prowler-cloud · pedrooot · Jun 26, 2026 · Jun 23, 2026 · Jun 23, 2026 · Jun 23, 2026
@@ -46,6 +46,10 @@ When adding a new configurable check to Prowler, update the following files:
 
 For a complete list of checks that already support configuration, see the [Configuration File Tutorial](/user-guide/cli/tutorials/configuration_file).
 
+<Note>
+Because a configurable check's verdict depends on the `audit_config` value it reads, a compliance requirement can lose meaning if the scan ran with a looser threshold than the control demands. Compliance frameworks can guard against this with **configuration guardrails**: a requirement declares the strictest configuration it tolerates and is forced to FAIL when the scan's config falls short. See [Configuration Guardrails for Requirements](/developer-guide/security-compliance-framework#configuration-guardrails-for-requirements).
+</Note>
+
 ## Adding a Parameter to the Provider Schema
 
 Most providers have a typed Pydantic schema in `prowler/config/schema/`, registered in `prowler/config/schema/registry.py`. When a config is loaded and the provider has a registered schema, `validate_provider_config` checks each user-supplied key against it, logs a warning, and drops any field that fails validation. The consumer's `.get(key, default)` then falls back to the built-in default. Providers without a registered schema are passed through unchanged.

@@ -6,6 +6,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ### 🚀 Added
 
+- Per-requirement configuration validation for compliance frameworks via `ConfigRequirements`, so a requirement is reported as FAIL when its configurable checks ran with a configuration too loose to satisfy it (applied across all compliance outputs: CSV, OCSF, and console tables) [(#11669)](https://github.com/prowler-cloud/prowler/pull/11669)
 - `entra_conditional_access_policy_explicitly_targets_azure_devops` check for M365 provider, verifying at least one enabled Conditional Access policy explicitly includes the Azure DevOps cloud application instead of relying on a broad "All cloud apps" policy [(#11182)](https://github.com/prowler-cloud/prowler/pull/11182)
 - `entra_conditional_access_policy_no_exclusion_gaps` check for M365 provider, verifying every user, group, role, or application excluded from an enabled Conditional Access policy stays in scope of another enabled policy [(#11577)](https://github.com/prowler-cloud/prowler/pull/11577)
 

@@ -109,6 +109,14 @@
       ],
       "Checks": [
         "ram_user_console_access_unused"
+      ],
+      "ConfigRequirements": [
+        {
+          "Check": "ram_user_console_access_unused",
+          "ConfigKey": "max_console_access_days",
+          "Operator": "lte",
+          "Value": 90
+        }
       ]
     },
     {
@@ -841,6 +849,14 @@
       ],
       "Checks": [
         "sls_logstore_retention_period"
+      ],
+      "ConfigRequirements": [
+        {
+          "Check": "sls_logstore_retention_period",
+          "ConfigKey": "min_log_retention_days",
+          "Operator": "gte",
+          "Value": 365
+        }
       ]
     },
     {
@@ -1353,6 +1369,14 @@
       ],
       "Checks": [
         "rds_instance_sql_audit_retention"
+      ],
+      "ConfigRequirements": [
+        {
+          "Check": "rds_instance_sql_audit_retention",
+          "ConfigKey": "min_rds_audit_retention_days",
+          "Operator": "gte",
+          "Value": 180
+        }
       ]
     },
     {
@@ -1551,6 +1575,14 @@
       ],
       "Checks": [
         "cs_kubernetes_cluster_check_recent"
+      ],
+      "ConfigRequirements": [
+        {
+          "Check": "cs_kubernetes_cluster_check_recent",
+          "ConfigKey": "max_cluster_check_days",
+          "Operator": "lte",
+          "Value": 7
+        }
       ]
     },
     {

@@ -47,6 +47,14 @@
       "Checks": [
         "ram_user_console_access_unused"
       ],
+      "ConfigRequirements": [
+        {
+          "Check": "ram_user_console_access_unused",
+          "ConfigKey": "max_console_access_days",
+          "Operator": "lte",
+          "Value": 90
+        }
+      ],
       "Attributes": [
         {
           "Title": "Inactive users disabled for console access",
@@ -399,6 +407,14 @@
           "LevelOfRisk": 3,
           "Weight": 10
         }
+      ],
+      "ConfigRequirements": [
+        {
+          "Check": "cs_kubernetes_cluster_check_weekly",
+          "ConfigKey": "max_cluster_check_days",
+          "Operator": "lte",
+          "Value": 7
+        }
       ]
     },
     {
@@ -695,6 +711,14 @@
       "Checks": [
         "rds_instance_sql_audit_retention"
       ],
+      "ConfigRequirements": [
+        {
+          "Check": "rds_instance_sql_audit_retention",
+          "ConfigKey": "min_rds_audit_retention_days",
+          "Operator": "gte",
+          "Value": 180
+        }
+      ],
       "Attributes": [
         {
           "Title": "RDS SQL audit retention configured",

@@ -13,6 +13,14 @@
         "config_recorder_all_regions_enabled",
         "inspector2_is_enabled"
       ],
+      "ConfigRequirements": [
+        {
+          "Check": "config_recorder_all_regions_enabled",
+          "ConfigKey": "mute_non_default_regions",
+          "Operator": "eq",
+          "Value": false
+        }
+      ],
       "Attributes": [
         {
           "Section": "1 Patch applications",
@@ -260,6 +268,14 @@
         "config_recorder_all_regions_enabled",
         "inspector2_is_enabled"
       ],
+      "ConfigRequirements": [
+        {
+          "Check": "config_recorder_all_regions_enabled",
+          "ConfigKey": "mute_non_default_regions",
+          "Operator": "eq",
+          "Value": false
+        }
+      ],
       "Attributes": [
         {
           "Section": "2 Patch operating systems",
@@ -742,6 +758,14 @@
         "accessanalyzer_enabled",
         "accessanalyzer_enabled_without_findings"
       ],
+      "ConfigRequirements": [
+        {
+          "Check": "accessanalyzer_enabled",
+          "ConfigKey": "mute_non_default_regions",
+          "Operator": "eq",
+          "Value": false
+        }
+      ],
       "Attributes": [
         {
           "Section": "4 Restrict administrative privileges",