
fix(aws): order-independent CloudWatch metric filter pattern checks#11345

Open
sahil-sols wants to merge 2 commits into prowler-cloud:master from sahil-sols:fix-metric-filters

Conversation

@sahil-sols

Context

Several AWS CIS-style CloudWatch log metric filter checks validate combined filterPattern strings that use CloudWatch’s { (clause A) || (clause B) || ... } syntax. Each clause is a separate condition; AWS does not guarantee clause order in the stored pattern.

Those checks previously used sequence-dependent regex (clause1.+clause2.+...), so a correctly configured metric filter could be reported as FAIL when clauses appeared in a different order than the regex expected. This PR aligns validation with how AWS actually stores multi-clause patterns.

This is not tied to an open GitHub issue; it improves check accuracy for real-world CloudTrail/CloudWatch configurations.

Description

Summary: Replaces sequential regex chaining with per-clause positive lookaheads ((?=.*...)) in 13 AWS CloudWatch log metric filter checks so every required event/source clause must be present in filterPattern, regardless of order.

Affected checks:

  • cloudwatch_changes_to_network_acls_alarm_configured
  • cloudwatch_changes_to_network_gateways_alarm_configured
  • cloudwatch_changes_to_network_route_tables_alarm_configured
  • cloudwatch_changes_to_vpcs_alarm_configured
  • cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled
  • cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled
  • cloudwatch_log_metric_filter_authentication_failures
  • cloudwatch_log_metric_filter_aws_organizations_changes
  • cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk
  • cloudwatch_log_metric_filter_for_s3_bucket_policy_changes
  • cloudwatch_log_metric_filter_policy_changes
  • cloudwatch_log_metric_filter_security_group_changes
  • cloudwatch_log_metric_filter_sign_in_without_mfa

Matching still goes through check_cloudwatch_log_metric_filter() in prowler/providers/aws/services/cloudwatch/lib/metric_filters.py via re.search(..., flags=re.DOTALL).

Changelog: Entry added under ### 🐞 Fixed in prowler/CHANGELOG.md.

Dependencies: None.

Scope: SDK only — no new checks, no API/UI changes, no permission changes.

Steps to review

  1. Pattern logic — In each updated check, confirm the pattern uses independent (?=.*<clause>) lookaheads instead of clause1.+clause2.+.... Each lookahead should match a single CIS/AWS requirement (event name or event source) and not depend on its position relative to the other clauses.

  2. Helper unchanged — Skim metric_filters.py to confirm behavior is still “all lookaheads must match anywhere in the pattern string”; no change to alarm association logic.

  3. Sanity-check regex — Optionally run a quick Python check with sample filterPattern strings where clauses are reversed, e.g.:

    import re

    # One positive lookahead per required clause; each scans the whole
    # filterPattern from the start, so clause order does not matter.
    pattern = (
        r"(?=.*\$\.eventName\s*=\s*.?CreateVpc)"
        r"(?=.*\$\.eventName\s*=\s*.?DeleteVpc)"
        # ... remaining lookaheads from the check under review
    )
    # Same two clauses in both orders; the lookahead pattern must match both.
    forward = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) }"
    reverse = "{ ($.eventName = DeleteVpc) || ($.eventName = CreateVpc) }"
    assert re.search(pattern, forward, re.DOTALL)
    assert re.search(pattern, reverse, re.DOTALL)
  4. Tests — Run existing CloudWatch metric filter tests:

    uv run pytest tests/providers/aws/services/cloudwatch/ -v

    Or target only the 13 checks listed above.

  5. CHANGELOG — Verify the 5.28.0 / Unreleased entry describes order-independent validation clearly.

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com (N/A — improvement not tracked as an open issue)
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack (N/A)
  • Review if the code is being covered by tests. (Existing moto-based tests under tests/providers/aws/services/cloudwatch/; no new test files in this PR.)
  • Review if code is being documented following Google Python styleguide §3.8. (No new public APIs; check docstrings unchanged.)
  • Review if backport is needed. (No — behavior fix in unreleased SDK line.)
  • Review if is needed to change the Readme.md. (No.)
  • Ensure new entries are added to CHANGELOG.md, if applicable.

SDK/CLI

  • Are there new checks included in this PR? No
    • If so, do we need to update permissions for the provider? N/A

UI

  • All issue/task requirements work as expected on the UI (N/A — SDK only)
  • npm dependencies (N/A)
  • Screenshots — Mobile / Tablet / Desktop (N/A)
  • Ensure new entries are added to ui/CHANGELOG.md, if applicable. (N/A)

API

  • All issue/task requirements work as expected on the API (N/A)
  • Endpoint response output (N/A)
  • EXPLAIN ANALYZE (N/A)
  • Performance test results (N/A)
  • Any other relevant evidence (N/A)
  • Verify if API specs need to be regenerated. (No)
  • Check if version updates are required. (No)
  • Ensure new entries are added to api/CHANGELOG.md, if applicable. (N/A)

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
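The following is an added worked example, not code from the PR or from Prowler's metric_filters.py helper. It puts the pre-fix sequential style (clause1.+clause2.+...) and the post-fix lookahead style side by side and runs both over constructed filterPattern strings in forward order, reversed order, and with one clause missing, so the false FAIL the PR description talks about is visible. The helper names (clause_regex, sequential_pattern, lookahead_pattern, build_filter_pattern, compare) and the event list are assumptions made for this example; the per-clause regex shape only mirrors the one shown in the review snippet, and the re.search(..., flags=re.DOTALL) call mirrors the description of the project helper.

```python
import re

# Constructed, illustrative event names for a VPC-changes style check.
# The real CIS control lists more events; this subset is enough to show the
# ordering problem. (Assumption for this example.)
VPC_EVENTS = ["CreateVpc", "DeleteVpc", "ModifyVpcAttribute"]


def clause_regex(event_name: str) -> str:
    """Regex for one '$.eventName = <name>' clause, mirroring the shape used
    in the review snippet: optional whitespace around '=' and an optional
    single character (a quote) before the event name. Hypothetical helper."""
    return rf"\$\.eventName\s*=\s*.?{re.escape(event_name)}"


def sequential_pattern(events) -> str:
    """Pre-fix style: clause1.+clause2.+...  Each clause must appear AFTER
    the previous one, so the regex is sensitive to clause order."""
    return ".+".join(clause_regex(e) for e in events)


def lookahead_pattern(events) -> str:
    """Post-fix style: one positive lookahead per clause. Every lookahead is
    evaluated from the same position and scans the rest of the string, so
    clauses may appear in any order but each one must be present."""
    return "".join(rf"(?=.*{clause_regex(e)})" for e in events)


def pattern_matches(regex: str, filter_pattern: str) -> bool:
    """Same call shape the PR attributes to the project helper: re.search
    with DOTALL, so '.' also crosses newlines in a stored pattern."""
    return re.search(regex, filter_pattern, flags=re.DOTALL) is not None


def build_filter_pattern(events, quoted: bool = False) -> str:
    """Build a CloudWatch Logs filterPattern of the form
    { ($.eventName = A) || ($.eventName = B) || ... } from a list of events.
    Constructed input for this example; AWS may store clauses in any order."""
    fmt = '($.eventName = "{}")' if quoted else "($.eventName = {})"
    return "{ " + " || ".join(fmt.format(e) for e in events) + " }"


def compare(required_events, filter_pattern: str) -> dict:
    """Run both regex styles against one stored filterPattern and report
    whether each would consider the required clauses present."""
    return {
        "sequential": pattern_matches(sequential_pattern(required_events), filter_pattern),
        "lookahead": pattern_matches(lookahead_pattern(required_events), filter_pattern),
    }


if __name__ == "__main__":
    samples = [
        ("forward", build_filter_pattern(VPC_EVENTS)),
        ("reversed", build_filter_pattern(list(reversed(VPC_EVENTS)))),
        ("quoted", build_filter_pattern(list(reversed(VPC_EVENTS)), quoted=True)),
        ("missing", build_filter_pattern(VPC_EVENTS[:2])),
    ]
    for label, fp in samples:
        print(f"{label:9s} {compare(VPC_EVENTS, fp)}")
```

The reversed sample is the case the PR fixes: the sequential regex reports the clauses as absent even though every required clause is there, while the lookahead regex matches. The missing sample shows that the lookahead form is not simply more permissive: a pattern that lacks a required clause still fails under both styles. Note that neither style rejects a filterPattern that carries extra clauses beyond the required ones; both check presence, not exact equality with the CIS pattern.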

Metric filter validation now uses per-clause lookahead substrings so
combined filterPattern strings match regardless of clause order.

Co-authored-by: Cursor <cursoragent@cursor.com>
@sahil-sols sahil-sols requested a review from a team as a code owner May 24, 2026 08:40
@github-actions github-actions Bot added provider/aws Issues/PRs related with the AWS provider community Opened by the Community labels May 24, 2026

github-actions Bot commented May 24, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.
