chore(aws): enhance metadata for acm service (#8716)

Co-authored-by: Daniel Barranquero <74871504+danibarranqueroo@users.noreply.github.com>
Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>

Author: puchy22

prowler/CHANGELOG.md

@@ -17,6 +17,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS Config service metadata to new format [(#8641)](https://github.com/prowler-cloud/prowler/pull/8641)
 - Update AWS Api Gateway V2 service metadata to new format [(#8719)](https://github.com/prowler-cloud/prowler/pull/8719)
 - Update AWS AppSync service metadata to new format [(#8721)](https://github.com/prowler-cloud/prowler/pull/8721)
+- Update AWS ACM service metadata to new format [(#8716)](https://github.com/prowler-cloud/prowler/pull/8716)
 - HTML output now properly renders markdown syntax in Risk and Recommendation fields [(#8727)](https://github.com/prowler-cloud/prowler/pull/8727)
 - Update `moto` dependency from 5.0.28 to 5.1.11 [(#7100)](https://github.com/prowler-cloud/prowler/pull/7100)
 

prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.metadata.json

@@ -1,28 +1,36 @@
 {
   "Provider": "aws",
   "CheckID": "acm_certificates_expiration_check",
-  "CheckTitle": "Check if ACM Certificates are about to expire in specific days or less",
+  "CheckTitle": "ACM certificate expires in more than the configured threshold of days",
   "CheckType": [
-    "Data Protection"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Denial of Service"
   ],
   "ServiceName": "acm",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:acm:region:account-id:certificate/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsCertificateManagerCertificate",
-  "Description": "Check if ACM Certificates are about to expire in specific days or less",
-  "Risk": "Expired certificates can impact service availability.",
-  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html",
+  "Description": "**ACM certificates** are assessed for **time to expiration** against a configurable threshold. Certificates close to end of validity or already expired are surfaced, covering those attached to services and, *if in scope*, unused ones.",
+  "Risk": "Expired or near-expiry **TLS certificates** can break handshakes, causing **service outages** and failed API calls (**availability**). Emergency fixes raise misconfiguration risk, enabling disabled verification or weak ciphers, which allows **MITM** and data exposure (**confidentiality**/**integrity**).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ACM/certificate-expires-in-45-days.html",
+    "https://repost.aws/es/knowledge-center/acm-notification-certificate-renewal",
+    "https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html",
+    "https://repost.aws/questions/QU3sMaeZPMRo2kLcsfJsfuVA/acm-notifications-for-expiring-certificates"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
       "NativeIaC": "",
-      "Other": "",
+      "Other": "1. In the AWS Console, open Certificate Manager (ACM)\n2. If the expiring certificate is ACM-issued: select it and complete/restore validation (Create records in Route 53 or add the shown CNAME) so renewal can proceed\n3. If the expiring certificate is imported: click Import a certificate, upload the new certificate and private key, then save\n4. Update the service to use the new/renewed certificate:\n   - ALB/NLB: EC2 > Load Balancers > Listeners > Edit > Change certificate to the new ACM certificate\n   - CloudFront: Distributions > Edit > Viewer certificate > Select the new ACM certificate\n   - API Gateway: Custom domain names > Edit > Choose the new ACM certificate\n5. Verify the old certificate is no longer in use; delete it if not needed",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Monitor certificate expiration and take automated action to renew, replace or remove. Having shorter TTL for any security artifact is a general recommendation, but requires additional automation in place. If not longer required delete certificate. Use AWS config using the managed rule: acm-certificate-expiration-check.",
-      "Url": "https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html"
+      "Text": "Adopt **automated certificate lifecycle management**: prefer **ACM-issued certs with auto-renewal**, or integrate imports with an automated renewal/rotation pipeline. Track expirations with alerts, enforce **least privilege** for cert operations, remove unused certs, and test rollovers to avoid downtime.",
+      "Url": "https://hub.prowler.com/check/acm_certificates_expiration_check"
     }
   },
   "Categories": [],

prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.metadata.json

@@ -1,28 +1,32 @@
 {
   "Provider": "aws",
   "CheckID": "acm_certificates_transparency_logs_enabled",
-  "CheckTitle": "Check if ACM certificates have Certificate Transparency logging enabled",
+  "CheckTitle": "ACM certificate is imported or has Certificate Transparency logging enabled",
   "CheckType": [
-    "Logging and Monitoring"
+    "Software and Configuration Checks/AWS Security Best Practices"
   ],
   "ServiceName": "acm",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:acm:region:account-id:certificate/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsCertificateManagerCertificate",
-  "Description": "Check if ACM certificates have Certificate Transparency logging enabled",
-  "Risk": "Domain owners can search the log to identify unexpected certificates, whether issued by mistake or malice. Domain owners can also identify Certificate Authorities (CAs) that are improperly issuing certificates.",
-  "RelatedUrl": "https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/",
+  "Description": "**ACM-issued certificates** are checked for **Certificate Transparency (CT) logging** being enabled. Certificates with type `IMPORTED` are excluded from evaluation.",
+  "Risk": "Disabling **CT logging** reduces visibility into **misissued or rogue certificates**, weakening confidentiality and integrity. Attackers can **impersonate sites** or run **TLS man-in-the-middle** without timely detection. Unlogged public certs may be distrusted by browsers, impacting availability and user trust.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/",
+    "https://support.icompaas.com/support/solutions/articles/62000129491-ensure-acm-certificates-have-certificate-transparency-logging-enabled"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws acm update-certificate-options --certificate-arn <CERTIFICATE_ARN> --options CertificateTransparencyLoggingPreference=ENABLED",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable Certificate Transparency logging on an ACM certificate\nResources:\n  <example_resource_name>:\n    Type: AWS::CertificateManager::Certificate\n    Properties:\n      DomainName: <example_domain_name>\n      CertificateTransparencyLoggingPreference: ENABLED  # Critical: turns on CT logging to pass the check\n```",
+      "Other": "1. Open the AWS Certificate Manager (ACM) console\n2. Select the certificate with transparency logging disabled\n3. Click Actions > Edit transparency logging\n4. Choose Enable transparency logging\n5. Click Save",
+      "Terraform": "```hcl\n# Enable Certificate Transparency logging on an ACM certificate\nresource \"aws_acm_certificate\" \"<example_resource_name>\" {\n  domain_name = \"<example_domain_name>\"\n  options {\n    certificate_transparency_logging_preference = \"ENABLED\"  # Critical: turns on CT logging to pass the check\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Make sure you are logging information about Lambda operations. Create a lifecycle and use cases for each trail.",
-      "Url": "https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/"
+      "Text": "Enable **CT logging** on all ACM-issued public certificates to maintain transparency and rapid revocation.\n\nMonitor CT logs for your domains and alert on unexpected issuances. For sensitive internal names, favor private PKI or non-public hostnames instead of disabling CT, and apply **defense in depth** with short certificate lifetimes.",
+      "Url": "https://hub.prowler.com/check/acm_certificates_transparency_logs_enabled"
     }
   },
   "Categories": [

prowler/providers/aws/services/acm/acm_certificates_with_secure_key_algorithms/acm_certificates_with_secure_key_algorithms.metadata.json

@@ -1,31 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "acm_certificates_with_secure_key_algorithms",
-  "CheckTitle": "Check if ACM Certificates use a secure key algorithm",
+  "CheckTitle": "ACM certificate uses a secure key algorithm",
   "CheckType": [
-    "Data Protection"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS",
+    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)"
   ],
   "ServiceName": "acm",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:acm:region:account-id:certificate/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsCertificateManagerCertificate",
-  "Description": "Check if ACM Certificates use a secure key algorithm (RSA 2048 bits or more, or ECDSA 256 bits or more). For example certificates that use RSA-1024 can be compromised because the encryption could be broken in no more than 2^80 guesses making it vulnerable to a factorization attack.",
-  "Risk": "Certificates with weak RSA or ECDSA keys can be compromised because the length of the key defines the security of the encryption. The number of bits in the key determines the number of guesses an attacker would have to make in order to decrypt the data. The more bits in the key, the more secure the encryption.",
-  "RelatedUrl": "https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html",
+  "Description": "**ACM certificates** are evaluated for the **public key algorithm and size**, identifying those that use weak parameters such as `RSA-1024` or ECDSA `P-192`. Certificates using `RSA-2048+` or ECDSA `P-256+` meet the secure baseline.",
+  "Risk": "**Weak certificate keys** reduce TLS confidentiality and authenticity.\n\nFeasible factoring or discrete log attacks can reveal private keys, enabling **man-in-the-middle**, session decryption, and **certificate spoofing**, leading to data exposure and tampering.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://noise.getoto.net/2022/11/08/how-to-evaluate-and-use-ecdsa-certificates-in-aws-certificate-manager/",
+	"https://docs.aws.amazon.com/acm/latest/userguide/data-protection.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "NativeIaC": "```yaml\n# CloudFormation: ACM certificate with secure key algorithm\nResources:\n  <example_resource_name>:\n    Type: AWS::CertificateManager::Certificate\n    Properties:\n      DomainName: <example_domain>\n      KeyAlgorithm: EC_prime256v1  # CRITICAL: ensures a secure key algorithm (RSA-2048+ or ECDSA P-256+)\n```",
+      "Other": "1. In the AWS Console, go to Certificate Manager (ACM)\n2. Click Request a certificate and enter <example_domain>\n3. Under Key algorithm, select ECDSA P-256 (or RSA 2048)\n4. Complete validation (DNS is recommended)\n5. In the service using the certificate (e.g., ALB/CloudFront/API Gateway), replace the old certificate with the new one\n6. Delete the insecure certificate (e.g., RSA-1024 or P-192) once no longer in use.",
+      "Terraform": "```hcl\n# Terraform: ACM certificate with secure key algorithm\nresource \"aws_acm_certificate\" \"<example_resource_name>\" {\n  domain_name   = \"<example_domain>\"\n  key_algorithm = \"EC_prime256v1\"  # CRITICAL: ensures a secure key algorithm (RSA-2048+ or ECDSA P-256+)\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that all ACM certificates use a secure key algorithm. If any certificates use smaller keys, regenerate them with a secure key size and update any systems that rely on these certificates.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/acm-controls.html#acm-2"
+      "Text": "Use **strong algorithms**: `RSA-2048+` or ECDSA `P-256/P-384`. Replace weak or legacy certificates and prevent their use via policy.\n\nPrefer ECDSA where compatible, apply **least privilege** to private keys, enforce modern TLS policies, and automate renewal to maintain cryptographic strength.",
+      "Url": "https://hub.prowler.com/check/acm_certificates_with_secure_key_algorithms"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""