aquasecurity
diff --git a/‎Makefile
+6-2 b/‎Makefile
+6-2
diff --git a/‎avd_docs/aws/apigateway/AVD-AWS-0001/CloudFormation.md
+12-11 b/‎avd_docs/aws/apigateway/AVD-AWS-0001/CloudFormation.md
+12-11
diff --git a/‎avd_docs/aws/athena/AVD-AWS-0006/CloudFormation.md
+9-8 b/‎avd_docs/aws/athena/AVD-AWS-0006/CloudFormation.md
+9-8
diff --git a/‎avd_docs/aws/athena/AVD-AWS-0007/CloudFormation.md
+10-9 b/‎avd_docs/aws/athena/AVD-AWS-0007/CloudFormation.md
+10-9
diff --git a/‎avd_docs/aws/cloudfront/AVD-AWS-0010/CloudFormation.md
+14-13 b/‎avd_docs/aws/cloudfront/AVD-AWS-0010/CloudFormation.md
+14-13
diff --git a/‎avd_docs/aws/cloudfront/AVD-AWS-0011/CloudFormation.md
+15-14 b/‎avd_docs/aws/cloudfront/AVD-AWS-0011/CloudFormation.md
+15-14
diff --git a/‎avd_docs/aws/cloudfront/AVD-AWS-0012/CloudFormation.md
+15-14 b/‎avd_docs/aws/cloudfront/AVD-AWS-0012/CloudFormation.md
+15-14
diff --git a/‎avd_docs/aws/cloudfront/AVD-AWS-0013/CloudFormation.md
+16-15 b/‎avd_docs/aws/cloudfront/AVD-AWS-0013/CloudFormation.md
+16-15
diff --git a/‎avd_docs/aws/cloudtrail/AVD-AWS-0014/CloudFormation.md
+9-8 b/‎avd_docs/aws/cloudtrail/AVD-AWS-0014/CloudFormation.md
+9-8
diff --git a/‎avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md
+10-9 b/‎avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md
+10-9
diff --git a/‎avd_docs/aws/cloudtrail/AVD-AWS-0016/CloudFormation.md
+10-9 b/‎avd_docs/aws/cloudtrail/AVD-AWS-0016/CloudFormation.md
+10-9
diff --git a/‎avd_docs/aws/cloudtrail/AVD-AWS-0161/CloudFormation.md
+12-11 b/‎avd_docs/aws/cloudtrail/AVD-AWS-0161/CloudFormation.md
+12-11
diff --git a/‎avd_docs/aws/cloudtrail/AVD-AWS-0162/CloudFormation.md
+6-5 b/‎avd_docs/aws/cloudtrail/AVD-AWS-0162/CloudFormation.md
+6-5
@@ -13,7 +13,7 @@ fmt-rego:
 
 .PHONY: test-rego
 test-rego:
-	go run ./cmd/opa test --explain=fails lib/ checks/
+	go run ./cmd/opa test --explain=fails lib/ checks/ --ignore '*.yaml'
 
 .PHONY: bundle
 bundle: create-bundle verify-bundle
@@ -49,4 +49,8 @@ verify-bundle:
 	rm scripts/bundle.tar.gz
 
 build-opa:
-	go build ./cmd/opa
+	go build ./cmd/opa
+
+.PHONY: fmt-examples
+fmt-examples:
+	go run ./cmd/fmt-examples
@@ -2,19 +2,20 @@
 Enable logging for API Gateway stages
 
 ```yaml
-AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
+AWSTemplateFormatVersion: "2010-09-09T00:00:00Z"
 Description: Good Example of ApiGateway
 Resources:
-    GoodApi:
-        Type: AWS::ApiGatewayV2::Api
-    GoodApiStage:
-        Properties:
-            AccessLogSettings:
-                DestinationArn: gateway-logging
-                Format: json
-            ApiId: GoodApi
-            StageName: GoodApiStage
-        Type: AWS::ApiGatewayV2::Stage
+  GoodApi:
+    Type: AWS::ApiGatewayV2::Api
+  GoodApiStage:
+    Properties:
+      AccessLogSettings:
+        DestinationArn: gateway-logging
+        Format: json
+      ApiId: GoodApi
+      StageName: GoodApiStage
+    Type: AWS::ApiGatewayV2::Stage
+
 ```
 
 
@@ -3,14 +3,15 @@ Enable encryption at rest for Athena databases and workgroup configurations
 
 ```yaml
 Resources:
-    GoodExample:
-        Properties:
-            Name: goodExample
-            WorkGroupConfiguration:
-                ResultConfiguration:
-                    EncryptionConfiguration:
-                        EncryptionOption: SSE_KMS
-        Type: AWS::Athena::WorkGroup
+  GoodExample:
+    Properties:
+      Name: goodExample
+      WorkGroupConfiguration:
+        ResultConfiguration:
+          EncryptionConfiguration:
+            EncryptionOption: SSE_KMS
+    Type: AWS::Athena::WorkGroup
+
 ```
 
 
@@ -3,15 +3,16 @@ Enforce the configuration to prevent client overrides
 
 ```yaml
 Resources:
-    GoodExample:
-        Properties:
-            Name: goodExample
-            WorkGroupConfiguration:
-                EnforceWorkGroupConfiguration: true
-                ResultConfiguration:
-                    EncryptionConfiguration:
-                        EncryptionOption: SSE_KMS
-        Type: AWS::Athena::WorkGroup
+  GoodExample:
+    Properties:
+      Name: goodExample
+      WorkGroupConfiguration:
+        EnforceWorkGroupConfiguration: true
+        ResultConfiguration:
+          EncryptionConfiguration:
+            EncryptionOption: SSE_KMS
+    Type: AWS::Athena::WorkGroup
+
 ```
 
 
@@ -3,19 +3,20 @@ Enable logging for CloudFront distributions
 
 ```yaml
 Resources:
-    GoodExample:
-        Properties:
-            DistributionConfig:
-                DefaultCacheBehavior:
-                    TargetOriginId: target
-                    ViewerProtocolPolicy: https-only
-                Enabled: true
-                Logging:
-                    Bucket: logging-bucket
-                Origins:
-                    - DomainName: https://some.domain
-                      Id: somedomain1
-        Type: AWS::CloudFront::Distribution
+  GoodExample:
+    Properties:
+      DistributionConfig:
+        DefaultCacheBehavior:
+          TargetOriginId: target
+          ViewerProtocolPolicy: https-only
+        Enabled: true
+        Logging:
+          Bucket: logging-bucket
+        Origins:
+          - DomainName: https://some.domain
+            Id: somedomain1
+    Type: AWS::CloudFront::Distribution
+
 ```
 
 
@@ -3,20 +3,21 @@ Enable WAF for the CloudFront distribution
 
 ```yaml
 Resources:
-    GoodExample:
-        Properties:
-            DistributionConfig:
-                DefaultCacheBehavior:
-                    TargetOriginId: target
-                    ViewerProtocolPolicy: https-only
-                Enabled: true
-                Logging:
-                    Bucket: logging-bucket
-                Origins:
-                    - DomainName: https://some.domain
-                      Id: somedomain1
-                WebACLId: waf_id
-        Type: AWS::CloudFront::Distribution
+  GoodExample:
+    Properties:
+      DistributionConfig:
+        DefaultCacheBehavior:
+          TargetOriginId: target
+          ViewerProtocolPolicy: https-only
+        Enabled: true
+        Logging:
+          Bucket: logging-bucket
+        Origins:
+          - DomainName: https://some.domain
+            Id: somedomain1
+        WebACLId: waf_id
+    Type: AWS::CloudFront::Distribution
+
 ```
 
 
@@ -3,20 +3,21 @@ Only allow HTTPS for CloudFront distribution communication
 
 ```yaml
 Resources:
-    GoodExample:
-        Properties:
-            DistributionConfig:
-                DefaultCacheBehavior:
-                    TargetOriginId: target
-                    ViewerProtocolPolicy: https-only
-                Enabled: true
-                Logging:
-                    Bucket: logging-bucket
-                Origins:
-                    - DomainName: https://some.domain
-                      Id: somedomain1
-                WebACLId: waf_id
-        Type: AWS::CloudFront::Distribution
+  GoodExample:
+    Properties:
+      DistributionConfig:
+        DefaultCacheBehavior:
+          TargetOriginId: target
+          ViewerProtocolPolicy: https-only
+        Enabled: true
+        Logging:
+          Bucket: logging-bucket
+        Origins:
+          - DomainName: https://some.domain
+            Id: somedomain1
+        WebACLId: waf_id
+    Type: AWS::CloudFront::Distribution
+
 ```
 
 
@@ -3,21 +3,22 @@ Use the most modern TLS/SSL policies available
 
 ```yaml
 Resources:
-    GoodExample:
-        Properties:
-            DistributionConfig:
-                DefaultCacheBehavior:
-                    TargetOriginId: target
-                    ViewerProtocolPolicy: https-only
-                Enabled: true
-                Logging:
-                    Bucket: logging-bucket
-                Origins:
-                    - DomainName: https://some.domain
-                      Id: somedomain1
-                ViewerCertificate:
-                    MinimumProtocolVersion: TLSv1.2_2021
-        Type: AWS::CloudFront::Distribution
+  GoodExample:
+    Properties:
+      DistributionConfig:
+        DefaultCacheBehavior:
+          TargetOriginId: target
+          ViewerProtocolPolicy: https-only
+        Enabled: true
+        Logging:
+          Bucket: logging-bucket
+        Origins:
+          - DomainName: https://some.domain
+            Id: somedomain1
+        ViewerCertificate:
+          MinimumProtocolVersion: TLSv1.2_2021
+    Type: AWS::CloudFront::Distribution
+
 ```
 
 
@@ -3,14 +3,15 @@ Enable Cloudtrail in all regions
 
 ```yaml
 Resources:
-    GoodExample:
-        Properties:
-            IsLogging: true
-            IsMultiRegionTrail: true
-            S3BucketName: CloudtrailBucket
-            S3KeyPrefix: /trailing
-            TrailName: Cloudtrail
-        Type: AWS::CloudTrail::Trail
+  GoodExample:
+    Properties:
+      IsLogging: true
+      IsMultiRegionTrail: true
+      S3BucketName: CloudtrailBucket
+      S3KeyPrefix: /trailing
+      TrailName: Cloudtrail
+    Type: AWS::CloudTrail::Trail
+
 ```
 
 
@@ -3,15 +3,16 @@ Use Customer managed key
 
 ```yaml
 Resources:
-    GoodExample:
-        Properties:
-            IsLogging: true
-            IsMultiRegionTrail: true
-            KmsKeyId: alias/CloudtrailKey
-            S3BucketName: CloudtrailBucket
-            S3KeyPrefix: /trailing
-            TrailName: Cloudtrail
-        Type: AWS::CloudTrail::Trail
+  GoodExample:
+    Properties:
+      IsLogging: true
+      IsMultiRegionTrail: true
+      KmsKeyId: alias/CloudtrailKey
+      S3BucketName: CloudtrailBucket
+      S3KeyPrefix: /trailing
+      TrailName: Cloudtrail
+    Type: AWS::CloudTrail::Trail
+
 ```
 
 #### Remediation Links
 
@@ -3,15 +3,16 @@ Turn on log validation for Cloudtrail
 
 ```yaml
 Resources:
-    GoodExample:
-        Properties:
-            EnableLogFileValidation: true
-            IsLogging: true
-            IsMultiRegionTrail: true
-            S3BucketName: CloudtrailBucket
-            S3KeyPrefix: /trailing
-            TrailName: Cloudtrail
-        Type: AWS::CloudTrail::Trail
+  GoodExample:
+    Properties:
+      EnableLogFileValidation: true
+      IsLogging: true
+      IsMultiRegionTrail: true
+      S3BucketName: CloudtrailBucket
+      S3KeyPrefix: /trailing
+      TrailName: Cloudtrail
+    Type: AWS::CloudTrail::Trail
+
 ```
 
 
@@ -3,17 +3,18 @@ Restrict public access to the S3 bucket
 
 ```yaml
 Resources:
-    GoodExampleBucket:
-        Properties:
-            AccessControl: Private
-            BucketName: my-bucket
-        Type: AWS::S3::Bucket
-    GoodExampleTrail:
-        Properties:
-            IsLogging: true
-            S3BucketName: my-bucket
-            TrailName: Cloudtrail
-        Type: AWS::CloudTrail::Trail
+  GoodExampleBucket:
+    Properties:
+      AccessControl: Private
+      BucketName: my-bucket
+    Type: AWS::S3::Bucket
+  GoodExampleTrail:
+    Properties:
+      IsLogging: true
+      S3BucketName: my-bucket
+      TrailName: Cloudtrail
+    Type: AWS::CloudTrail::Trail
+
 ```
 
 
@@ -3,11 +3,12 @@ Enable logging to CloudWatch
 
 ```yaml
 Resources:
-    GoodExampleTrail:
-        Properties:
-            CloudWatchLogsLogGroupArn: arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*
-            TrailName: Cloudtrail
-        Type: AWS::CloudTrail::Trail
+  GoodExampleTrail:
+    Properties:
+      CloudWatchLogsLogGroupArn: arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*
+      TrailName: Cloudtrail
+    Type: AWS::CloudTrail::Trail
+
 ```