Commit f4081f9

puchy22 and MrCloudSec authored
chore(aws): enhance metadata for eventbridge service (#9003)
Co-authored-by: Sergio Garcia <hello@mistercloudsec.com>
1 parent 374496e commit f4081f9


5 files changed: +98 / -51 lines changed


prowler/CHANGELOG.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -71,6 +71,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
7171
- Update AWS CloudFront service metadata to new format [(#8829)](https://github.com/prowler-cloud/prowler/pull/8829)
7272
- Deprecate user authentication for M365 provider [(#8865)](https://github.com/prowler-cloud/prowler/pull/8865)
7373
- Update AWS EFS service metadata to new format [(#8889)](https://github.com/prowler-cloud/prowler/pull/8889)
74+
- Update AWS EventBridge service metadata to new format [(#9003)](https://github.com/prowler-cloud/prowler/pull/9003)
7475
- Update AWS Firehose service metadata to new format [(#9004)](https://github.com/prowler-cloud/prowler/pull/9004)
7576
- Update AWS FMS service metadata to new format [(#9005)](https://github.com/prowler-cloud/prowler/pull/9005)
7677
- Update AWS FSx service metadata to new format [(#9006)](https://github.com/prowler-cloud/prowler/pull/9006)

prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.metadata.json

Lines changed: 26 additions & 13 deletions
@@ -1,29 +1,42 @@
11
{
22
"Provider": "aws",
33
"CheckID": "eventbridge_bus_cross_account_access",
4-
"CheckTitle": "Ensure that AWS EventBridge event buses do not allow unknown cross-account access for delivery of events.",
5-
"CheckType": [],
4+
"CheckTitle": "AWS EventBridge event bus does not allow cross-account access",
5+
"CheckType": [
6+
"Software and Configuration Checks/AWS Security Best Practices",
7+
"Industry and Regulatory Standards/AWS Foundational Security Best Practices",
8+
"TTPs/Initial Access/Unauthorized Access",
9+
"Effects/Data Exposure"
10+
],
611
"ServiceName": "eventbridge",
7-
"SubServiceName": "eventbus",
8-
"ResourceIdTemplate": "arn:partition:events:region:account-id:event-bus/resource-id",
12+
"SubServiceName": "",
13+
"ResourceIdTemplate": "",
914
"Severity": "high",
1015
"ResourceType": "AwsEventsEventbus",
11-
"Description": "Ensure that AWS EventBridge event buses do not allow unknown cross-account access for delivery of events.",
12-
"Risk": "If an AWS EventBridge event bus allows unknown cross-account access for delivery of events, it can lead to unauthorized access to the event bus and its events.",
13-
"RelatedUrl": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
16+
"Description": "**EventBridge event bus** has a **resource policy** that grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
17+
"Risk": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
18+
"RelatedUrl": "",
19+
"AdditionalURLs": [
20+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
21+
"https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
22+
"https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
23+
],
1424
"Remediation": {
1525
"Code": {
1626
"CLI": "aws events remove-permission --event-bus-name <event_bus_name> --statement-id <statement_id>",
17-
"NativeIaC": "",
18-
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
19-
"Terraform": ""
27+
"NativeIaC": "```yaml\n# CloudFormation: restrict EventBridge event bus to same account only\nResources:\n <example_resource_name>:\n Type: AWS::Events::EventBusPolicy\n Properties:\n StatementId: <example_resource_id>\n Action: events:PutEvents\n Principal: !Ref AWS::AccountId # Critical: allows only this AWS account, blocking cross-account access\n EventBusName: <example_resource_name>\n```",
28+
"Other": "1. In the AWS Console, go to Amazon EventBridge > Event buses\n2. Select the event bus (<event_bus_name>)\n3. Open the Permissions tab and click Edit\n4. Remove any statements that grant access to other accounts, an organization, or \"*\"\n5. Save changes",
29+
"Terraform": "```hcl\n# Terraform: restrict EventBridge event bus to same account only\nresource \"aws_cloudwatch_event_permission\" \"<example_resource_name>\" {\n statement_id = \"<example_resource_id>\"\n action = \"events:PutEvents\"\n principal = \"<example_resource_id>\" # Critical: set to your own AWS account ID to block cross-account access\n event_bus_name = \"<example_resource_name>\"\n}\n```"
2030
},
2131
"Recommendation": {
22-
"Text": "To remediate this issue, remove the unknown cross-account access for delivery of events from the AWS EventBridge event bus.",
23-
"Url": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
32+
"Text": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
33+
"Url": "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
2434
}
2535
},
26-
"Categories": [],
36+
"Categories": [
37+
"identity-access",
38+
"trust-boundaries"
39+
],
2740
"DependsOn": [],
2841
"RelatedTo": [],
2942
"Notes": ""
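Review bot: In the Terraform remediation (the `"Terraform"` line of this hunk), `principal = "<example_resource_id>"` reuses the placeholder already used for `statement_id`, while the trailing comment says the value must be the account's own AWS account ID; anyone copying the snippet will paste the statement ID into `principal`. Use a distinct placeholder, e.g. `principal = "<example_account_id>" # your own 12-digit AWS account ID`, matching the `<example_account_id>` convention the `eventbridge_bus_exposed` metadata in this same commit uses. Also, the second `CheckType` entry here, `Industry and Regulatory Standards/AWS Foundational Security Best Practices`, lacks the `Software and Configuration Checks/` namespace prefix that the equivalent entry in `eventbridge_bus_exposed` carries; the two files should agree on the full namespace/category/classifier path.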

prowler/providers/aws/services/eventbridge/eventbridge_bus_exposed/eventbridge_bus_exposed.metadata.json

Lines changed: 21 additions & 11 deletions
@@ -1,26 +1,36 @@
11
{
22
"Provider": "aws",
33
"CheckID": "eventbridge_bus_exposed",
4-
"CheckTitle": "Ensure that your AWS EventBridge event bus is not exposed to everyone",
5-
"CheckType": [],
4+
"CheckTitle": "AWS EventBridge event bus policy does not allow public access",
5+
"CheckType": [
6+
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
7+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
8+
"TTPs/Initial Access/Unauthorized Access"
9+
],
610
"ServiceName": "eventbridge",
711
"SubServiceName": "",
8-
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
12+
"ResourceIdTemplate": "",
913
"Severity": "high",
1014
"ResourceType": "AwsEventsEventbus",
11-
"Description": "Ensure that your AWS EventBridge event bus is not exposed to everyone.",
12-
"Risk": "If your AWS EventBridge event bus is exposed to everyone, unauthorized users can access your event bus and potentially view or modify your events.",
13-
"RelatedUrl": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
15+
"Description": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
16+
"Risk": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
17+
"RelatedUrl": "",
18+
"AdditionalURLs": [
19+
"https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
20+
"https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
21+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
22+
"https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
23+
],
1424
"Remediation": {
1525
"Code": {
1626
"CLI": "aws events remove-permission --event-bus-name <event_bus_name> --statement-id <statement_id>",
17-
"NativeIaC": "",
18-
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
19-
"Terraform": ""
27+
"NativeIaC": "```yaml\n# CloudFormation: restrict EventBridge event bus access to a specific account (not public)\nResources:\n <example_resource_name>:\n Type: AWS::Events::EventBusPolicy\n Properties:\n StatementId: AllowSpecificAccount\n Action: events:PutEvents\n Principal: arn:aws:iam::<example_account_id>:root # CRITICAL: limit access to a specific AWS account to prevent public access\n # Omitting EventBusName applies this to the default event bus\n```",
28+
"Other": "1. Open the AWS Console and go to EventBridge > Event buses\n2. Select the target event bus and open the Permissions tab\n3. Click Edit policy\n4. Remove any statement where Principal is \"*\" or AWS is \"*\"\n5. If needed, add a statement allowing only your trusted account ID as Principal (arn:aws:iam::<ACCOUNT_ID>:root)\n6. Save changes",
29+
"Terraform": "```hcl\nresource \"aws_cloudwatch_event_bus_policy\" \"<example_resource_name>\" {\n # CRITICAL: Principal is a specific AWS account, not \"*\", preventing public access\n policy = <<POLICY\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [{\n \"Sid\": \"AllowSpecificAccount\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::<example_account_id>:root\"},\n \"Action\": \"events:PutEvents\",\n \"Resource\": \"arn:aws:events:<example_region>:<example_account_id>:event-bus/default\"\n }]\n}\nPOLICY\n}\n```"
2030
},
2131
"Recommendation": {
22-
"Text": "To restrict access to your AWS EventBridge event bus, remove the permission that allows everyone to access it.",
23-
"Url": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
32+
"Text": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
33+
"Url": "https://hub.prowler.com/check/eventbridge_bus_exposed"
2434
}
2535
},
2636
"Categories": [
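Review bot: In the NativeIaC snippet (the `"NativeIaC"` line), `Principal: arn:aws:iam::<example_account_id>:root` hands an ARN to the `Principal` property of `AWS::Events::EventBusPolicy`, but that property takes a 12-digit AWS account ID (or `*`), the same value `aws events put-permission --principal` accepts; the ARN form belongs inside a full policy document, which is exactly what the Terraform snippet in the same hunk does with `"Principal": {"AWS": "arn:aws:iam::<example_account_id>:root"}`. Either set `Principal: <example_account_id>` or move the CloudFormation example to the `Statement` property with that JSON policy. Worth one sentence as well: the console steps in `Other` remove the wildcard statement, whereas the CloudFormation example only adds a statement and leaves an existing `"*"` grant in place, so the `remove-permission` step still has to run first.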

prowler/providers/aws/services/eventbridge/eventbridge_global_endpoint_event_replication_enabled/eventbridge_global_endpoint_event_replication_enabled.metadata.json

Lines changed: 24 additions & 13 deletions
@@ -1,32 +1,43 @@
11
{
22
"Provider": "aws",
33
"CheckID": "eventbridge_global_endpoint_event_replication_enabled",
4-
"CheckTitle": "Check if EventBridge global endpoints have event replication enabled.",
4+
"CheckTitle": "EventBridge global endpoint has event replication enabled",
55
"CheckType": [
6-
"Software and Configuration Checks/Vulnerabilities"
6+
"Software and Configuration Checks/AWS Security Best Practices",
7+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
78
],
89
"ServiceName": "eventbridge",
910
"SubServiceName": "",
10-
"ResourceIdTemplate": "arn:aws:events:{region}:{account-id}:endpoint/{endpoint-id}",
11+
"ResourceIdTemplate": "",
1112
"Severity": "medium",
1213
"ResourceType": "AwsEventsEndpoint",
13-
"Description": "Check if event replication is enabled for an Amazon EventBridge global endpoint. The control fails if event replication isn't enabled.",
14-
"Risk": "Without event replication, automatic failover in case of Regional failure may not work as expected, increasing the risk of service disruption.",
15-
"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/global-endpoint-event-replication-enabled.html",
14+
"Description": "**EventBridge global endpoints** are configured with **event replication** `ENABLED` (not `DISABLED`) so custom events are replicated to both the primary and secondary Regions.",
15+
"Risk": "**No event replication** degrades **availability** and increases **RPO** during Regional outages.\n- Events can be lost or delayed if the primary Region fails\n- Automatic recovery to the primary may not occur, prolonging failover\n- Cross-Region inconsistency can affect data integrity",
16+
"RelatedUrl": "",
17+
"AdditionalURLs": [
18+
"https://docs.aws.amazon.com/securityhub/latest/userguide/eventbridge-controls.html#eventbridge-4",
19+
"https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-global-endpoints.html",
20+
"https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Endpoint.html",
21+
"https://docs.aws.amazon.com/config/latest/developerguide/global-endpoint-event-replication-enabled.html",
22+
"https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-ge-create-endpoint.html",
23+
"https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-ge-best-practices.html",
24+
"https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_CreateEndpoint.html",
25+
"https://aws.amazon.com/blogs/compute/introducing-global-endpoints-for-amazon-eventbridge/"
26+
],
1627
"Remediation": {
1728
"Code": {
18-
"CLI": "aws events update-endpoint --name <endpoint-name> --event-replication-enabled",
19-
"NativeIaC": "",
20-
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/eventbridge-controls.html#eventbridge-4",
21-
"Terraform": ""
29+
"CLI": "aws events update-endpoint --name <endpoint-name> --replication-config State=ENABLED --role-arn <role-arn>",
30+
"NativeIaC": "```yaml\n# CloudFormation: Enable event replication on an EventBridge global endpoint\nResources:\n Endpoint:\n Type: AWS::Events::Endpoint\n Properties:\n Name: <example_resource_name>\n EventBuses:\n - EventBusArn: arn:aws:events:us-east-1:<example_resource_id>:event-bus/<example_resource_name>\n - EventBusArn: arn:aws:events:us-west-2:<example_resource_id>:event-bus/<example_resource_name>\n RoutingConfig:\n FailoverConfig:\n Primary:\n HealthCheck: arn:aws:route53:::healthcheck/<example_resource_id>\n Secondary:\n Route: us-west-2\n ReplicationConfig:\n State: ENABLED # Critical: enables event replication\n RoleArn: arn:aws:iam::<example_resource_id>:role/<example_resource_name> # Critical: role used by replication\n```",
31+
"Other": "1. In the AWS Console, open Amazon EventBridge and go to Global endpoints\n2. Select the endpoint and choose Edit\n3. Under Event replication, check Event replication enabled\n4. For Execution role, select an existing role or create a new one\n5. Save changes",
32+
"Terraform": "```hcl\n# Terraform (awscc): Enable event replication on an EventBridge global endpoint\nresource \"awscc_events_endpoint\" \"example\" {\n name = \"<example_resource_name>\"\n\n event_buses = [\n { event_bus_arn = \"arn:aws:events:us-east-1:<example_resource_id>:event-bus/<example_resource_name>\" },\n { event_bus_arn = \"arn:aws:events:us-west-2:<example_resource_id>:event-bus/<example_resource_name>\" }\n ]\n\n routing_config = {\n failover_config = {\n primary = { health_check = \"arn:aws:route53:::healthcheck/<example_resource_id>\" }\n secondary = { route = \"us-west-2\" }\n }\n }\n\n replication_config = { state = \"ENABLED\" } # Critical: enables event replication\n role_arn = \"arn:aws:iam::<example_resource_id>:role/<example_resource_name>\" # Critical: role used by replication\n}\n```"
2233
},
2334
"Recommendation": {
24-
"Text": "Enable event replication for your EventBridge global endpoints to ensure failover and regional fault tolerance.",
25-
"Url": "https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-global-endpoints.html"
35+
"Text": "Turn on **event replication** for global endpoints to ensure Regional resilience. Keep event buses, rules, and targets aligned across Regions. Use a dedicated IAM role with **least privilege** for replication. Design consumers for **idempotency** with unique IDs. Regularly test failover and monitor health as part of **defense in depth**.",
36+
"Url": "https://hub.prowler.com/check/eventbridge_global_endpoint_event_replication_enabled"
2637
}
2738
},
2839
"Categories": [
29-
"redundancy"
40+
"resilience"
3041
],
3142
"DependsOn": [],
3243
"RelatedTo": [],
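Review bot: The Terraform remediation (the `"Terraform"` line) switches to the Cloud Control provider (`awscc_events_endpoint`) while the other two metadata files in this commit use the standard `aws` provider; the `aws` provider's `aws_cloudwatch_event_endpoint` resource supports the same `replication_config { state = "ENABLED" }` block, `role_arn`, `event_bus` blocks and `routing_config`/`failover_config`, so using it keeps the snippets consistent across the service and avoids requiring a second provider. Separately, in both the CloudFormation and Terraform snippets `<example_resource_id>` stands in for three different values (the account ID in the event bus ARNs and the role ARN, and the Route 53 health check ID); distinct placeholders such as `<example_account_id>` and `<example_health_check_id>` would stop a single copy-paste from landing in all three. The CLI change to `--replication-config State=ENABLED --role-arn <role-arn>` is right: the endpoint API takes `ReplicationConfig.State` and needs `RoleArn` when replication is enabled.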
