feat(aws): add Resource Control Policies (RCP) support #7415

Open: wants to merge 5 commits into base: master

Conversation

ethanolivertroy

Context

AWS recently introduced Resource Control Policies (RCPs) as a new type of policy in AWS Organizations. Unlike Service Control Policies (SCPs), which act at the account level, RCPs provide more granular control at the resource level, allowing organizations to implement stronger security controls across their AWS environment.

This change adds support for detecting and validating effective use of RCPs in AWS Organizations, with a focus on security controls aligned with NIST standards.

Description

This PR adds support for AWS Resource Control Policies with six new checks:

  1. organizations_resource_control_policies_enabled: Base check to verify if RCPs are enabled and attached to targets in an organization
  2. organizations_resource_control_policies_s3_security: Specific check for S3 security settings enforced through RCPs
  3. organizations_rcps_enforce_encryption: Validates encryption requirements in RCPs (aligned with NIST 800-53 SC-13 and SC-28)
  4. organizations_rcps_enforce_iam_controls: Checks for IAM security controls (aligned with NIST 800-53 AC-2, AC-3, AC-6, and IA-2)
  5. organizations_rcps_enforce_logging_monitoring: Verifies logging and monitoring controls (aligned with NIST 800-53 AU-2, AU-3, AU-8, and AU-9)
  6. organizations_rcps_enforce_network_security: Validates network security requirements (aligned with NIST 800-53 SC-7, SC-8, and SC-13)

The implementation includes:

  • Adding RESOURCE_CONTROL_POLICY to the list of available organization policy types
  • Creating comprehensive checks that analyze policy statements for specific security patterns
  • Including detailed metadata with risk information, remediation steps, and NIST alignment
  • Providing example policy content to help users implement effective RCPs

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

…hecks

- Added RESOURCE_CONTROL_POLICY to the list of available organization policy types
- Added initial check to verify if RCPs are enabled and attached
- Added check for S3 security enforcement via RCPs
- Added NIST-aligned checks for encryption, IAM controls, logging/monitoring, and network security
- Created docs/requirements.txt with required MkDocs dependencies
- Updated .readthedocs.yaml to use pip for dependency installation
- This should fix the ReadTheDocs build failure

@MrCloudSec MrCloudSec left a comment


Hi @ethanolivertroy , thanks for re-creating the PR! I have made a first revision, could you please add testing to the new checks? You can see how to do them in our Developer Guide.

Member

This check has a false positive if you only have the RCPFullAWSAccess.


codecov bot commented Apr 3, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 88.60%. Comparing base (6f027e3) to head (084c2bc).
Report is 110 commits behind head on master.

@@            Coverage Diff             @@
##           master    #7415      +/-   ##
==========================================
- Coverage   92.28%   88.60%   -3.68%     
==========================================
  Files          81     1228    +1147     
  Lines        7333    35900   +28567     
==========================================
+ Hits         6767    31809   +25042     
- Misses        566     4091    +3525     
| Flag | Coverage Δ |
| --- | --- |
| api | ? |
| prowler | 88.60% <ø> (?) |

| Components | Coverage Δ |
| --- | --- |
| prowler | 88.60% <ø> (∅) |
| api | ∅ <ø> (∅) |

Member

I think this check is redundant since having RCPs enabled does not mean that the organization is protected. For example, when you enable RCPs, you have by default an allow-all policy that does not enforce anything.
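As an added illustration (not Prowler's code and not part of this PR), the following Python sketches the distinction the two review comments draw: an organization whose only attached RCP is the AWS-managed RCPFullAWSAccess enforces nothing, so a check should look for an attached, non-default policy carrying Deny statements, and then for the concrete pattern it cares about (here, a Deny on S3 actions conditioned on aws:SecureTransport being false). The policy documents, the policy names other than RCPFullAWSAccess, and the target IDs are constructed sample data.

```python
# Added example (not Prowler's code): decide whether RCPs are in effective use,
# treating the RCPFullAWSAccess-only state as NOT enforcing anything, and look
# for one concrete security pattern inside a policy document.
DEFAULT_RCP_NAME = "RCPFullAWSAccess"  # AWS-managed allow-all RCP attached on enablement

def _statements(doc):
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]

def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])

def enforcing_rcps(policies):
    """Names of RCPs that restrict something: not the default allow-all policy,
    attached to at least one target, and holding at least one Deny statement.
    An empty result is the false-positive state the review comments describe."""
    names = []
    for p in policies:
        if p["Name"] == DEFAULT_RCP_NAME or not p.get("Targets"):
            continue
        if any(s.get("Effect") == "Deny" for s in _statements(p["Document"])):
            names.append(p["Name"])
    return names

def denies_insecure_transport(doc):
    """True if a Deny covers S3 actions and is conditioned on
    aws:SecureTransport == false (TLS enforcement, NIST 800-53 SC-8)."""
    for s in _statements(doc):
        if s.get("Effect") != "Deny":
            continue
        actions = _as_list(s.get("Action"))
        if not any(a == "*" or a.lower().startswith("s3:") for a in actions):
            continue
        cond = s.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False

# Constructed sample inventory (not real account data); target IDs are made up.
ALLOW_ALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}
ENFORCE_S3_TLS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
SAMPLE_ORG = [
    {"Name": "RCPFullAWSAccess", "Targets": ["r-example"], "Document": ALLOW_ALL},
    {"Name": "EnforceS3TLS", "Targets": ["ou-example"], "Document": ENFORCE_S3_TLS},
    {"Name": "DraftNotAttached", "Targets": [], "Document": ENFORCE_S3_TLS},
]
```

Run against `SAMPLE_ORG`, `enforcing_rcps` returns only `EnforceS3TLS`: the default policy and the unattached draft are both ignored, which is the behaviour the base check would need to avoid the false positive.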

@ethanolivertroy (Author)

@MrCloudSec going to look these over and address this weekend. TY!

Labels
documentation provider/aws Issues/PRs related with the AWS provider
2 participants