1, Level 2, E3 Level 1, E3 Level 2, E5 Level 1, E5 Level 2
AssessmentStatus values: Automated, Manual
Framework ID format: iso27001_{year}_{provider} (e.g., iso27001_2022_aws)
{
"Id": "A.5.1",
"Description": "Policies for information security should be defined...",
"Name": "Policies for information security",
"Checks": ["securityhub_enabled"],
"Attributes": [
{
"Category": "A.5 Organizational controls",
"Objetive_ID": "A.5.1",
"Objetive_Name": "Policies for information security",
"Check_Summary": "Summary of what is being checked"
}
]
}
Note: Objetive_ID and Objetive_Name use this exact spelling (not "Objective").
Framework ID format: ens_rd2022_{provider} (e.g., ens_rd2022_aws)
{
"Id": "op.acc.1.aws.iam.2",
"Description": "Proveedor de identidad centralizado",
"Checks": ["iam_check_saml_providers_sts"],
"Attributes": [
{
"IdGrupoControl": "op.acc.1",
"Marco": "operacional",
"Categoria": "control de acceso",
"DescripcionControl": "Detailed control description in Spanish",
"Nivel": "alto",
"Tipo": "requisito",
"Dimensiones": ["trazabilidad", "autenticidad"],
"ModoEjecucion": "automatico",
"Dependencias": []
}
]
}
Nivel values: opcional, bajo, medio, alto
Tipo values: refuerzo, requisito, recomendacion, medida
Dimensiones values: confidencialidad, integridad, trazabilidad, autenticidad, disponibilidad
Framework ID format: mitre_attack_{provider} (e.g., mitre_attack_aws)
MITRE uses a different requirement structure:
{
"Name": "Exploit Public-Facing Application",
"Id": "T1190",
"Tactics": ["Initial Access"],
"SubTechniques": [],
"Platforms": ["Containers", "IaaS", "Linux", "Network", "Windows", "macOS"],
"Description": "Adversaries may attempt to exploit a weakness...",
"TechniqueURL": "https://attack.mitre.org/techniques/T1190/",
"Checks": ["guardduty_is_enabled", "inspector2_is_enabled"],
"Attributes": [
{
"AWSService": "Amazon GuardDuty",
"Category": "Detect",
"Value": "Minimal",
"Comment": "Explanation of how this service helps..."
}
]
}
For Azure: Use AzureService instead of AWSService
For GCP: Use GCPService instead of AWSService
Category values: Detect, Protect, Respond
Value values: Minimal, Partial, Significant
Framework ID format: nist_800_53_revision_{version}_{provider} (e.g., nist_800_53_revision_5_aws)
{
"Id": "ac_2_1",
"Name": "AC-2(1) Automated System Account Management",
"Description": "Support the management of system accounts...",
"Checks": ["iam_password_policy_minimum_length_14"],
"Attributes": [
{
"ItemId": "ac_2_1",
"Section": "Access Control (AC)",
"SubSection": "Account Management (AC-2)",
"SubGroup": "AC-2(3) Disable Accounts",
"Service": "iam"
}
]
}
For frameworks without specific attribute models:
{
"Id": "requirement_id",
"Description": "Requirement description",
"Name": "Optional name",
"Checks": ["check_name"],
"Attributes": [
{
"ItemId": "item_id",
"Section": "Section name",
"SubSection": "Subsection name",
"SubGroup": "Subgroup name",
"Service": "service_name",
"Type": "type"
}
]
}
Framework ID format: aws_well_architected_framework_{pillar}_pillar_aws
{
"Id": "SEC01-BP01",
"Description": "Establish common guardrails...",
"Name": "Establish common guardrails",
"Checks": ["account_part_of_organizations"],
"Attributes": [
{
"Name": "Establish common guardrails",
"WellArchitectedQuestionId": "securely-operate",
"WellArchitectedPracticeId": "sec_securely_operate_multi_accounts",
"Section": "Security",
"SubSection": "Security foundations",
"LevelOfRisk": "High",
"AssessmentMethod": "Automated",
"Description": "Detailed description",
"ImplementationGuidanceUrl": "https://docs.aws.amazon.com/..."
}
]
}
Framework ID format: kisa_isms_p_{year}_{provider} (e.g., kisa_isms_p_2023_aws)
{
"Id": "1.1.1",
"Description": "Requirement description",
"Name": "Requirement name",
"Checks": ["check_name"],
"Attributes": [
{
"Domain": "1. Management System",
"Subdomain": "1.1 Management System Establishment",
"Section": "1.1.1 Section Name",
"AuditChecklist": ["Checklist item 1", "Checklist item 2"],
"RelatedRegulations": ["Regulation 1"],
"AuditEvidence": ["Evidence type 1"],
"NonComplianceCases": ["Non-compliance example"]
}
]
}
Framework ID format: c5_{provider} (e.g., c5_aws)
{
"Id": "BCM-01",
"Description": "Requirement description",
"Name": "Requirement name",
"Checks": ["check_name"],
"Attributes": [
{
"Section": "BCM Business Continuity Management",
"SubSection": "BCM-01",
"Type": "Basic Criteria",
"AboutCriteria": "Description of criteria",
"ComplementaryCriteria": "Additional criteria"
}
]
}
Framework ID format: ccc_{provider} (e.g., ccc_aws)
{
"Id": "CCC.C01",
"Description": "Requirement description",
"Name": "Requirement name",
"Checks": ["check_name"],
"Attributes": [
{
"FamilyName": "Cryptography & Key Management",
"FamilyDescription": "Family description",
"Section": "CCC.C01",
"SubSection": "Key Management",
"SubSectionObjective": "Objective description",
"Applicability": ["IaaS", "PaaS", "SaaS"],
"Recommendation": "Recommended action",
"SectionThreatMappings": [{"threat": "T1190"}],
"SectionGuidelineMappings": [{"guideline": "NIST"}]
}
]
}
Framework ID format: prowler_threatscore_{provider} (e.g., prowler_threatscore_aws)
Prowler ThreatScore is a custom security scoring framework developed by Prowler that evaluates AWS account security based on four main pillars:
| Pillar | Description |
|---|---|
| 1. IAM | Identity and Access Management controls (authentication, authorization, credentials) |
| 2. Attack Surface | Network exposure, public resources, security group rules |
| 3. Logging and Monitoring | Audit logging, threat detection, forensic readiness |
| 4. Encryption | Data at rest and in transit encryption |
Scoring System:
5 = Critical (e.g., root MFA, public S3 buckets)4 = High (e.g., user MFA, public EC2)3 = Medium (e.g., password policies, encryption)2 = Low1 = Informational1000 = Critical controls (root security, public exposure)100 = High-impact controls (user authentication, monitoring)10 = Standard controls (password policies, encryption)1 = Low-impact controls (best practices){
"Id": "1.1.1",
"Description": "Ensure MFA is enabled for the 'root' user account",
"Checks": ["iam_root_mfa_enabled"],
"Attributes": [
{
"Title": "MFA enabled for 'root'",
"Section": "1. IAM",
"SubSection": "1.1 Authentication",
"AttributeDescription": "The root user account holds the highest level of privileges within an AWS account. Enabling MFA enhances security by adding an additional layer of protection.",
"AdditionalInformation": "Enabling MFA enhances console security by requiring the authenticating user to both possess a time-sensitive key-generating device and have knowledge of their credentials.",
"LevelOfRisk": 5,
"Weight": 1000
}
]
}
Available for providers: AWS, Kubernetes, M365
| Framework | File Name |
|---|---|
| CIS 1.4, 1.5, 2.0, 3.0, 4.0, 5.0 | cis_{version}_aws.json |
| ISO 27001:2013, 2022 | iso27001_{year}_aws.json |
| NIST 800-53 Rev 4, 5 | nist_800_53_revision_{version}_aws.json |
| NIST 800-171 Rev 2 | nist_800_171_revision_2_aws.json |
| NIST CSF 1.1, 2.0 | nist_csf_{version}_aws.json |
| PCI DSS 3.2.1, 4.0 | pci_{version}_aws.json |
| HIPAA | hipaa_aws.json |
| GDPR | gdpr_aws.json |
| SOC 2 | soc2_aws.json |
| FedRAMP Low/Moderate | fedramp_{level}_revision_4_aws.json |
| ENS RD2022 | ens_rd2022_aws.json |
| MITRE ATT&CK | mitre_attack_aws.json |
| C5 Germany | c5_aws.json |
| CISA | cisa_aws.json |
| FFIEC | ffiec_aws.json |
| RBI Cyber Security | rbi_cyber_security_framework_aws.json |
| AWS Well-Architected | aws_well_architected_framework_{pillar}_pillar_aws.json |
| AWS FTR | aws_foundational_technical_review_aws.json |
| GxP 21 CFR Part 11, EU Annex 11 | gxp_{standard}_aws.json |
| KISA ISMS-P 2023 | kisa_isms_p_2023_aws.json |
| NIS2 | nis2_aws.json |
| Framework | File Name |
|---|---|
| CIS 2.0, 2.1, 3.0, 4.0 | cis_{version}_azure.json |
| ISO 27001:2022 | iso27001_2022_azure.json |
| ENS RD2022 | ens_rd2022_azure.json |
| MITRE ATT&CK | mitre_attack_azure.json |
| PCI DSS 4.0 | pci_4.0_azure.json |
| NIST CSF 2.0 | nist_csf_2.0_azure.json |
| Framework | File Name |
|---|---|
| CIS 2.0, 3.0, 4.0 | cis_{version}_gcp.json |
| ISO 27001:2022 | iso27001_2022_gcp.json |
| HIPAA | hipaa_gcp.json |
| MITRE ATT&CK | mitre_attack_gcp.json |
| PCI DSS 4.0 | pci_4.0_gcp.json |
| NIST CSF 2.0 | nist_csf_2.0_gcp.json |
| Framework | File Name |
|---|---|
| CIS 1.8, 1.10, 1.11 | cis_{version}_kubernetes.json |
| ISO 27001:2022 | iso27001_2022_kubernetes.json |
| PCI DSS 4.0 | pci_4.0_kubernetes.json |
cis_1.0_github.jsoncis_4.0_m365.json, iso27001_2022_m365.jsoniso27001_2022_nhn.jsonChecks: [] for manual-only requirementsName and Version fields{framework}_{version}_{provider}.json# List available frameworks for a provider
prowler {provider} --list-compliance
# Run scan with specific compliance framework
prowler aws --compliance cis_5.0_aws
# Run scan with multiple frameworks
prowler aws --compliance cis_5.0_aws pci_4.0_aws
# Output compliance report in multiple formats
prowler aws --compliance cis_5.0_aws -M csv json html
prowler/lib/check/compliance_models.pyprowler/lib/check/compliance.pyprowler/lib/outputs/compliance/Use when you need to run Flow type checking, or when seeing Flow type errors in React code.
Use when you want to validate changes before committing, or when you need to check all React contribution requirements.
Use when feature flag tests fail, flags need updating, understanding @gate pragmas, debugging channel-specific test failures, or adding new flags to React.
Use when you need to check feature flag states, compare channels, or debug why a feature behaves differently across release channels.