When to Use

Use this skill when:

Creating a new compliance framework for any provider Adding requirements to existing frameworks Mapping checks to compliance controls Understanding compliance framework structures and attributes Compliance Framework Location

Frameworks are JSON files located in: prowler/compliance/{provider}/{framework_name}_{provider}.json

Supported Providers:

aws - Amazon Web Services azure - Microsoft Azure gcp - Google Cloud Platform kubernetes - Kubernetes github - GitHub m365 - Microsoft 365 alibabacloud - Alibaba Cloud cloudflare - Cloudflare oraclecloud - Oracle Cloud oci - Oracle Cloud Infrastructure nhn - NHN Cloud mongodbatlas - MongoDB Atlas iac - Infrastructure as Code llm - Large Language Models Base Framework Structure

All compliance frameworks share this base structure:

{ "Framework": "FRAMEWORK_NAME", "Name": "Full Framework Name with Version", "Version": "X.X", "Provider": "PROVIDER", "Description": "Framework description...", "Requirements": [ { "Id": "requirement_id", "Description": "Requirement description", "Name": "Optional requirement name", "Attributes": [...], "Checks": ["check_name_1", "check_name_2"] } ] }

Framework-Specific Attribute Structures

Each framework type has its own attribute model. Below are the exact structures used by Prowler:

CIS (Center for Internet Security)

Framework ID format: cis_{version}_{provider} (e.g., cis_5.0_aws)

{ "Id": "1.1", "Description": "Maintain current contact details", "Checks": ["account_maintain_current_contact_details"], "Attributes": [ { "Section": "1 Identity and Access Management", "SubSection": "Optional subsection", "Profile": "Level 1", "AssessmentStatus": "Automated", "Description": "Detailed attribute description", "RationaleStatement": "Why this control matters", "ImpactStatement": "Impact of implementing this control", "RemediationProcedure": "Steps to fix the issue", "AuditProcedure": "Steps to verify compliance", "AdditionalInformation": "Extra notes", "DefaultValue": "Default configuration value", "References": "https://docs.example.com/reference" } ] }

Profile values: Level 1, Level 2, E3 Level 1, E3 Level 2, E5 Level 1, E5 Level 2 AssessmentStatus values: Automated, Manual

ISO 27001

Framework ID format: iso27001_{year}_{provider} (e.g., iso27001_2022_aws)

{ "Id": "A.5.1", "Description": "Policies for information security should be defined...", "Name": "Policies for information security", "Checks": ["securityhub_enabled"], "Attributes": [ { "Category": "A.5 Organizational controls", "Objetive_ID": "A.5.1", "Objetive_Name": "Policies for information security", "Check_Summary": "Summary of what is being checked" } ] }

Note: Objetive_ID and Objetive_Name use this exact spelling (not "Objective").

ENS (Esquema Nacional de Seguridad - Spain)

Framework ID format: ens_rd2022_{provider} (e.g., ens_rd2022_aws)

{ "Id": "op.acc.1.aws.iam.2", "Description": "Proveedor de identidad centralizado", "Checks": ["iam_check_saml_providers_sts"], "Attributes": [ { "IdGrupoControl": "op.acc.1", "Marco": "operacional", "Categoria": "control de acceso", "DescripcionControl": "Detailed control description in Spanish", "Nivel": "alto", "Tipo": "requisito", "Dimensiones": ["trazabilidad", "autenticidad"], "ModoEjecucion": "automatico", "Dependencias": [] } ] }

Nivel values: opcional, bajo, medio, alto Tipo values: refuerzo, requisito, recomendacion, medida Dimensiones values: confidencialidad, integridad, trazabilidad, autenticidad, disponibilidad

MITRE ATT&CK

Framework ID format: mitre_attack_{provider} (e.g., mitre_attack_aws)

MITRE uses a different requirement structure:

{ "Name": "Exploit Public-Facing Application", "Id": "T1190", "Tactics": ["Initial Access"], "SubTechniques": [], "Platforms": ["Containers", "IaaS", "Linux", "Network", "Windows", "macOS"], "Description": "Adversaries may attempt to exploit a weakness...", "TechniqueURL": "https://attack.mitre.org/techniques/T1190/", "Checks": ["guardduty_is_enabled", "inspector2_is_enabled"], "Attributes": [ { "AWSService": "Amazon GuardDuty", "Category": "Detect", "Value": "Minimal", "Comment": "Explanation of how this service helps..." } ] }

For Azure: Use AzureService instead of AWSService For GCP: Use GCPService instead of AWSService Category values: Detect, Protect, Respond Value values: Minimal, Partial, Significant

NIST 800-53

Framework ID format: nist_800_53_revision_{version}_{provider} (e.g., nist_800_53_revision_5_aws)

{ "Id": "ac_2_1", "Name": "AC-2(1) Automated System Account Management", "Description": "Support the management of system accounts...", "Checks": ["iam_password_policy_minimum_length_14"], "Attributes": [ { "ItemId": "ac_2_1", "Section": "Access Control (AC)", "SubSection": "Account Management (AC-2)", "SubGroup": "AC-2(3) Disable Accounts", "Service": "iam" } ] }

Generic Compliance (Fallback)

For frameworks without specific attribute models:

{ "Id": "requirement_id", "Description": "Requirement description", "Name": "Optional name", "Checks": ["check_name"], "Attributes": [ { "ItemId": "item_id", "Section": "Section name", "SubSection": "Subsection name", "SubGroup": "Subgroup name", "Service": "service_name", "Type": "type" } ] }

AWS Well-Architected Framework

Framework ID format: aws_well_architected_framework_{pillar}_pillar_aws

{ "Id": "SEC01-BP01", "Description": "Establish common guardrails...", "Name": "Establish common guardrails", "Checks": ["account_part_of_organizations"], "Attributes": [ { "Name": "Establish common guardrails", "WellArchitectedQuestionId": "securely-operate", "WellArchitectedPracticeId": "sec_securely_operate_multi_accounts", "Section": "Security", "SubSection": "Security foundations", "LevelOfRisk": "High", "AssessmentMethod": "Automated", "Description": "Detailed description", "ImplementationGuidanceUrl": "https://docs.aws.amazon.com/..." } ] }

KISA ISMS-P (Korea)

Framework ID format: kisa_isms_p_{year}_{provider} (e.g., kisa_isms_p_2023_aws)

{ "Id": "1.1.1", "Description": "Requirement description", "Name": "Requirement name", "Checks": ["check_name"], "Attributes": [ { "Domain": "1. Management System", "Subdomain": "1.1 Management System Establishment", "Section": "1.1.1 Section Name", "AuditChecklist": ["Checklist item 1", "Checklist item 2"], "RelatedRegulations": ["Regulation 1"], "AuditEvidence": ["Evidence type 1"], "NonComplianceCases": ["Non-compliance example"] } ] }

C5 (Germany Cloud Computing Compliance Criteria Catalogue)

Framework ID format: c5_{provider} (e.g., c5_aws)

{ "Id": "BCM-01", "Description": "Requirement description", "Name": "Requirement name", "Checks": ["check_name"], "Attributes": [ { "Section": "BCM Business Continuity Management", "SubSection": "BCM-01", "Type": "Basic Criteria", "AboutCriteria": "Description of criteria", "ComplementaryCriteria": "Additional criteria" } ] }

CCC (Cloud Computing Compliance)

Framework ID format: ccc_{provider} (e.g., ccc_aws)

{ "Id": "CCC.C01", "Description": "Requirement description", "Name": "Requirement name", "Checks": ["check_name"], "Attributes": [ { "FamilyName": "Cryptography & Key Management", "FamilyDescription": "Family description", "Section": "CCC.C01", "SubSection": "Key Management", "SubSectionObjective": "Objective description", "Applicability": ["IaaS", "PaaS", "SaaS"], "Recommendation": "Recommended action", "SectionThreatMappings": [{"threat": "T1190"}], "SectionGuidelineMappings": [{"guideline": "NIST"}] } ] }

Prowler ThreatScore

Framework ID format: prowler_threatscore_{provider} (e.g., prowler_threatscore_aws)

Prowler ThreatScore is a custom security scoring framework developed by Prowler that evaluates AWS account security based on four main pillars:

Pillar Description 1. IAM Identity and Access Management controls (authentication, authorization, credentials) 2. Attack Surface Network exposure, public resources, security group rules 3. Logging and Monitoring Audit logging, threat detection, forensic readiness 4. Encryption Data at rest and in transit encryption

Scoring System:

LevelOfRisk (1-5): Severity of the security issue 5 = Critical (e.g., root MFA, public S3 buckets) 4 = High (e.g., user MFA, public EC2) 3 = Medium (e.g., password policies, encryption) 2 = Low 1 = Informational Weight: Impact multiplier for score calculation 1000 = Critical controls (root security, public exposure) 100 = High-impact controls (user authentication, monitoring) 10 = Standard controls (password policies, encryption) 1 = Low-impact controls (best practices) { "Id": "1.1.1", "Description": "Ensure MFA is enabled for the 'root' user account", "Checks": ["iam_root_mfa_enabled"], "Attributes": [ { "Title": "MFA enabled for 'root'", "Section": "1. IAM", "SubSection": "1.1 Authentication", "AttributeDescription": "The root user account holds the highest level of privileges within an AWS account. Enabling MFA enhances security by adding an additional layer of protection.", "AdditionalInformation": "Enabling MFA enhances console security by requiring the authenticating user to both possess a time-sensitive key-generating device and have knowledge of their credentials.", "LevelOfRisk": 5, "Weight": 1000 } ] }

Available for providers: AWS, Kubernetes, M365

Available Compliance Frameworks AWS (41 frameworks) Framework File Name CIS 1.4, 1.5, 2.0, 3.0, 4.0, 5.0 cis_{version}aws.json ISO 27001:2013, 2022 iso27001aws.json NIST 800-53 Rev 4, 5 nist_800_53_revisionaws.json NIST 800-171 Rev 2 nist_800_171_revision_2_aws.json NIST CSF 1.1, 2.0 nist_csfaws.json PCI DSS 3.2.1, 4.0 pciaws.json HIPAA hipaa_aws.json GDPR gdpr_aws.json SOC 2 soc2_aws.json FedRAMP Low/Moderate fedramprevision_4_aws.json ENS RD2022 ens_rd2022_aws.json MITRE ATT&CK mitre_attack_aws.json C5 Germany c5_aws.json CISA cisa_aws.json FFIEC ffiec_aws.json RBI Cyber Security rbi_cyber_security_framework_aws.json AWS Well-Architected aws_well_architected_frameworkpillar_aws.json AWS FTR aws_foundational_technical_review_aws.json GxP 21 CFR Part 11, EU Annex 11 gxpaws.json KISA ISMS-P 2023 kisa_isms_p_2023_aws.json NIS2 nis2_aws.json Azure (15+ frameworks) Framework File Name CIS 2.0, 2.1, 3.0, 4.0 cisazure.json ISO 27001:2022 iso27001_2022_azure.json ENS RD2022 ens_rd2022_azure.json MITRE ATT&CK mitre_attack_azure.json PCI DSS 4.0 pci_4.0_azure.json NIST CSF 2.0 nist_csf_2.0_azure.json GCP (15+ frameworks) Framework File Name CIS 2.0, 3.0, 4.0 cisgcp.json ISO 27001:2022 iso27001_2022_gcp.json HIPAA hipaa_gcp.json MITRE ATT&CK mitre_attack_gcp.json PCI DSS 4.0 pci_4.0_gcp.json NIST CSF 2.0 nist_csf_2.0_gcp.json Kubernetes (6 frameworks) Framework File Name CIS 1.8, 1.10, 1.11 ciskubernetes.json ISO 27001:2022 iso27001_2022_kubernetes.json PCI DSS 4.0 pci_4.0_kubernetes.json Other Providers GitHub: cis_1.0_github.json M365: cis_4.0_m365.json, iso27001_2022_m365.json NHN: iso27001_2022_nhn.json Best Practices Requirement IDs: Follow the original framework numbering exactly (e.g., "1.1", "A.5.1", "T1190", "ac_2_1") Check Mapping: Map to existing checks when possible. Use Checks: [] for manual-only requirements Completeness: Include all framework requirements, even those without automated checks Version Control: Include framework version in Name and Version fields File Naming: Use format {framework}.json Validation: Prowler validates JSON against Pydantic models at startup - invalid JSON will cause errors Commands}_{provider

List available frameworks for a provider

prowler {provider} --list-compliance

Run scan with specific compliance framework

prowler aws --compliance cis_5.0_aws

Run scan with multiple frameworks

prowler aws --compliance cis_5.0_aws pci_4.0_aws

Output compliance report in multiple formats

prowler aws --compliance cis_5.0_aws -M csv json html

Code References Compliance Models: prowler/lib/check/compliance_models.py Compliance Processing: prowler/lib/check/compliance.py Compliance Output: prowler/lib/outputs/compliance/ Resources Templates: See assets/ for framework JSON templates Documentation: See references/compliance-docs.md for additional resources