
feat(compliance): add APRA CPS 234 (Information Security) framework for AWS#11679

Open
jaybilgaye wants to merge 3 commits into prowler-cloud:master from jaybilgaye:add-apra-cps-234-compliance-framework

Conversation


@jaybilgaye jaybilgaye commented Jun 23, 2026


Context

APRA Prudential Standard CPS 234 — Information Security is mandatory for all
APRA-regulated entities in Australia (banks/ADIs, general & life insurers, private
health insurers, and superannuation/RSE licensees). Prowler currently ships no APRA
framework, so Australian regulated entities running on AWS have no out-of-the-box way
to benchmark their accounts against CPS 234.

Fix #11485

Description

Adds an APRA CPS 234 (Information Security) compliance framework for the AWS provider.

  • prowler/compliance/aws/apra_cps_234_aws.json — 20 requirements (12 automated /
    8 manual) mapped to 55 existing AWS checks. No new checks are introduced.
  • The 8 manual controls cover governance/process paragraphs not observable via AWS
    APIs (roles & responsibilities, capability, policy framework, asset classification,
    third-party control design, response plans, internal audit, APRA notification),
    marked Manual — consistent with how other frameworks handle non-automatable items.
  • Follows the JSON-only universal-compliance pattern of the recent DORA (#11131) and
    AWS AI Security Framework (#11353) additions: it loads via the universal compliance
    loader with no changes to compliance_models.py and no new output classes.
  • No new dependencies.

Steps to review

  1. Confirm the framework is discovered:
    prowler aws --list-compliance | grep apra_cps_234_aws
  2. Run it against an account:
    prowler aws --compliance apra_cps_234_aws — produces a control-level rollup.
  3. Validation evidence (verified against Prowler 5.31.0):
    • Loads via the universal compliance loader with zero errors.
    • All 55 referenced checks exist in the AWS check catalogue (0 dangling).
    • Paragraph references verified against the official APRA CPS 234 standard
      (July 2019, current/in-force).

Checklist

SDK/CLI

  • Are there new checks included in this PR? No — the framework maps to existing
    checks only, so no provider permission changes are required.

License

By submitting this pull request, I confirm that my contribution is made under the
terms of the Apache 2.0 license.

Summary by CodeRabbit

  • New Features
    • Added APRA CPS 234 (Information Security) compliance framework for AWS provider
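The validation evidence above (automated/manual split, 55 referenced checks, zero dangling references) is the kind of thing worth checking mechanically before merging a JSON-only framework. The script below is an added example, not Prowler's own tooling: it assumes the universal compliance JSON layout (a top-level "Requirements" list whose entries carry "Id", "Description" and a "Checks" list, empty for manual controls) and that a checkout stores each AWS check as `<service>/<check_id>/<check_id>.metadata.json`; the framework and catalogue embedded below are constructed stand-ins, not the real apra_cps_234_aws.json.

```python
"""Validate a Prowler-style compliance framework JSON against a check catalogue.

Added example, not Prowler's own code. Assumes the universal compliance JSON
layout (top-level "Requirements", each with "Id", "Description", "Checks").
"""
import json
from pathlib import Path

# Constructed miniature framework in the assumed layout: two automated
# requirements, one manual (empty "Checks"), and one deliberately dangling id.
SAMPLE_FRAMEWORK = json.dumps({
    "Framework": "APRA-CPS-234", "Provider": "AWS", "Version": "2019",
    "Requirements": [
        {"Id": "21", "Description": "Constructed: access control",
         "Checks": ["iam_root_mfa_enabled", "iam_password_policy_minimum_length_14"]},
        {"Id": "35", "Description": "Constructed: notification to APRA", "Checks": []},
        {"Id": "23", "Description": "Constructed: bad reference",
         "Checks": ["s3_bucket_public_access", "not_a_real_check"]},
    ],
})

# Constructed catalogue standing in for the AWS check ids found in a checkout.
SAMPLE_CATALOGUE = {"iam_root_mfa_enabled", "iam_password_policy_minimum_length_14",
                    "s3_bucket_public_access"}


def catalogue_from_tree(services_dir: Path) -> set[str]:
    """Collect check ids from a checkout, assuming <service>/<check_id>/<check_id>.metadata.json."""
    return {p.parent.name for p in services_dir.glob("*/*/*.metadata.json")}


def validate_framework(framework_json: str, catalogue: set[str]) -> dict:
    """Return the automated/manual split, unique check count and dangling check ids."""
    data = json.loads(framework_json)
    automated, manual, referenced = 0, 0, set()
    for req in data["Requirements"]:
        checks = req.get("Checks", [])
        if checks:
            automated += 1
            referenced.update(checks)
        else:
            manual += 1  # no AWS API evidence available: reviewed by hand
    dangling = sorted(referenced - catalogue)  # ids no check in the catalogue provides
    return {"automated": automated, "manual": manual,
            "unique_checks": len(referenced), "dangling": dangling}


if __name__ == "__main__":
    print(validate_framework(SAMPLE_FRAMEWORK, SAMPLE_CATALOGUE))
```

On a real checkout, replace SAMPLE_CATALOGUE with `catalogue_from_tree(Path("prowler/providers/aws/services"))` and pass the framework file's contents; a non-empty "dangling" list means a requirement references a check that does not exist.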

@jaybilgaye jaybilgaye requested a review from a team as a code owner June 23, 2026 15:22
@github-actions github-actions Bot added the compliance Issues/PRs related with the Compliance Frameworks label Jun 23, 2026

coderabbitai Bot commented Jun 23, 2026



No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between dc228e8 and abd782a.

⛔ Files ignored due to path filters (1)
  • prowler/compliance/aws/apra_cps_234_aws.json is excluded by !prowler/compliance/**/*.json
📒 Files selected for processing (1)
  • prowler/CHANGELOG.md

Walkthrough

A single changelog entry is added to the [5.31.0] "🚀 Added" section of prowler/CHANGELOG.md, documenting the new APRA CPS 234 (Information Security) compliance framework for the AWS provider with a reference to PR #11679.

Changes

Changelog Update
  Layer: APRA CPS 234 changelog bullet
  File(s): prowler/CHANGELOG.md
  Summary: Adds one bullet to the 5.31.0 "🚀 Added" section documenting the APRA CPS 234 (Information Security) compliance framework for the AWS provider.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute

Suggested reviewers

  • danibarranqueroo
  • jfagoagas
🚥 Pre-merge checks: 5 passed
  • Title check: Passed. Title clearly and specifically identifies the main change: adding APRA CPS 234 framework for AWS, matching the PR's primary objective.
  • Description check: Passed. Description is comprehensive, covering context (mandatory standard for AU entities), implementation details (20 requirements, 55 existing checks), validation evidence, and checklist completion.
  • Linked Issues check: Passed. PR fully satisfies #11485 requirements: delivers APRA CPS 234 framework with 20 requirements (12 automated/8 manual) mapped to 55 existing checks, follows JSON-only universal compliance pattern, zero dangling references, verified against official standard.
  • Out of Scope Changes check: Passed. Only in-scope changes present: CHANGELOG.md entry documenting framework addition (referenced in ignored files: compliance JSON file itself). No unrelated modifications detected.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@github-actions


Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions github-actions Bot added the community Opened by the Community label Jun 23, 2026
@ArjunPakhan


Awesome implementation, @jaybilgaye!

Pivoting to the pure JSON universal compliance loader pattern is an incredibly clean approach—keeps the maintenance overhead low while perfectly reusing those 55 core AWS checks. It's great to see proper APRA CPS 234 mapping land in Prowler for the AU financial sector.

Great work on this! 🚀

@jaybilgaye


Thanks @ArjunPakhan, appreciate the review.

Development

Successfully merging this pull request may close these issues.

[Compliance] Add APRA CPS 234 (Information Security) framework for AWS

2 participants