Skip to main content
Several Prowler’s checks have user configurable variables that can be modified in a common configuration file. This file can be found in the following path:
prowler/config/config.yaml
Additionally, you can input a custom configuration file using the --config-file argument.
Numeric thresholds enforce hard limits. A value outside the accepted range is dropped with a warning and the check falls back to its built-in default. See Configuration Value Limits for the exact range of every bounded option (max-days caps, percentages, counts, etc.).

AWS

Configurable Checks

The following list includes all the AWS checks with configurable variables that can be changed in the configuration yaml file:
Check NameValueType
acm_certificates_expiration_checkdays_to_expire_thresholdInteger
acmpca_certificate_authority_pqc_key_algorithmacmpca_pqc_key_algorithmsList of Strings
apigateway_restapi_no_secrets_in_stage_variablessecrets_ignore_patternsList of Strings
appstream_fleet_maximum_session_durationmax_session_duration_secondsInteger
appstream_fleet_session_disconnect_timeoutmax_disconnect_timeout_in_secondsInteger
appstream_fleet_session_idle_disconnect_timeoutmax_idle_disconnect_timeout_in_secondsInteger
autoscaling_find_secrets_ec2_launch_configurationsecrets_ignore_patternsList of Strings
awslambda_function_no_secrets_in_codesecrets_ignore_patternsList of Strings
awslambda_function_no_secrets_in_variablessecrets_ignore_patternsList of Strings
awslambda_function_using_supported_runtimesobsolete_lambda_runtimesInteger
awslambda_function_vpc_is_in_multi_azslambda_min_azsInteger
cloudformation_stack_outputs_find_secretssecrets_ignore_patternsList of Strings
cloudtrail_threat_detection_enumerationthreat_detection_enumeration_actionsList of Strings
cloudtrail_threat_detection_enumerationthreat_detection_enumeration_entropyInteger
cloudtrail_threat_detection_enumerationthreat_detection_enumeration_minutesInteger
cloudtrail_threat_detection_privilege_escalationthreat_detection_privilege_escalation_actionsList of Strings
cloudtrail_threat_detection_privilege_escalationthreat_detection_privilege_escalation_entropyInteger
cloudtrail_threat_detection_privilege_escalationthreat_detection_privilege_escalation_minutesInteger
cloudwatch_log_group_no_secrets_in_logssecrets_ignore_patternsList of Strings
cloudwatch_log_group_retention_policy_specific_days_enabledlog_group_retention_daysInteger
codebuild_github_allowed_organizationsgithub_allowed_organizationsList of Strings
codebuild_project_no_secrets_in_variablesexcluded_sensitive_environment_variablesList of Strings
codebuild_project_no_secrets_in_variablessecrets_ignore_patternsList of Strings
config_recorder_all_regions_enabledmute_non_default_regionsBoolean
drs_job_existmute_non_default_regionsBoolean
ec2_elastic_ip_shodanshodan_api_keyString
ec2_instance_older_than_specific_daysmax_ec2_instance_age_in_daysInteger
ec2_instance_secrets_user_datasecrets_ignore_patternsList of Strings
ec2_launch_template_no_secretssecrets_ignore_patternsList of Strings
ec2_securitygroup_allow_ingress_from_internet_to_any_portec2_allowed_instance_ownersList of Strings
ec2_securitygroup_allow_ingress_from_internet_to_any_portec2_allowed_interface_typesList of Strings
ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_portsec2_high_risk_portsList of Integer
ec2_securitygroup_with_many_ingress_egress_rulesmax_security_group_rulesInteger
ecs_task_definitions_no_environment_secretssecrets_ignore_patternsList of Strings
ecr_repositories_scan_vulnerabilities_in_latest_imageecr_repository_vulnerability_minimum_severityString
eks_cluster_uses_a_supported_versioneks_cluster_oldest_version_supportedString
eks_control_plane_logging_all_types_enabledeks_required_log_typesList of Strings
elasticache_redis_cluster_backup_enabledminimum_snapshot_retention_periodInteger
elb_is_in_multiple_azelb_min_azsInteger
elbv2_is_in_multiple_azelbv2_min_azsInteger
rolesanywhere_trust_anchor_pqc_pkirolesanywhere_pqc_pca_key_algorithmsList of Strings
cloudfront_distributions_pqc_tls_enabledcloudfront_pqc_min_protocol_versionsList of Strings
apigateway_domain_name_pqc_tls_enabledapigateway_pqc_tls_allowed_policiesList of Strings
guardduty_is_enabledmute_non_default_regionsBoolean
iam_user_access_not_stale_to_sagemakermax_unused_sagemaker_access_daysInteger
iam_user_accesskey_unusedmax_unused_access_keys_daysInteger
iam_user_console_access_unusedmax_console_access_daysInteger
organizations_delegated_administratorsorganizations_trusted_delegated_administratorsList of Strings
organizations_scp_check_deny_regionsorganizations_enabled_regionsList of Strings
rds_instance_backup_enabledcheck_rds_instance_replicasBoolean
securityhub_enabledmute_non_default_regionsBoolean
secretsmanager_secret_unusedmax_days_secret_unusedInteger
secretsmanager_secret_rotated_periodicallymax_days_secret_unrotatedInteger
ssm_document_secretssecrets_ignore_patternsList of Strings
trustedadvisor_premium_support_plan_subscribedverify_premium_support_plansBoolean
transfer_server_pqc_ssh_kex_enabledtransfer_pqc_ssh_allowed_policiesList of Strings
dynamodb_table_cross_account_accesstrusted_account_idsList of Strings
eventbridge_bus_cross_account_accesstrusted_account_idsList of Strings
eventbridge_schema_registry_cross_account_accesstrusted_account_idsList of Strings
s3_bucket_cross_account_accesstrusted_account_idsList of Strings
ssm_documents_set_as_publictrusted_account_idsList of Strings
vpc_endpoint_connections_trust_boundariestrusted_account_idsList of Strings
vpc_endpoint_services_allowed_principals_trust_boundariestrusted_account_idsList of Strings
opensearch_service_domains_not_publicly_accessibletrusted_ipsList of Strings

Resource Scan Limit

Some AWS services accumulate large numbers of resources (EBS snapshots, backup recovery points, CloudWatch log groups, Lambda functions, ECS task definitions, and CodeArtifact packages). Scanning every resource increases scan time, cost, API throttling, and finding volume. By default, Prowler scans every resource. Configure a positive resource scan limit to cap how many resources Prowler analyzes for these high-volume AWS resource paths. The global default applies to the supported resources below and is overridable per resource. The default global value is 0, which disables the limit and scans every resource. A global null value is also unlimited. For per-resource values, null means inherit the global default; set 0 or a negative value to disable that resource limit explicitly. Positive values enable limits.
When positive resource scan limits are configured, compliance results are based only on the selected resources, not on the full set of matching resources in the account. Treat compliance summaries and percentages as partial evidence, because unselected resources are not analyzed and can change the real compliance posture.

Global Behavior

Resource scan limits select resources for analysis. They do not cap, prioritize, or reorder findings.
  • 0, negative, or global null values: Disable the limit and keep the legacy behavior for that resource path. Prowler analyzes every discovered matching resource.
  • Positive values: Select at most that many resources for the affected resource path. A selected resource can produce zero, one, or many findings.
  • No PASS/FAIL prioritization: Prowler does not inspect the compliance result before selecting resources. Limits do not prefer failed resources, passed resources, or resources with more findings.
  • Latest-first where possible: When AWS exposes timestamps or useful ordering, Prowler selects the newest resources first. When AWS only exposes API order, Prowler preserves that API order and documents the behavior as best effort.
  • Findings are downstream: Checks only evaluate the resources exposed by the service client after selection. Findings from unselected resources are not produced because those resources are not analyzed.
Exact list API call reduction depends on each AWS API’s ordering and pagination capabilities. When Prowler must enumerate candidates locally to select the latest resources, list calls may still read candidates, but expensive per-resource enrichment calls are bounded to the selected resources for the supported paths below.

Full Collections Versus Limited Analysis Sets

Some checks need lightweight evidence from a complete resource collection to avoid incorrect cross-service conclusions, while other checks perform primary analysis on a limited resource set. Prowler keeps full lightweight collections where they are needed for cross-service evidence. For example:
  • Lambda security groups and regions: Prowler records security groups used by all discovered Lambda functions and the regions where functions exist before it limits Lambda functions for primary Lambda checks. This helps Amazon EC2 and Amazon Inspector checks avoid false positives such as treating Lambda security groups as unused or assuming a region has no Lambda functions.
  • CloudWatch all_log_groups: Prowler records all discovered CloudWatch log groups in all_log_groups before limiting the primary log_groups analysis set. Other services can still resolve log group evidence, while CloudWatch log group checks only analyze the selected log groups.
This split is intentional. It reduces expensive per-resource analysis calls without discarding lightweight context that other services need for accurate results.

Supported AWS Resource Limits

ValueScopeType
max_scanned_resources_per_serviceGlobal default for all supported high-volume AWS resources (default 0, disabled/unlimited)Integer
max_ebs_snapshotsEBS snapshots (ec2_ebs_* checks)Integer
max_backup_recovery_pointsBackup recovery points (backup_recovery_point_*)Integer
max_cloudwatch_log_groupsCloudWatch log groups (cloudwatch_log_group_*)Integer
max_lambda_functionsLambda functions (awslambda_function_*)Integer
max_ecs_task_definitionsECS task definitions (ecs_task_definitions_*)Integer
max_codeartifact_packagesCodeArtifact packages (codeartifact_packages_*)Integer

Resource Limit Behavior By Resource Path

Resource PathWhat Prowler DiscoversWhat A Positive Limit Selects For AnalysisOrdering And Latest BehaviorAWS Calls ReducedDrawbacks And Consequences
EBS snapshots (max_ebs_snapshots)Prowler lists self-owned snapshots and keeps lightweight evidence that volumes and regions have snapshots.The selected EBS snapshots exposed to ec2_ebs_* checks.Prowler sorts discovered snapshots by StartTime newest first, then applies the limit. Snapshots without a timestamp sort last.Bounds expensive per-snapshot public attribute checks to selected snapshots. Snapshot listing still runs so Prowler can choose the newest snapshots and keep volume/region evidence.Older unselected snapshots are not analyzed by snapshot checks. A public, unencrypted, or otherwise noncompliant older snapshot can be missed when the limit is lower than the number of snapshots.
Backup recovery points (max_backup_recovery_points)Prowler lists backup vaults, plans, selections, and recovery point candidates in discovered vaults.The selected recovery points exposed to backup_recovery_point_* checks and tag hydration.Prowler sorts discovered recovery points by CreationDate newest first across vaults, then applies the limit. Recovery points without a timestamp sort last.Bounds recovery point tag calls to selected recovery points. Vault and recovery point list calls still run so Prowler can choose the newest points.Older unselected recovery points are not analyzed. A nonencrypted or otherwise noncompliant older recovery point can be missed.
CloudWatch log groups (max_cloudwatch_log_groups)Prowler lists log groups into both all_log_groups and the primary log_groups collection. all_log_groups remains available as lightweight cross-service evidence.The selected log groups exposed to cloudwatch_log_group_* checks, tag hydration, and log event retrieval for checks that need log contents.Prowler sorts discovered log groups by creationTime newest first, then applies the limit. Log groups without a creation time sort last.Bounds tag calls and log event retrieval to selected log groups. Log group listing still runs to build all_log_groups and choose newest log groups.Older unselected log groups are not analyzed by CloudWatch log group checks. Retention, encryption, or secrets-in-logs issues in older log groups can be missed, although cross-service evidence can still use all_log_groups.
Lambda functions (max_lambda_functions)Prowler lists Lambda functions and records lightweight security group and region evidence for all discovered functions.The selected Lambda functions exposed to awslambda_function_* checks and per-function enrichment such as tags, policies, function URLs, and event source mappings.Prowler sorts discovered functions by LastModified newest first, then applies the limit. Functions without LastModified sort last.Bounds per-function enrichment calls to selected functions. Function listing still runs to choose newest functions and keep security group/region evidence.Older unselected functions are not analyzed by Lambda checks. Runtime, policy, URL, environment secret, or dead-letter queue issues in older functions can be missed. Cross-service checks can still use full Lambda security group and region evidence to avoid false positives.
ECS task definitions (max_ecs_task_definitions)Prowler lists ECS task definition ARN candidates in each region. Candidate ARNs can remain visible and discoverable through AWS list operations, even when not all are described.The selected task definitions that Prowler describes and exposes to ecs_task_definitions_* checks.Selection is not random. Prowler calls ListTaskDefinitions with sort=DESC, which asks AWS to return task definition ARNs in descending family and revision order. Prowler then interleaves regional candidate lists to avoid starving later regions before applying the limit. This selects the latest task definition revisions according to the ARN order AWS provides, while preserving regional fairness.Bounds DescribeTaskDefinition calls to selected task definitions. Prowler may still list candidates so it can select the bounded set and keep discovery deterministic.Unselected task definitions are not described or analyzed. Issues in older task definition revisions, or in lower-priority families outside the selected AWS sort=DESC order, can be missed. Because ECS ordering is family/revision based rather than a registration timestamp sort across every family, this is latest-first according to AWS task definition ARN ordering, not a global newest-by-time guarantee.
CodeArtifact packages (max_codeartifact_packages)Prowler lists CodeArtifact repositories and lazily lists packages inside them.The selected packages exposed to codeartifact_packages_* checks, including latest-version metadata for those packages.AWS ListPackages does not provide a newest-package timestamp ordering in this path. Prowler preserves repository order and package API order, then applies the limit. Latest package version metadata is retrieved for selected packages with sortBy=PUBLISHED_TIME and maxResults=1.Bounds ListPackageVersions calls to selected packages and can stop package listing once the limit is reached. Repository listing still runs.Package selection is best effort by API order, not newest package order. Packages outside the selected repository/API order are not analyzed, so origin restriction or latest-version issues can be missed.
Use limits when scan duration, API throttling, or cost are more important than exhaustive coverage for these high-volume resources. Keep limits disabled when you need complete evidence for every resource in the affected checks.

Validating Discovered Secrets

By default, the secret-scanning checks run fully offline: secrets are detected but never sent anywhere. Setting secrets_validate to True additionally confirms whether each discovered secret is live by authenticating with it against the corresponding provider API. The discovered secret itself serves as the credential, so Prowler requires no additional permissions to validate it. secrets_validate applies to every AWS secret-scanning check listed above (those that accept secrets_ignore_patterns). The --scan-secrets-validate CLI flag is provider-wide: it also enables validation for the secret-scanning checks of other providers, such as the OpenStack metadata checks. To enable validation through the configuration file, set the value under the aws section:
aws:
  secrets_validate: True
To enable validation for a single scan (any provider), use Prowler CLI:
prowler aws --scan-secrets-validate
Secret validation makes outbound network calls that authenticate with each discovered secret. The credential is exercised against the provider, so the call appears in the audited account’s logs and can trigger its monitoring (for example, AWS CloudTrail records the validation request). Validation stays disabled by default so that scans remain fully offline.

Azure

Configurable Checks

The following list includes all the Azure checks with configurable variables that can be changed in the configuration yaml file:
Check NameValueType
network_public_ip_shodanshodan_api_keyString
app_ensure_php_version_is_latestphp_latest_versionString
app_ensure_python_version_is_latestpython_latest_versionString
app_ensure_java_version_is_latestjava_latest_versionString
sqlserver_recommended_minimal_tls_versionrecommended_minimal_tls_versionsList of Strings
vm_sufficient_daily_backup_retention_periodvm_backup_min_daily_retention_daysInteger
vm_desired_sku_sizedesired_vm_sku_sizesList of Strings
storage_smb_channel_encryption_with_secure_algorithmrecommended_smb_channel_encryption_algorithmsList of Strings
defender_attack_path_notifications_properly_configureddefender_attack_path_minimal_risk_levelString
apim_threat_detection_llm_jackingapim_threat_detection_llm_jacking_thresholdFloat
apim_threat_detection_llm_jackingapim_threat_detection_llm_jacking_minutesInteger
apim_threat_detection_llm_jackingapim_threat_detection_llm_jacking_actionsList of Strings

GCP

Configurable Checks

The following list includes all the GCP checks with configurable variables that can be changed in the configuration yaml file:
Check NameValueType
compute_configuration_changescompute_audit_log_lookback_daysInteger
compute_instance_group_multiple_zonesmig_min_zonesInteger

Kubernetes

Configurable Checks

The following list includes all the Kubernetes checks with configurable variables that can be changed in the configuration yaml file:
Check NameValueType
audit_log_maxbackupaudit_log_maxbackupString
audit_log_maxsizeaudit_log_maxsizeString
audit_log_maxageaudit_log_maxageString
apiserver_strong_ciphersapiserver_strong_ciphersString
kubelet_strong_ciphers_onlykubelet_strong_ciphersString

M365

Configurable Checks

The following list includes all the Microsoft 365 checks with configurable variables that can be changed in the configuration yaml file:
Check NameValueType
entra_admin_users_sign_in_frequency_enabledsign_in_frequencyInteger
teams_external_file_sharing_restrictedallowed_cloud_storage_servicesList of Strings
exchange_organization_mailtips_enabledrecommended_mailtips_large_audience_thresholdInteger

GitHub

Configurable Checks

The following list includes all the GitHub checks with configurable variables that can be changed in the configuration yaml file:
Check NameValueType
repository_inactive_not_archivedinactive_not_archived_days_thresholdInteger

Vercel

Configurable Checks

The following list includes all the Vercel checks with configurable variables that can be changed in the configuration YAML file:
Check NameValueType
authentication_no_stale_tokensstale_token_threshold_daysInteger
authentication_token_not_expireddays_to_expire_thresholdInteger
deployment_production_uses_stable_targetstable_branchesList of Strings
domain_ssl_certificate_validdays_to_expire_thresholdInteger
project_environment_no_secrets_in_plain_typesecret_suffixesList of Strings
team_member_role_least_privilegemax_owner_percentageInteger
team_member_role_least_privilegemax_ownersInteger
team_no_stale_invitationsstale_invitation_threshold_daysInteger

Okta

Configurable Checks

The following list includes all the Okta checks with configurable variables that can be changed in the configuration YAML file:
Check NameValueType
application_admin_console_session_idle_timeout_15minokta_admin_console_idle_timeout_max_minutesInteger
signon_global_session_idle_timeout_15minokta_max_session_idle_minutesInteger

Config YAML File Structure

This is the new Prowler configuration file format. The old one without provider keys is still compatible just for the AWS provider.
config.yaml
# AWS Configuration
aws:
  # AWS Global Configuration
  # aws.mute_non_default_regions --> Set to True to muted failed findings in non-default regions for AccessAnalyzer, GuardDuty, SecurityHub, DRS and Config
  mute_non_default_regions: False

  # AWS Resource Scan Limit Configuration
  # Disabled by default: scan every resource unless a positive limit is configured.
  # Findings are not capped. Set to 0 (or a negative value) to disable the limit.
  # aws.max_scanned_resources_per_service --> global default for all services below
  max_scanned_resources_per_service: 0
  # Per-service overrides. Leave as null to fall back to the global default.
  max_ebs_snapshots: null
  max_backup_recovery_points: null
  max_cloudwatch_log_groups: null
  max_lambda_functions: null
  max_ecs_task_definitions: null
  max_codeartifact_packages: null
  # If you want to mute failed findings only in specific regions, create a file with the following syntax and run it with `prowler aws -w mutelist.yaml`:
  # Mutelist:
  #  Accounts:
  #   "*":
  #     Checks:
  #       "*":
  #         Regions:
  #           - "ap-southeast-1"
  #           - "ap-southeast-2"
  #         Resources:
  #           - "*"

  # AWS IAM Configuration
  # aws.iam_user_accesskey_unused --> CIS recommends 45 days
  max_unused_access_keys_days: 45
  # aws.iam_user_console_access_unused --> CIS recommends 45 days
  max_console_access_days: 45
  # aws.iam_user_access_not_stale_to_sagemaker --> default 90 days
  max_unused_sagemaker_access_days: 90

  # AWS EC2 Configuration
  # aws.ec2_elastic_ip_shodan
  # TODO: create common config
  shodan_api_key: null
  # aws.ec2_securitygroup_with_many_ingress_egress_rules --> by default is 50 rules
  max_security_group_rules: 50
  # aws.ec2_instance_older_than_specific_days --> by default is 6 months (180 days)
  max_ec2_instance_age_in_days: 180
  # aws.ec2_securitygroup_allow_ingress_from_internet_to_any_port
  # allowed network interface types for security groups open to the Internet
  ec2_allowed_interface_types:
    [
        "api_gateway_managed",
        "vpc_endpoint",
    ]
  # allowed network interface owners for security groups open to the Internet
  ec2_allowed_instance_owners:
    [
        "amazon-elb"
    ]
  # aws.ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports
  ec2_high_risk_ports:
    [
        25,
        110,
        135,
        143,
        445,
        3000,
        4333,
        5000,
        5500,
        8080,
        8088,
    ]

  # AWS VPC Configuration (vpc_endpoint_connections_trust_boundaries, vpc_endpoint_services_allowed_principals_trust_boundaries)
  # AWS SSM Configuration (ssm_documents_set_as_public)
  # AWS S3 Configuration (s3_bucket_cross_account_access)
  # AWS EventBridge Configuration (eventbridge_schema_registry_cross_account_access, eventbridge_bus_cross_account_access)
  # AWS DynamoDB Configuration (dynamodb_table_cross_account_access)
  # Single account environment: No action required. The AWS account number will be automatically added by the checks.
  # Multi account environment: Any additional trusted account number should be added as a space separated list, e.g.
  # trusted_account_ids : ["123456789012", "098765432109", "678901234567"]
  trusted_account_ids: []

  # AWS Cloudwatch Configuration
  # aws.cloudwatch_log_group_retention_policy_specific_days_enabled --> by default is 365 days
  log_group_retention_days: 365

  # AWS AppStream Session Configuration
  # aws.appstream_fleet_session_idle_disconnect_timeout
  max_idle_disconnect_timeout_in_seconds: 600 # 10 Minutes
  # aws.appstream_fleet_session_disconnect_timeout
  max_disconnect_timeout_in_seconds: 300 # 5 Minutes
  # aws.appstream_fleet_maximum_session_duration
  max_session_duration_seconds: 36000 # 10 Hours

  # AWS Lambda Configuration
  # aws.awslambda_function_using_supported_runtimes
  obsolete_lambda_runtimes:
    [
      "java8",
      "go1.x",
      "provided",
      "python3.6",
      "python2.7",
      "python3.7",
      "nodejs4.3",
      "nodejs4.3-edge",
      "nodejs6.10",
      "nodejs",
      "nodejs8.10",
      "nodejs10.x",
      "nodejs12.x",
      "nodejs14.x",
      "dotnet5.0",
      "dotnetcore1.0",
      "dotnetcore2.0",
      "dotnetcore2.1",
      "dotnetcore3.1",
      "ruby2.5",
      "ruby2.7",
    ]

  # AWS Organizations
  # aws.organizations_scp_check_deny_regions
  # aws.organizations_enabled_regions: [
  #   "eu-central-1",
  #   "eu-west-1",
  #   "us-east-1"
  # ]
  organizations_enabled_regions: []
  organizations_trusted_delegated_administrators: []

  # AWS ECR
  # aws.ecr_repositories_scan_vulnerabilities_in_latest_image
  # CRITICAL
  # HIGH
  # MEDIUM
  ecr_repository_vulnerability_minimum_severity: "MEDIUM"

  # AWS Trusted Advisor
  # aws.trustedadvisor_premium_support_plan_subscribed
  verify_premium_support_plans: True

  # AWS CloudTrail Configuration
  # aws.cloudtrail_threat_detection_privilege_escalation
  threat_detection_privilege_escalation_threshold: 0.2 # Percentage of actions found to decide if it is an privilege_escalation attack event, by default is 0.2 (20%)
  threat_detection_privilege_escalation_minutes: 1440 # Past minutes to search from now for privilege_escalation attacks, by default is 1440 minutes (24 hours)
  threat_detection_privilege_escalation_actions:
    [
      "AddPermission",
      "AddRoleToInstanceProfile",
      "AddUserToGroup",
      "AssociateAccessPolicy",
      "AssumeRole",
      "AttachGroupPolicy",
      "AttachRolePolicy",
      "AttachUserPolicy",
      "ChangePassword",
      "CreateAccessEntry",
      "CreateAccessKey",
      "CreateDevEndpoint",
      "CreateEventSourceMapping",
      "CreateFunction",
      "CreateGroup",
      "CreateJob",
      "CreateKeyPair",
      "CreateLoginProfile",
      "CreatePipeline",
      "CreatePolicyVersion",
      "CreateRole",
      "CreateStack",
      "DeleteRolePermissionsBoundary",
      "DeleteRolePolicy",
      "DeleteUserPermissionsBoundary",
      "DeleteUserPolicy",
      "DetachRolePolicy",
      "DetachUserPolicy",
      "GetCredentialsForIdentity",
      "GetId",
      "GetPolicyVersion",
      "GetUserPolicy",
      "Invoke",
      "ModifyInstanceAttribute",
      "PassRole",
      "PutGroupPolicy",
      "PutPipelineDefinition",
      "PutRolePermissionsBoundary",
      "PutRolePolicy",
      "PutUserPermissionsBoundary",
      "PutUserPolicy",
      "ReplaceIamInstanceProfileAssociation",
      "RunInstances",
      "SetDefaultPolicyVersion",
      "UpdateAccessKey",
      "UpdateAssumeRolePolicy",
      "UpdateDevEndpoint",
      "UpdateEventSourceMapping",
      "UpdateFunctionCode",
      "UpdateJob",
      "UpdateLoginProfile",
    ]
  # aws.cloudtrail_threat_detection_enumeration
  threat_detection_enumeration_threshold: 0.3 # Percentage of actions found to decide if it is an enumeration attack event, by default is 0.3 (30%)
  threat_detection_enumeration_minutes: 1440 # Past minutes to search from now for enumeration attacks, by default is 1440 minutes (24 hours)
  threat_detection_enumeration_actions:
    [
      "DescribeAccessEntry",
      "DescribeAccountAttributes",
      "DescribeAvailabilityZones",
      "DescribeBundleTasks",
      "DescribeCarrierGateways",
      "DescribeClientVpnRoutes",
      "DescribeCluster",
      "DescribeDhcpOptions",
      "DescribeFlowLogs",
      "DescribeImages",
      "DescribeInstanceAttribute",
      "DescribeInstanceInformation",
      "DescribeInstanceTypes",
      "DescribeInstances",
      "DescribeInstances",
      "DescribeKeyPairs",
      "DescribeLogGroups",
      "DescribeLogStreams",
      "DescribeOrganization",
      "DescribeRegions",
      "DescribeSecurityGroups",
      "DescribeSnapshotAttribute",
      "DescribeSnapshotTierStatus",
      "DescribeSubscriptionFilters",
      "DescribeTransitGatewayMulticastDomains",
      "DescribeVolumes",
      "DescribeVolumesModifications",
      "DescribeVpcEndpointConnectionNotifications",
      "DescribeVpcs",
      "GetAccount",
      "GetAccountAuthorizationDetails",
      "GetAccountSendingEnabled",
      "GetBucketAcl",
      "GetBucketLogging",
      "GetBucketPolicy",
      "GetBucketReplication",
      "GetBucketVersioning",
      "GetCallerIdentity",
      "GetCertificate",
      "GetConsoleScreenshot",
      "GetCostAndUsage",
      "GetDetector",
      "GetEbsDefaultKmsKeyId",
      "GetEbsEncryptionByDefault",
      "GetFindings",
      "GetFlowLogsIntegrationTemplate",
      "GetIdentityVerificationAttributes",
      "GetInstances",
      "GetIntrospectionSchema",
      "GetLaunchTemplateData",
      "GetLaunchTemplateData",
      "GetLogRecord",
      "GetParameters",
      "GetPolicyVersion",
      "GetPublicAccessBlock",
      "GetQueryResults",
      "GetRegions",
      "GetSMSAttributes",
      "GetSMSSandboxAccountStatus",
      "GetSendQuota",
      "GetTransitGatewayRouteTableAssociations",
      "GetUserPolicy",
      "HeadObject",
      "ListAccessKeys",
      "ListAccounts",
      "ListAllMyBuckets",
      "ListAssociatedAccessPolicies",
      "ListAttachedUserPolicies",
      "ListClusters",
      "ListDetectors",
      "ListDomains",
      "ListFindings",
      "ListHostedZones",
      "ListIPSets",
      "ListIdentities",
      "ListInstanceProfiles",
      "ListObjects",
      "ListOrganizationalUnitsForParent",
      "ListOriginationNumbers",
      "ListPolicyVersions",
      "ListRoles",
      "ListRoles",
      "ListRules",
      "ListServiceQuotas",
      "ListSubscriptions",
      "ListTargetsByRule",
      "ListTopics",
      "ListUsers",
      "LookupEvents",
      "Search",
    ]
  # aws.cloudtrail_threat_detection_llm_jacking
  threat_detection_llm_jacking_threshold: 0.4 # Percentage of actions found to decide if it is an LLM Jacking attack event, by default is 0.4 (40%)
  threat_detection_llm_jacking_minutes: 1440 # Past minutes to search from now for LLM Jacking attacks, by default is 1440 minutes (24 hours)
  threat_detection_llm_jacking_actions:
    [
    "PutUseCaseForModelAccess",  # Submits a use case for model access, providing justification (Write).
    "PutFoundationModelEntitlement",  # Grants entitlement for accessing a foundation model (Write).
    "PutModelInvocationLoggingConfiguration", # Configures logging for model invocations (Write).
    "CreateFoundationModelAgreement",  # Creates a new agreement to use a foundation model (Write).
    "InvokeModel",  # Invokes a specified Bedrock model for inference using provided prompt and parameters (Read).
    "InvokeModelWithResponseStream",  # Invokes a Bedrock model for inference with real-time token streaming (Read).
    "GetUseCaseForModelAccess",  # Retrieves an existing use case for model access (Read).
    "GetModelInvocationLoggingConfiguration",  # Fetches the logging configuration for model invocations (Read).
    "GetFoundationModelAvailability",  # Checks the availability of a foundation model for use (Read).
    "ListFoundationModelAgreementOffers",  # Lists available agreement offers for accessing foundation models (List).
    "ListFoundationModels",  # Lists the available foundation models in Bedrock (List).
    "ListProvisionedModelThroughputs",  # Lists the provisioned throughput for previously created models (List).
    ]

  # AWS RDS Configuration
  # aws.rds_instance_backup_enabled
  # Whether to check RDS instance replicas or not
  check_rds_instance_replicas: False

  # AWS ACM Configuration
  # aws.acm_certificates_expiration_check
  days_to_expire_threshold: 7

  # AWS EKS Configuration
  # aws.eks_control_plane_logging_all_types_enabled
  # EKS control plane logging types that must be enabled
  eks_required_log_types:
    [
      "api",
      "audit",
      "authenticator",
      "controllerManager",
      "scheduler",
    ]

  # aws.eks_cluster_uses_a_supported_version
  # EKS clusters must be version 1.28 or higher
  eks_cluster_oldest_version_supported: "1.28"

  # AWS CodeBuild Configuration
  # aws.codebuild_project_no_secrets_in_variables
  # CodeBuild sensitive variables that are excluded from the check
  excluded_sensitive_environment_variables:
    [

    ]

# Azure Configuration
azure:
  # Azure Network Configuration
  # azure.network_public_ip_shodan
  # TODO: create common config
  shodan_api_key: null

  # Azure App Service
  # azure.app_ensure_php_version_is_latest
  php_latest_version: "8.2"
  # azure.app_ensure_python_version_is_latest
  python_latest_version: "3.12"
  # azure.app_ensure_java_version_is_latest
  java_latest_version: "17"

  # Azure SQL Server
  # azure.sqlserver_minimal_tls_version
  recommended_minimal_tls_versions:
    [
      "1.2",
      "1.3"
    ]

  # Azure Storage
  # azure.storage_smb_channel_encryption_with_secure_algorithm
  # List of SMB channel encryption algorithms allowed on file shares. A storage
  # account passes only if every enabled algorithm is in this list. Defaults to
  # the value required by CIS (AES-256-GCM only, excluding weaker AES-128 ciphers).
  recommended_smb_channel_encryption_algorithms:
    [
      "AES-256-GCM",
      # "AES-128-CCM",
      # "AES-128-GCM",
    ]

  # Azure Virtual Machines
  # azure.vm_desired_sku_size
  # List of desired VM SKU sizes that are allowed in the organization
  desired_vm_sku_sizes:
    [
      "Standard_A8_v2",
      "Standard_DS3_v2",
      "Standard_D4s_v3",
    ]
  # Azure VM Backup Configuration
  # azure.vm_sufficient_daily_backup_retention_period
  vm_backup_min_daily_retention_days: 7

  # Azure API Management Threat Detection Configuration
  # azure.apim_threat_detection_llm_jacking
  apim_threat_detection_llm_jacking_threshold: 0.1
  apim_threat_detection_llm_jacking_minutes: 1440
  apim_threat_detection_llm_jacking_actions:
    [
      # OpenAI API endpoints
      "ImageGenerations_Create",
      "ChatCompletions_Create",
      "Completions_Create",
      "Embeddings_Create",
      "FineTuning_Jobs_Create",
      "Models_List",

      # Azure OpenAI endpoints
      "Deployments_List",
      "Deployments_Get",
      "Deployments_Create",
      "Deployments_Delete",

      # Anthropic endpoints
      "Messages_Create",
      "Claude_Create",

      # Google AI endpoints
      "GenerateContent",
      "GenerateText",
      "GenerateImage",

      # Meta AI endpoints
      "Llama_Create",
      "CodeLlama_Create",

      # Other LLM endpoints
      "Gemini_Generate",
      "Claude_Generate",
      "Llama_Generate"
    ]

# GCP Configuration
gcp:
  # GCP Compute Configuration
  # gcp.compute_public_address_shodan
  shodan_api_key: null
  # gcp.compute_configuration_changes
  # Number of days to look back for Compute Engine configuration changes in audit logs
  compute_audit_log_lookback_days: 1
  # gcp.compute_instance_group_multiple_zones
  # Minimum number of zones a MIG should span for high availability
  mig_min_zones: 2

# Kubernetes Configuration
kubernetes:
  # Kubernetes API Server
  # kubernetes.apiserver_audit_log_maxbackup_set
  audit_log_maxbackup: 10
  # kubernetes.apiserver_audit_log_maxsize_set
  audit_log_maxsize: 100
  # kubernetes.apiserver_audit_log_maxage_set
  audit_log_maxage: 30
  # kubernetes.apiserver_strong_ciphers_only
  apiserver_strong_ciphers:
    [
      "TLS_AES_128_GCM_SHA256",
      "TLS_AES_256_GCM_SHA384",
      "TLS_CHACHA20_POLY1305_SHA256",
    ]
  # Kubelet
  # kubernetes.kubelet_strong_ciphers_only
  kubelet_strong_ciphers:
    [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_RSA_WITH_AES_128_GCM_SHA256",
    ]

# M365 Configuration
m365:
  # Entra Conditional Access Policy
  # m365.entra_admin_users_sign_in_frequency_enabled
  sign_in_frequency: 4 # 4 hours
  # Teams Settings
  # m365.teams_external_file_sharing_restricted
  allowed_cloud_storage_services:
    [
      #"allow_box",
      #"allow_drop_box",
      #"allow_egnyte",
      #"allow_google_drive",
      #"allow_share_file",
    ]
  # Exchange Organization Settings
  # m365.exchange_organization_mailtips_enabled
  recommended_mailtips_large_audience_threshold: 25 # maximum number of recipients

# GitHub Configuration
github:
  # github.repository_inactive_not_archived
  inactive_not_archived_days_threshold: 180

# Vercel Configuration
vercel:
  # vercel.deployment_production_uses_stable_target
  stable_branches:
    - "main"
    - "master"
  # vercel.authentication_token_not_expired & vercel.domain_ssl_certificate_valid
  days_to_expire_threshold: 7
  # vercel.authentication_no_stale_tokens
  stale_token_threshold_days: 90
  # vercel.team_no_stale_invitations
  stale_invitation_threshold_days: 30
  # vercel.team_member_role_least_privilege
  max_owner_percentage: 20
  max_owners: 3
  # vercel.project_environment_no_secrets_in_plain_type
  secret_suffixes:
    - "_KEY"
    - "_SECRET"
    - "_TOKEN"
    - "_PASSWORD"
    - "_API_KEY"
    - "_PRIVATE_KEY"