Feature search
Which component would this feature affect?
Prowler CLI/SDK
Related to specific cloud provider?
AWS
New feature motivation
APRA's Prudential Standard CPS 234 — Information Security is mandatory for all APRA-regulated entities in Australia (banks/ADIs, general & life insurers, private health insurers, and superannuation/RSE licensees). It is the single most cited information-security obligation for the Australian financial sector.
Prowler already ships asd_essential_eight_aws, but there is currently no APRA framework. Australian regulated entities running on AWS have no out-of-the-box way to benchmark their accounts against CPS 234 with Prowler, despite it being a legal requirement for them.
Solution Proposed
Add an APRA CPS 234 (Information Security) compliance framework for the AWS provider:
- New framework spec: prowler/compliance/aws/apra_cps_234_aws.json — 20 requirements mapped to the operative paragraphs of CPS 234 (paras 13–36, July 2019).
- 12 automated controls mapped to 55 existing AWS checks (IAM/MFA/password policy, encryption at rest & in transit, key management, public-exposure blocking, audit logging, threat detection, backups, incident-detection alarms, vulnerability testing) — no new checks required.
- 8 manual controls for governance/process paragraphs not observable via AWS APIs (roles & responsibilities, capability, policy framework, asset classification, third-party control design, response plans, internal audit, APRA notification) — marked Manual, consistent with how Essential Eight handles non-automatable items.
- New attribute model APRA_CPS234_Requirement_Attribute in prowler/lib/check/compliance_models.py, mirroring the existing ASDEssentialEight_* model (Section, ItemId, AssessmentStatus, CloudApplicability, Description, RationaleStatement, ImpactStatement, RemediationProcedure, AuditProcedure, AdditionalInformation, References).
- Tests under tests/compliance/aws/.
Use case and benefits
- Who: APRA-regulated entities and the consultants/auditors who serve them — a large, compliance-driven AWS user base.
- Benefit: run prowler aws --compliance apra_cps_234_aws to get an instant CPS 234 posture report, with each finding mapped to the specific CPS 234 paragraph, rationale, remediation and reference — turning raw findings into board/regulator-ready evidence.
- For Prowler: extends the Australian framework coverage already started with Essential Eight, and reuses existing checks (low maintenance burden, no new check logic).
Describe alternatives you've considered
- Generic attribute schema instead of a dedicated Pydantic model — works, but drops the rich rationale/remediation/reference fields from output; a dedicated model (as with Essential Eight/CIS) preserves them. Happy to go either way per maintainer preference.
- Other tools (Steampipe/Powerpipe mods, AWS Config conformance packs, hand-rolled audits) — these exist piecemeal but none give Prowler users native CPS 234 coverage, and most require separate tooling.
- Doing nothing / manual mapping — every AU entity re-deriving the CPS 234 → AWS mapping by hand is duplicated effort and error-prone.
Additional context
- Reference standard: APRA CPS 234 Information Security (July 2019, current/in-force) — https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf
- I have the framework already drafted and locally validated: parses against Compliance, conforms to the new attribute model, 0 dangling check references (all 55 verified against Prowler 5.29.2), paragraph references verified against the official standard, 6 tests passing, and it runs end-to-end against a real AWS account.
- Note: this is distinct from CPS 230 (Operational Risk Management, 2025) — a separate standard I'd be glad to follow up with if this is welcome.
- Ready to open the PR as soon as I have a green light. Thank you.
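The "locally validated ... 0 dangling check references" step above is the one a reviewer will most want to reproduce before merging a framework file. The script below is an added example, not Prowler's own validation code and not the proposed PR: it lints a framework document for the attribute fields the proposal names, checks that every Automated requirement carries at least one check, that Manual requirements carry none, and that every referenced check ID exists in a catalogue. The JSON layout (Framework/Requirements/Attributes/Checks keys), the KNOWN_CHECKS set and the sample requirements are constructed stand-ins; a real run would build the catalogue from Prowler's AWS checks directory and load the actual apra_cps_234_aws.json.

```python
"""Lint a Prowler-style compliance framework file (added example, not Prowler code)."""
import json
import sys
from dataclasses import dataclass, field

# Fields of the proposed APRA_CPS234_Requirement_Attribute model, as listed in the issue.
ATTRIBUTE_FIELDS = (
    "Section", "ItemId", "AssessmentStatus", "CloudApplicability", "Description",
    "RationaleStatement", "ImpactStatement", "RemediationProcedure",
    "AuditProcedure", "AdditionalInformation", "References",
)
ASSESSMENT_STATUSES = {"Automated", "Manual"}

# CONSTRUCTED stand-in for the check catalogue. In practice derive it from the provider's
# checks directory so the linter tracks the Prowler version you are targeting.
KNOWN_CHECKS = {
    "iam_root_mfa_enabled",
    "cloudtrail_multi_region_enabled",
    "kms_cmk_rotation_enabled",
}

APRA_URL = "https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf"


def _attr(item_id: str, status: str, description: str) -> dict:
    """Build one attribute record carrying every field the proposed model requires."""
    return {
        "Section": "constructed placeholder section",
        "ItemId": item_id,
        "AssessmentStatus": status,
        "CloudApplicability": "AWS",
        "Description": description,
        "RationaleStatement": "",
        "ImpactStatement": "",
        "RemediationProcedure": "",
        "AuditProcedure": "",
        "AdditionalInformation": "",
        "References": APRA_URL,
    }


# CONSTRUCTED three-requirement excerpt: one good automated, one good manual,
# and one deliberately broken (missing field + dangling check reference).
_broken = _attr("req-03", "Automated", "constructed placeholder, not CPS 234 text")
del _broken["References"]

SAMPLE_FRAMEWORK = {
    "Framework": "APRA-CPS-234",
    "Version": "July 2019",
    "Provider": "AWS",
    "Requirements": [
        {"Id": "req-01", "Attributes": [_attr("req-01", "Automated", "placeholder")],
         "Checks": ["iam_root_mfa_enabled", "kms_cmk_rotation_enabled"]},
        {"Id": "req-02", "Attributes": [_attr("req-02", "Manual", "placeholder")],
         "Checks": []},
        {"Id": "req-03", "Attributes": [_broken],
         "Checks": ["iam_root_mfa_enabled", "no_such_check"]},
    ],
}


@dataclass
class LintResult:
    errors: list = field(default_factory=list)
    automated: int = 0   # attributes marked Automated
    manual: int = 0      # attributes marked Manual
    check_refs: int = 0  # total check references encountered

    @property
    def ok(self) -> bool:
        return not self.errors


def lint_framework(framework: dict, known_checks: set) -> LintResult:
    """Return every structural problem found; an empty error list means the file is clean."""
    result = LintResult()
    seen_ids = set()
    for req in framework.get("Requirements", []):
        rid = req.get("Id", "<missing Id>")
        if rid in seen_ids:
            result.errors.append(f"{rid}: duplicate requirement Id")
        seen_ids.add(rid)
        attrs = req.get("Attributes") or []
        checks = req.get("Checks") or []
        if not attrs:
            result.errors.append(f"{rid}: no Attributes")
        for attr in attrs:
            missing = [f for f in ATTRIBUTE_FIELDS if f not in attr]
            if missing:
                result.errors.append(f"{rid}: missing attribute fields {missing}")
            status = attr.get("AssessmentStatus")
            if status == "Automated":
                result.automated += 1
                if not checks:
                    result.errors.append(f"{rid}: Automated but no Checks")
            elif status == "Manual":
                result.manual += 1
                if checks:
                    result.errors.append(f"{rid}: Manual but carries Checks")
            else:
                result.errors.append(f"{rid}: bad AssessmentStatus {status!r}")
        for check in checks:
            result.check_refs += 1
            if check not in known_checks:
                result.errors.append(f"{rid}: dangling check reference {check!r}")
    return result


if __name__ == "__main__":
    # Usage: python lint_framework.py [path/to/framework.json]; falls back to the sample.
    fw = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_FRAMEWORK
    res = lint_framework(fw, KNOWN_CHECKS)
    print(f"automated={res.automated} manual={res.manual} check_refs={res.check_refs}")
    for err in res.errors:
        print("ERROR:", err)
    sys.exit(0 if res.ok else 1)
```

The Automated/Manual consistency rules are this linter's own (an Automated control with no checks can never produce a finding, and a Manual control with checks would be silently scored); they are not a rule the proposal states, so adjust them if the maintainers want a different convention. On the sample the run reports two errors, both from req-03, and exits non-zero.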