chore(aws): enhance metadata for ec2 service (#9549)

Co-authored-by: Daniel Barranquero <[email protected]>

Author: puchy22

prowler/CHANGELOG.md

@@ -52,6 +52,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS IAM service metadata to new format [(#9550)](https://github.com/prowler-cloud/prowler/pull/9550)
 - Enhance `user_registration_details` perfomance and user `mfa` evaluation [(#9236)](https://github.com/prowler-cloud/prowler/pull/9236)
 - Update AWS Cognito service metadata to new format [(#8853)](https://github.com/prowler-cloud/prowler/pull/8853)
+- Update AWS EC2 service metadata to new format [(#9549)](https://github.com/prowler-cloud/prowler/pull/9549)
 
 ---
 

prowler/providers/aws/services/ec2/ec2_ami_public/ec2_ami_public.metadata.json

@@ -1,29 +1,36 @@
 {
   "Provider": "aws",
   "CheckID": "ec2_ami_public",
-  "CheckTitle": "Ensure there are no EC2 AMIs set as Public.",
+  "CheckTitle": "EC2 AMI owned by the account is not public",
   "CheckType": [
-    "Infrastructure Security"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "ec2",
-  "SubServiceName": "ami",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
   "Severity": "critical",
   "ResourceType": "Other",
   "ResourceGroup": "compute",
-  "Description": "Ensure there are no EC2 AMIs set as Public.",
-  "Risk": "When your AMIs are publicly accessible, they are available in the Community AMIs where everyone with an AWS account can use them to launch EC2 instances. Your AMIs could contain snapshots of your applications (including their data), therefore exposing your snapshots in this manner is not advised.",
+  "Description": "**EC2 AMIs owned by the account** are evaluated for **public visibility** via their launch permissions. Images shared with all accounts (`Group=all`) are treated as publicly accessible.",
+  "Risk": "Public AMIs expose image contents to any AWS account, undermining **confidentiality** and **integrity**:\n- Leakage of embedded secrets, configs, or data from referenced snapshots\n- Adversaries can fingerprint your stack, aiding targeted exploits or repackaging for supply chain abuse",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cancel-sharing-an-AMI.html",
+    "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html",
+    "https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-image-attribute.html",
+    "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws ec2 modify-image-attribute --region <REGION> --image-id <EC2_AMI_ID> --launch-permission {\"Remove\":[{\"Group\":\"all\"}]}",
+      "CLI": "aws ec2 modify-image-attribute --image-id <EC2_AMI_ID> --launch-permission \"Remove=[{Group=all}]\"",
       "NativeIaC": "",
-      "Other": "https://docs.prowler.com/checks/aws/public-policies/public_8",
+      "Other": "1. Open the Amazon EC2 console and go to AMIs\n2. Select the AMI with Visibility = Public\n3. Click Actions > Edit AMI permissions\n4. Under AMI availability, select Private\n5. Click Save changes",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "We recommend your EC2 AMIs are not publicly accessible, or generally available in the Community AMIs.",
-      "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cancel-sharing-an-AMI.html"
+      "Text": "Keep AMIs **private** and enforce **least privilege** launch permissions. Share only with specific accounts and review access routinely. Enable **block public access for AMIs**, sanitize images to remove secrets, encrypt backing snapshots, and apply lifecycle governance to retire outdated images.",
+      "Url": "https://hub.prowler.com/check/ec2_ami_public"
     }
   },
   "Categories": [

prowler/providers/aws/services/ec2/ec2_client_vpn_endpoint_connection_logging_enabled/ec2_client_vpn_endpoint_connection_logging_enabled.metadata.json

@@ -1,30 +1,41 @@
 {
   "Provider": "aws",
   "CheckID": "ec2_client_vpn_endpoint_connection_logging_enabled",
-  "CheckTitle": "EC2 Client VPN endpoints should have client connection logging enabled.",
-  "CheckType": [],
+  "CheckTitle": "EC2 Client VPN endpoint has client connection logging enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)"
+  ],
   "ServiceName": "ec2",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsEc2ClientVpnEndpoint",
   "ResourceGroup": "network",
-  "Description": "This control checks whether an AWS Client VPN endpoint has client connection logging enabled. The control fails if the endpoint doesn't have client connection logging enabled.",
-  "Risk": "Client VPN endpoints allow remote clients to securely connect to resources in a Virtual Private Cloud (VPC) in AWS. Connection logs allow you to track user activity on the VPN endpoint and provides visibility.",
-  "RelatedUrl": "https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html",
+  "Description": "**AWS Client VPN endpoints** are evaluated for **client connection logging** that records client connect/disconnect events to CloudWatch Logs. The evaluation detects endpoints where this logging is disabled.",
+  "Risk": "Without **Client VPN connection logs**, remote access lacks an **audit trail**, reducing detection and accountability.\n- Stolen credentials can be used unnoticed\n- Lateral movement and data exfiltration persist\nImpacts **confidentiality** and **integrity**; delayed investigation can degrade **availability**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-51",
+    "https://docs.aws.amazon.com/config/latest/developerguide/ec2-client-vpn-connection-log-enabled.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-51",
-      "Terraform": ""
+      "CLI": "aws ec2 modify-client-vpn-endpoint --client-vpn-endpoint-id <CLIENT_VPN_ENDPOINT_ID> --connection-log-options Enabled=true,CloudWatchLogGroup=<CLOUDWATCH_LOG_GROUP_NAME>",
+      "NativeIaC": "```yaml\n# CloudFormation: enable connection logging on a Client VPN endpoint\nResources:\n  <example_resource_name>:\n    Type: AWS::EC2::ClientVpnEndpoint\n    Properties:\n      ClientCidrBlock: 10.0.0.0/22\n      ServerCertificateArn: arn:aws:acm:<REGION>:<ACCOUNT_ID>:certificate/<example_resource_id>\n      AuthenticationOptions:\n        - Type: certificate-authentication\n          MutualAuthentication:\n            ClientRootCertificateChainArn: arn:aws:acm:<REGION>:<ACCOUNT_ID>:certificate/<example_resource_id>\n      ConnectionLogOptions:               # CRITICAL: enables client connection logging\n        Enabled: true                     # CRITICAL: turns on logging\n        CloudWatchLogGroup: <example_resource_name>  # CRITICAL: destination log group\n```",
+      "Other": "1. Open the Amazon VPC console and go to Client VPN Endpoints\n2. Select the endpoint and choose Actions > Modify client VPN endpoint\n3. Under Connection logging, check Enable\n4. For CloudWatch log group, select an existing log group\n5. Click Save changes",
+      "Terraform": "```hcl\n# Terraform: enable connection logging on a Client VPN endpoint\nresource \"aws_ec2_client_vpn_endpoint\" \"<example_resource_name>\" {\n  server_certificate_arn = \"arn:aws:acm:<REGION>:<ACCOUNT_ID>:certificate/<example_resource_id>\"\n  client_cidr_block      = \"10.0.0.0/22\"\n\n  authentication_options {\n    type                       = \"certificate-authentication\"\n    root_certificate_chain_arn = \"arn:aws:acm:<REGION>:<ACCOUNT_ID>:certificate/<example_resource_id>\"\n  }\n\n  connection_log_options {                # CRITICAL: enables client connection logging\n    enabled             = true            # CRITICAL: turns on logging\n    cloudwatch_log_group = \"<example_resource_name>\"  # CRITICAL: destination log group\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "To enable connection logging, see Enable connection logging for an existing Client VPN endpoint in the AWS Client VPN Administrator Guide.",
-      "Url": "https://docs.aws.amazon.com/config/latest/developerguide/ec2-client-vpn-connection-log-enabled.html"
+      "Text": "Enable **client connection logging** on all Client VPN endpoints and send events to a centralized log group.\n- Enforce least privilege on log access\n- Define retention and immutability\n- Integrate with monitoring/alerts\n- Separate VPN operations from log administration\n- Review anomalous login patterns",
+      "Url": "https://hub.prowler.com/check/ec2_client_vpn_endpoint_connection_logging_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption.metadata.json

@@ -1,29 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "ec2_ebs_default_encryption",
-  "CheckTitle": "Check if EBS Default Encryption is activated.",
+  "CheckTitle": "EBS default encryption is enabled",
   "CheckType": [
-    "Data Protection"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "ec2",
-  "SubServiceName": "ebs",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
-  "Severity": "medium",
-  "ResourceType": "Other",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "AwsEc2Volume",
   "ResourceGroup": "compute",
-  "Description": "Check if EBS Default Encryption is activated.",
-  "Risk": "If not enabled sensitive information at rest is not protected.",
+  "Description": "**EBS** uses `encryption by default` at the account and region level, ensuring new volumes, snapshots, and AMI-backed volumes are automatically encrypted with a chosen **KMS key**",
+  "Risk": "Without `encryption by default`, data on new **EBS volumes** and **snapshots** may be stored in plaintext. A compromised account or mis-shared snapshot can expose disk contents, enabling data exfiltration, offline analysis, and loss of **confidentiality**.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://aws.amazon.com/premiumsupport/knowledge-center/ebs-automatic-encryption/",
+    "https://docs.aws.amazon.com/ebs/latest/userguide/encryption-by-default.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EBS/configure-default-encryption.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws ec2 enable-ebs-encryption-by-default",
-      "NativeIaC": "",
-      "Other": "https://docs.prowler.com/checks/aws/general-policies/ensure-ebs-default-encryption-is-enabled#aws-console",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-ebs-default-encryption-is-enabled#terraform"
+      "CLI": "aws ec2 enable-ebs-encryption-by-default --region <REGION>",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::EC2::EBSEncryptionByDefault\n    Properties:\n      Enabled: true  # Critical: turns on default EBS encryption in this region\n```",
+      "Other": "1. In the AWS console, switch to the affected Region\n2. Go to EC2 > Settings (or Account attributes) > EBS encryption\n3. Click Enable default encryption and Save",
+      "Terraform": "```hcl\nresource \"aws_ebs_encryption_by_default\" \"<example_resource_name>\" {\n  enabled = true  # Critical: enables default EBS encryption in this region\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.",
-      "Url": "https://aws.amazon.com/premiumsupport/knowledge-center/ebs-automatic-encryption/"
+      "Text": "Enable `EBS encryption by default` in every region and select a **customer-managed KMS key**. Apply **least privilege** to key use, rotate keys, and monitor access. Enforce encrypted volume creation with organizational guardrails and secure templates as **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/ec2_ebs_default_encryption"
     }
   },
   "Categories": [

prowler/providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot.metadata.json

@@ -1,29 +1,35 @@
 {
   "Provider": "aws",
   "CheckID": "ec2_ebs_public_snapshot",
-  "CheckTitle": "Ensure there are no EBS Snapshots set as Public.",
+  "CheckTitle": "EBS snapshot is not public",
   "CheckType": [
-    "Data Protection"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "ec2",
-  "SubServiceName": "snapshot",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
   "Severity": "critical",
-  "ResourceType": "Other",
+  "ResourceType": "AwsEc2Volume",
   "ResourceGroup": "compute",
-  "Description": "Ensure there are no EBS Snapshots set as Public.",
-  "Risk": "When you share a snapshot, you are giving others access to all of the data on the snapshot. Share snapshots only with people with whom you want to share all of your snapshot data.",
+  "Description": "**EBS snapshots** with **public sharing** permissions (accessible by all AWS accounts) are identified, as opposed to snapshots shared privately with specific accounts.",
+  "Risk": "Public snapshots expose full volume contents, harming **confidentiality**. Any account can create a volume from the snapshot to read files, secrets, or database data, enabling **data exfiltration**, broad reconnaissance, and facilitating **lateral movement**.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EBS/public-snapshots.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws ec2 modify-snapshot-attribute --region <REGION> --snapshot-id <EC2_SNAPSHOT_ID> --attribute createVolumePermission --operation remove --user-ids all",
+      "CLI": "aws ec2 modify-snapshot-attribute --snapshot-id <EC2_SNAPSHOT_ID> --attribute createVolumePermission --operation-type remove --group-names all",
       "NativeIaC": "",
-      "Other": "https://docs.prowler.com/checks/aws/public-policies/public_7",
+      "Other": "1. Open the AWS Management Console and go to EC2\n2. In the left menu, select Snapshots\n3. Select the snapshot <EC2_SNAPSHOT_ID>\n4. Click Actions > Modify permissions\n5. Choose Private (remove Public/all if present)\n6. Click Save changes",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Ensure the snapshot should be shared.",
-      "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html"
+      "Text": "Keep snapshots **private** and share only with specific accounts under **least privilege**. Enable `Block public access for Amazon EBS snapshots` regionally. Prefer **CMEK encryption** and avoid sharing keys broadly. Regularly review sharing permissions and monitor snapshot usage.",
+      "Url": "https://hub.prowler.com/check/ec2_ebs_public_snapshot"
     }
   },
   "Categories": [

prowler/providers/aws/services/ec2/ec2_ebs_snapshot_account_block_public_access/ec2_ebs_snapshot_account_block_public_access.metadata.json

@@ -1,29 +1,35 @@
 {
   "Provider": "aws",
   "CheckID": "ec2_ebs_snapshot_account_block_public_access",
-  "CheckTitle": "Ensure that public access to EBS snapshots is disabled",
+  "CheckTitle": "All EBS snapshots have public access blocked",
   "CheckType": [
-    "Data Protection"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "ec2",
-  "SubServiceName": "snapshot",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "AwsAccount",
-  "ResourceGroup": "governance",
-  "Description": "EBS snapshots can be shared with other AWS accounts or made public. By default, EBS snapshots are private and only the AWS account that created the snapshot can access it. If an EBS snapshot is shared with another AWS account or made public, the data in the snapshot can be accessed by the other account or by anyone on the internet. Ensure that public access to EBS snapshots is disabled.",
-  "Risk": "If public access to EBS snapshots is enabled, the data in the snapshot can be accessed by anyone on the internet.",
-  "RelatedUrl": "https://docs.aws.amazon.com/ebs/latest/userguide/block-public-access-snapshots-work.html#block-public-access-snapshots-enable",
+  "ResourceType": "AwsEc2Volume",
+  "ResourceGroup": "compute",
+  "Description": "**EBS snapshots** account/Region configuration for **Block Public Access** is assessed to see whether public sharing is fully blocked (`block-all-sharing`) versus only new sharing (`block-new-sharing`) or unblocked. The state indicates if any snapshot can be publicly shared.",
+  "Risk": "Without `block-all-sharing`, previously public snapshots can remain accessible, exposing raw disk data.\n\nImpacts:\n- Loss of **confidentiality** (PII, keys, configs)\n- Unauthorized cloning enabling **lateral movement**\n- Cross-account copies create **irreversible data leakage**",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/ebs/latest/userguide/block-public-access-snapshots-work.html#block-public-access-snapshots-enable",
+    "https://docs.aws.amazon.com/ebs/latest/userguide/block-public-access-snapshots.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "aws ec2 enable-snapshot-block-public-access --state block-all-sharing",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::EC2::SnapshotBlockPublicAccess\n    Properties:\n      State: block-all-sharing  # CRITICAL: Blocks all public sharing of EBS snapshots in this Region to pass the check\n```",
+      "Other": "1. In the AWS console, select the target Region in the top-right.\n2. Go to EC2 > Snapshots.\n3. Click Settings > Block public access for snapshots.\n4. Select Block all sharing.\n5. Click Save changes.",
+      "Terraform": "```hcl\nresource \"aws_ebs_snapshot_block_public_access\" \"<example_resource_name>\" {\n  state = \"block-all-sharing\" # CRITICAL: Blocks all public sharing of EBS snapshots in this Region\n}\n```"
     },
     "Recommendation": {
-      "Text": "Use the following procedures to configure and monitor block public access for snapshots.",
-      "Url": "https://docs.aws.amazon.com/ebs/latest/userguide/block-public-access-snapshots-work.html#block-public-access-snapshots-enable"
+      "Text": "Set **Block Public Access** for EBS snapshots to `block-all-sharing` in all active Regions.\n\nApply **least privilege** and guardrails (SCPs) to prevent changes. Regularly inventory snapshots, remove public sharing, and use segregated accounts with strict reviews for any necessary external sharing.",
+      "Url": "https://hub.prowler.com/check/ec2_ebs_snapshot_account_block_public_access"
     }
   },
   "Categories": [