chore(arn): add missing ARNs to AWS Services (#2476)

This commit is contained in:
Sergio Garcia
2023-06-12 13:33:12 +02:00
committed by GitHub
parent 49b2a559ae
commit 01cd4bcb47
62 changed files with 249 additions and 102 deletions


@@ -39,7 +39,7 @@ It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, Fe
| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.cloud/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.cloud/en/latest/tutorials/misc/#categories) |
|---|---|---|---|---|
| AWS | 282 | 55 -> `prowler aws --list-services` | 21 -> `prowler aws --list-compliance` | 5 -> `prowler aws --list-categories` |
| AWS | 283 | 55 -> `prowler aws --list-services` | 21 -> `prowler aws --list-compliance` | 5 -> `prowler aws --list-categories` |
| GCP | 59 | 10 -> `prowler gcp --list-services` | CIS soon | 0 -> `prowler gcp --list-categories`|
| Azure | 20 | 3 -> `prowler azure --list-services` | CIS soon | 1 -> `prowler azure --list-categories` |
| Kubernetes | Planned | - | - | - |


@@ -41,7 +41,7 @@ class APIGateway:
get_rest_apis_paginator = regional_client.get_paginator("get_rest_apis")
for page in get_rest_apis_paginator.paginate():
for apigw in page["items"]:
arn = f"arn:{self.audited_partition}:apigateway:{regional_client.region}::/apis/{apigw['id']}"
arn = f"arn:{self.audited_partition}:apigateway:{regional_client.region}::/restapis/{apigw['id']}"
if not self.audit_resources or (
is_resource_filtered(arn, self.audit_resources)
):
@@ -100,7 +100,7 @@ class APIGateway:
logging = True
if "clientCertificateId" in stage:
client_certificate = True
arn = f"arn:{self.audited_partition}:apigateway:{regional_client.region}::/apis/{rest_api.id}/stages/{stage['stageName']}"
arn = f"arn:{self.audited_partition}:apigateway:{regional_client.region}::/restapis/{rest_api.id}/stages/{stage['stageName']}"
rest_api.stages.append(
Stage(
name=stage["stageName"],


@@ -10,18 +10,18 @@ class apigatewayv2_authorizers_enabled(Check):
for api in apigatewayv2_client.apis:
report = Check_Report_AWS(self.metadata())
report.region = api.region
report.resource_id = api.name
report.resource_arn = api.arn
report.resource_tags = api.tags
report.status = "FAIL"
report.status_extended = (
f"API Gateway V2 {api.name} ID {api.id} has not authorizer configured."
)
if api.authorizer:
report.status = "PASS"
report.status_extended = (
f"API Gateway V2 {api.name} ID {api.id} has authorizer configured."
)
report.resource_id = api.name
report.resource_tags = api.tags
else:
report.status = "FAIL"
report.status_extended = f"API Gateway V2 {api.name} ID {api.id} has not authorizer configured."
report.resource_id = api.name
report.resource_tags = api.tags
findings.append(report)
return findings


@@ -14,6 +14,7 @@ class ApiGatewayV2:
self.service = "apigatewayv2"
self.session = audit_info.audit_session
self.audited_account = audit_info.audited_account
self.audited_partition = audit_info.audited_partition
self.audit_resources = audit_info.audit_resources
self.regional_clients = generate_regional_clients(self.service, audit_info)
self.apis = []
@@ -39,11 +40,13 @@ class ApiGatewayV2:
get_apis_paginator = regional_client.get_paginator("get_apis")
for page in get_apis_paginator.paginate():
for apigw in page["Items"]:
arn = f"arn:{self.audited_partition}:apigateway:{regional_client.region}::apis/{apigw['ApiId']}"
if not self.audit_resources or (
is_resource_filtered(apigw["ApiId"], self.audit_resources)
is_resource_filtered(arn, self.audit_resources)
):
self.apis.append(
API(
arn=arn,
id=apigw["ApiId"],
region=regional_client.region,
name=apigw["Name"],
@@ -98,6 +101,7 @@ class Stage(BaseModel):
class API(BaseModel):
arn: str
id: str
region: str
name: str
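Review bot: The ARN built at the top of the paginated listing loop in this section has no `/` before `apis`, producing `arn:aws:apigateway:<region>::apis/<id>`, while the REST API hunk in this same commit writes `::/restapis/<id>` and AWS documents the HTTP/WebSocket API ARN as `arn:${Partition}:apigateway:${Region}::/apis/${ApiId}`. Because `is_resource_filtered` now compares against this string, a user passing the documented ARN via `--resource-arn` would match nothing. Suggested: `arn = f"arn:{self.audited_partition}:apigateway:{regional_client.region}::/apis/{apigw['ApiId']}"`. The enclosing method starts and continues outside the hunk.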


@@ -31,6 +31,7 @@ class cloudwatch_changes_to_network_acls_alarm_configured(Check):
if metric_filter.log_group in log_groups:
if re.search(pattern, metric_filter.pattern):
report.resource_id = metric_filter.log_group
report.resource_arn = metric_filter.arn
report.region = metric_filter.region
report.status = "FAIL"
report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated."
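Review bot: `report.resource_id` is the log group name while the newly added `report.resource_arn` points at the metric filter, so the two identifiers in the finding describe different objects; the same pairing is repeated in the other CloudWatch metric-filter checks in this commit. If the filter is the subject of the finding, `report.resource_id = metric_filter.name` keeps them consistent; if the log group is, the ARN should be the log group's rather than the filter's. The hunk shows only the FAIL branch of a loop that begins and ends outside it, so whether `resource_arn` is also set on the PASS path cannot be confirmed here.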


@@ -31,6 +31,7 @@ class cloudwatch_changes_to_network_gateways_alarm_configured(Check):
if metric_filter.log_group in log_groups:
if re.search(pattern, metric_filter.pattern):
report.resource_id = metric_filter.log_group
report.resource_arn = metric_filter.arn
report.region = metric_filter.region
report.status = "FAIL"
report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated."


@@ -31,6 +31,7 @@ class cloudwatch_changes_to_network_route_tables_alarm_configured(Check):
if metric_filter.log_group in log_groups:
if re.search(pattern, metric_filter.pattern):
report.resource_id = metric_filter.log_group
report.resource_arn = metric_filter.arn
report.region = metric_filter.region
report.status = "FAIL"
report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated."


@@ -31,6 +31,7 @@ class cloudwatch_changes_to_vpcs_alarm_configured(Check):
if metric_filter.log_group in log_groups:
if re.search(pattern, metric_filter.pattern):
report.resource_id = metric_filter.log_group
report.resource_arn = metric_filter.arn
report.region = metric_filter.region
report.status = "FAIL"
report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated."


@@ -33,6 +33,7 @@ class cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_change
if metric_filter.log_group in log_groups:
if re.search(pattern, metric_filter.pattern):
report.resource_id = metric_filter.log_group
report.resource_arn = metric_filter.arn
report.region = metric_filter.region
report.status = "FAIL"
report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated."


@@ -33,6 +33,7 @@ class cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_change
if metric_filter.log_group in log_groups:
if re.search(pattern, metric_filter.pattern):
report.resource_id = metric_filter.log_group
report.resource_arn = metric_filter.arn
report.region = metric_filter.region
report.status = "FAIL"
report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated."


@@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_authentication_failures(Check):
if metric_filter.log_group in log_groups:
if re.search(pattern, metric_filter.pattern):
report.resource_id = metric_filter.log_group
report.resource_arn = metric_filter.arn
report.region = metric_filter.region
report.status = "FAIL"
report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated."


@@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_aws_organizations_changes(Check):
if metric_filter.log_group in log_groups:
if re.search(pattern, metric_filter.pattern):
report.resource_id = metric_filter.log_group
report.resource_arn = metric_filter.arn
report.region = metric_filter.region
report.status = "FAIL"
report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated."


@@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk(Chec
if metric_filter.log_group in log_groups:
if re.search(pattern, metric_filter.pattern):
report.resource_id = metric_filter.log_group
report.resource_arn = metric_filter.arn
report.region = metric_filter.region
report.status = "FAIL"
report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated."


@@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_for_s3_bucket_policy_changes(Check):
if metric_filter.log_group in log_groups:
if re.search(pattern, metric_filter.pattern):
report.resource_id = metric_filter.log_group
report.resource_arn = metric_filter.arn
report.region = metric_filter.region
report.status = "FAIL"
report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated."


@@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_policy_changes(Check):
if metric_filter.log_group in log_groups:
if re.search(pattern, metric_filter.pattern):
report.resource_id = metric_filter.log_group
report.resource_arn = metric_filter.arn
report.region = metric_filter.region
report.status = "FAIL"
report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated."


@@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_root_usage(Check):
if metric_filter.log_group in log_groups:
if re.search(pattern, metric_filter.pattern):
report.resource_id = metric_filter.log_group
report.resource_arn = metric_filter.arn
report.region = metric_filter.region
report.status = "FAIL"
report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated."


@@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_security_group_changes(Check):
if metric_filter.log_group in log_groups:
if re.search(pattern, metric_filter.pattern):
report.resource_id = metric_filter.log_group
report.resource_arn = metric_filter.arn
report.region = metric_filter.region
report.status = "FAIL"
report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated."


@@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_sign_in_without_mfa(Check):
if metric_filter.log_group in log_groups:
if re.search(pattern, metric_filter.pattern):
report.resource_id = metric_filter.log_group
report.resource_arn = metric_filter.arn
report.region = metric_filter.region
report.status = "FAIL"
report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated."


@@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_unauthorized_api_calls(Check):
if metric_filter.log_group in log_groups:
if re.search(pattern, metric_filter.pattern):
report.resource_id = metric_filter.log_group
report.resource_arn = metric_filter.arn
report.region = metric_filter.region
report.status = "FAIL"
report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated."


@@ -17,6 +17,7 @@ class CloudWatch:
self.session = audit_info.audit_session
self.audited_account = audit_info.audited_account
self.audit_resources = audit_info.audit_resources
self.audited_partition = audit_info.audited_partition
self.region = list(
generate_regional_clients(
self.service, audit_info, global_service=True
@@ -89,6 +90,7 @@ class Logs:
self.service = "logs"
self.session = audit_info.audit_session
self.audited_account = audit_info.audited_account
self.audited_partition = audit_info.audited_partition
self.audit_resources = audit_info.audit_resources
self.regional_clients = generate_regional_clients(self.service, audit_info)
self.metric_filters = []
@@ -125,11 +127,13 @@ class Logs:
)
for page in describe_metric_filters_paginator.paginate():
for filter in page["metricFilters"]:
arn = f"arn:{self.audited_partition}:logs:{regional_client.region}:{self.audited_account}:metric-filter/{filter['filterName']}"
if not self.audit_resources or (
is_resource_filtered(filter["filterName"], self.audit_resources)
is_resource_filtered(arn, self.audit_resources)
):
self.metric_filters.append(
MetricFilter(
arn=arn,
name=filter["filterName"],
metric=filter["metricTransformations"][0]["metricName"],
pattern=filter.get("filterPattern", ""),
@@ -237,6 +241,7 @@ class MetricAlarm(BaseModel):
class MetricFilter(BaseModel):
arn: str
name: str
metric: str
pattern: str
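Review bot: The metric-filter ARN built in the `describe_metric_filters` hunk, `...:metric-filter/{filter['filterName']}`, is not a CloudWatch Logs ARN resource type I can find documented (the service authorization reference lists log-group, log-stream and destination), and as far as I know filter names are only unique within a log group, so two filters with the same name in different log groups would collapse to the same string and be indistinguishable to `is_resource_filtered`. If the response carries `logGroupName`, folding it in, e.g. `...:log-group:{filter['logGroupName']}:metric-filter:{filter['filterName']}`, would at least keep the identifier unique per filter. A short comment such as `# synthetic identifier: CloudWatch Logs does not expose an ARN for metric filters` would stop readers from feeding this value to other AWS tooling. The enclosing method starts and continues outside the hunk.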


@@ -16,6 +16,7 @@ class DynamoDB:
self.session = audit_info.audit_session
self.audited_account = audit_info.audited_account
self.audit_resources = audit_info.audit_resources
self.audited_partition = audit_info.audited_partition
self.regional_clients = generate_regional_clients(self.service, audit_info)
self.tables = []
self.__threading_call__(self.__list_tables__)
@@ -41,12 +42,13 @@ class DynamoDB:
list_tables_paginator = regional_client.get_paginator("list_tables")
for page in list_tables_paginator.paginate():
for table in page["TableNames"]:
arn = f"arn:{self.audited_partition}:dynamodb:{regional_client.region}:{self.audited_account}:table/{table}"
if not self.audit_resources or (
is_resource_filtered(table, self.audit_resources)
is_resource_filtered(arn, self.audit_resources)
):
self.tables.append(
Table(
arn="",
arn=arn,
name=table,
encryption_type=None,
kms_arn=None,
@@ -66,7 +68,6 @@ class DynamoDB:
properties = regional_client.describe_table(TableName=table.name)[
"Table"
]
table.arn = properties["TableArn"]
if "SSEDescription" in properties:
if "SSEType" in properties["SSEDescription"]:
table.encryption_type = properties["SSEDescription"]["SSEType"]


@@ -14,6 +14,8 @@ class EKS:
self.service = "eks"
self.session = audit_info.audit_session
self.audit_resources = audit_info.audit_resources
self.audited_partition = audit_info.audited_partition
self.audited_account = audit_info.audited_account
self.regional_clients = generate_regional_clients(self.service, audit_info)
self.clusters = []
self.__threading_call__(self.__list_clusters__)
@@ -37,11 +39,13 @@ class EKS:
list_clusters_paginator = regional_client.get_paginator("list_clusters")
for page in list_clusters_paginator.paginate():
for cluster in page["clusters"]:
arn = f"arn:{self.audited_partition}:eks:{regional_client.region}:{self.audited_account}:cluster/{cluster}"
if not self.audit_resources or (
is_resource_filtered(cluster, self.audit_resources)
is_resource_filtered(arn, self.audit_resources)
):
self.clusters.append(
EKSCluster(
arn=arn,
name=cluster,
region=regional_client.region,
)
@@ -58,7 +62,6 @@ class EKS:
for cluster in self.clusters:
regional_client = regional_clients[cluster.region]
describe_cluster = regional_client.describe_cluster(name=cluster.name)
cluster.arn = describe_cluster["cluster"]["arn"]
if "logging" in describe_cluster["cluster"]:
cluster.logging = EKSClusterLoggingEntity(
types=describe_cluster["cluster"]["logging"]["clusterLogging"][
@@ -106,7 +109,7 @@ class EKSClusterLoggingEntity(BaseModel):
class EKSCluster(BaseModel):
name: str
arn: str = None
arn: str
region: str
logging: EKSClusterLoggingEntity = None
endpoint_public_access: bool = None


@@ -8,6 +8,7 @@ class glue_database_connections_ssl_enabled(Check):
for conn in glue_client.connections:
report = Check_Report_AWS(self.metadata())
report.resource_id = conn.name
report.resource_arn = conn.arn
report.region = conn.region
report.status = "FAIL"
report.status_extended = (


@@ -9,6 +9,7 @@ class glue_development_endpoints_cloudwatch_logs_encryption_enabled(Check):
no_sec_configs = True
report = Check_Report_AWS(self.metadata())
report.resource_id = endpoint.name
report.resource_arn = endpoint.arn
report.region = endpoint.region
for sec_config in glue_client.security_configs:
if sec_config.name == endpoint.security:


@@ -9,6 +9,7 @@ class glue_development_endpoints_job_bookmark_encryption_enabled(Check):
no_sec_configs = True
report = Check_Report_AWS(self.metadata())
report.resource_id = endpoint.name
report.resource_arn = endpoint.arn
report.region = endpoint.region
for sec_config in glue_client.security_configs:
if sec_config.name == endpoint.security:


@@ -9,6 +9,7 @@ class glue_development_endpoints_s3_encryption_enabled(Check):
no_sec_configs = True
report = Check_Report_AWS(self.metadata())
report.resource_id = endpoint.name
report.resource_arn = endpoint.arn
report.region = endpoint.region
for sec_config in glue_client.security_configs:
if sec_config.name == endpoint.security:


@@ -9,6 +9,7 @@ class glue_etl_jobs_amazon_s3_encryption_enabled(Check):
no_sec_configs = True
report = Check_Report_AWS(self.metadata())
report.resource_id = job.name
report.resource_arn = job.arn
report.region = job.region
for sec_config in glue_client.security_configs:
if sec_config.name == job.security:


@@ -9,6 +9,7 @@ class glue_etl_jobs_cloudwatch_logs_encryption_enabled(Check):
no_sec_configs = True
report = Check_Report_AWS(self.metadata())
report.resource_id = job.name
report.resource_arn = job.arn
report.region = job.region
for sec_config in glue_client.security_configs:
if sec_config.name == job.security:


@@ -9,6 +9,7 @@ class glue_etl_jobs_job_bookmark_encryption_enabled(Check):
no_sec_configs = True
report = Check_Report_AWS(self.metadata())
report.resource_id = job.name
report.resource_arn = job.arn
report.region = job.region
for sec_config in glue_client.security_configs:
if sec_config.name == job.security:


@@ -15,6 +15,7 @@ class Glue:
self.session = audit_info.audit_session
self.audited_account = audit_info.audited_account
self.audit_resources = audit_info.audit_resources
self.audited_partition = audit_info.audited_account
self.regional_clients = generate_regional_clients(self.service, audit_info)
self.connections = []
self.__threading_call__(self.__get_connections__)
@@ -47,11 +48,13 @@ class Glue:
get_connections_paginator = regional_client.get_paginator("get_connections")
for page in get_connections_paginator.paginate():
for conn in page["ConnectionList"]:
arn = f"arn:{self.audited_partition}:glue:{regional_client.region}:{self.audited_account}:connection/{conn['Name']}"
if not self.audit_resources or (
is_resource_filtered(conn["Name"], self.audit_resources)
is_resource_filtered(arn, self.audit_resources)
):
self.connections.append(
Connection(
arn=arn,
name=conn["Name"],
type=conn["ConnectionType"],
properties=conn["ConnectionProperties"],
@@ -71,13 +74,13 @@ class Glue:
)
for page in get_dev_endpoints_paginator.paginate():
for endpoint in page["DevEndpoints"]:
arn = f"arn:{self.audited_partition}:glue:{regional_client.region}:{self.audited_account}:devEndpoint/{endpoint['EndpointName']}"
if not self.audit_resources or (
is_resource_filtered(
endpoint["EndpointName"], self.audit_resources
)
is_resource_filtered(arn, self.audit_resources)
):
self.dev_endpoints.append(
DevEndpoint(
arn=arn,
name=endpoint["EndpointName"],
security=endpoint.get("SecurityConfiguration"),
region=regional_client.region,
@@ -94,12 +97,14 @@ class Glue:
get_jobs_paginator = regional_client.get_paginator("get_jobs")
for page in get_jobs_paginator.paginate():
for job in page["Jobs"]:
arn = f"arn:{self.audited_partition}:glue:{regional_client.region}:{self.audited_account}:job/{job['Name']}"
if not self.audit_resources or (
is_resource_filtered(job["Name"], self.audit_resources)
is_resource_filtered(arn, self.audit_resources)
):
self.jobs.append(
Job(
name=job["Name"],
arn=arn,
security=job.get("SecurityConfiguration"),
arguments=job.get("DefaultArguments"),
region=regional_client.region,
@@ -154,11 +159,13 @@ class Glue:
logger.info("Glue - Search Tables...")
try:
for table in regional_client.search_tables()["TableList"]:
arn = f"arn:{self.audited_partition}:glue:{regional_client.region}:{self.audited_account}:table/{table['DatabaseName']}/{table['Name']}"
if not self.audit_resources or (
is_resource_filtered(table["Name"], self.audit_resources)
is_resource_filtered(arn, self.audit_resources)
):
self.tables.append(
Table(
arn=arn,
name=table["Name"],
database=table["DatabaseName"],
catalog=table["CatalogId"],
@@ -197,6 +204,7 @@ class Glue:
class Connection(BaseModel):
name: str
arn: str
type: str
properties: dict
region: str
@@ -204,6 +212,7 @@ class Connection(BaseModel):
class Table(BaseModel):
name: str
arn: str
database: str
catalog: Optional[str]
region: str
@@ -219,11 +228,13 @@ class CatalogEncryptionSetting(BaseModel):
class DevEndpoint(BaseModel):
name: str
arn: str
security: Optional[str]
region: str
class Job(BaseModel):
arn: str
name: str
security: Optional[str]
arguments: Optional[dict]
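Review bot: `self.audited_partition = audit_info.audited_account` in the constructor hunk of this section assigns the account ID to the partition, so every Glue ARN built later in the file (`connection/`, `devEndpoint/`, `job/`, `table/`) comes out as `arn:123456789012:glue:...` instead of `arn:aws:glue:...`; the fix is `self.audited_partition = audit_info.audited_partition`, as every other service in this commit does. Because `is_resource_filtered` now compares against that malformed string, a `--resource-arn` filter for Glue resources will silently match nothing, and the `resource_arn` emitted by the Glue checks updated in this commit will be wrong. A unit test that constructs `Glue` with a stubbed `audit_info` and asserts `connections[0].arn.startswith("arn:aws:glue:")` would have caught this. The constructor and the listing methods all start or continue outside the hunks shown.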


@@ -43,10 +43,10 @@ class GuardDuty:
list_detectors_paginator = regional_client.get_paginator("list_detectors")
for page in list_detectors_paginator.paginate():
for detector in page["DetectorIds"]:
arn = f"arn:{self.audited_partition}:guardduty:{regional_client.region}:{self.audited_account}:detector/{detector}"
if not self.audit_resources or (
is_resource_filtered(detector, self.audit_resources)
is_resource_filtered(arn, self.audit_resources)
):
arn = f"arn:{self.audited_partition}:guardduty:{regional_client.region}:{self.audited_account}:detector/{detector}"
self.detectors.append(
Detector(
id=detector, arn=arn, region=regional_client.region


@@ -70,11 +70,13 @@ class Inspector2:
for page in list_findings_paginator.paginate():
for finding in page["findings"]:
if not self.audit_resources or (
is_resource_filtered(finding, self.audit_resources)
is_resource_filtered(
finding["findingArn"], self.audit_resources
)
):
inspector.findings.append(
InspectorFinding(
arn=finding.get("findingArn"),
arn=finding["findingArn"],
region=regional_client.region,
severity=finding.get("severity"),
status=finding.get("status"),


@@ -12,7 +12,7 @@ class networkfirewall_in_all_vpc(Check):
report = Check_Report_AWS(self.metadata())
report.region = vpc.region
report.resource_id = vpc.id
report.resource_arn = ""
report.resource_arn = vpc.arn
report.resource_tags = vpc.tags
report.status = "FAIL"
report.status_extended = (


@@ -15,6 +15,8 @@ class OpenSearchService:
self.service = "opensearch"
self.session = audit_info.audit_session
self.audit_resources = audit_info.audit_resources
self.audited_partition = audit_info.audited_partition
self.audited_account = audit_info.audited_account
self.regional_clients = generate_regional_clients(self.service, audit_info)
self.opensearch_domains = []
self.__threading_call__(self.__list_domain_names__)
@@ -39,12 +41,15 @@ class OpenSearchService:
try:
domains = regional_client.list_domain_names()
for domain in domains["DomainNames"]:
arn = f"arn:{self.audited_partition}:opensearch:{regional_client.region}:{self.audited_account}:domain/{domain['DomainName']}"
if not self.audit_resources or (
is_resource_filtered(domain["DomainName"], self.audit_resources)
is_resource_filtered(arn, self.audit_resources)
):
self.opensearch_domains.append(
OpenSearchDomain(
name=domain["DomainName"], region=regional_client.region
arn=arn,
name=domain["DomainName"],
region=regional_client.region,
)
)
except Exception as error:
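Review bot: The domain ARN built in the `list_domain_names` hunk uses `opensearch` as the service namespace, but OpenSearch Service domain ARNs keep the legacy `es` namespace, `arn:aws:es:<region>:<account>:domain/<name>`, which is also what `describe_domain` returns in its `ARN` field. With `is_resource_filtered` now comparing against this string, a user filtering on the real domain ARN would get no results, and the `resource_arn` in OpenSearch findings would not match the console. Suggested: `arn = f"arn:{self.audited_partition}:es:{regional_client.region}:{self.audited_account}:domain/{domain['DomainName']}"`, or populate `arn` from the `describe_domain` response if that call already exists elsewhere in this service. `__list_domain_names__` starts outside the hunk.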


@@ -52,16 +52,15 @@ class RDS:
)
for page in describe_db_instances_paginator.paginate():
for instance in page["DBInstances"]:
arn = f"arn:{self.audited_partition}:rds:{regional_client.region}:{self.audited_account}:db:{instance['DBInstanceIdentifier']}"
if not self.audit_resources or (
is_resource_filtered(
instance["DBInstanceIdentifier"], self.audit_resources
)
is_resource_filtered(arn, self.audit_resources)
):
if instance["Engine"] != "docdb":
self.db_instances.append(
DBInstance(
id=instance["DBInstanceIdentifier"],
arn=f"arn:{self.audited_partition}:rds:{regional_client.region}:{self.audited_account}:db:{instance['DBInstanceIdentifier']}",
arn=arn,
endpoint=instance.get("Endpoint"),
engine=instance["Engine"],
engine_version=instance["EngineVersion"],
@@ -125,16 +124,15 @@ class RDS:
)
for page in describe_db_snapshots_paginator.paginate():
for snapshot in page["DBSnapshots"]:
arn = f"arn:{self.audited_partition}:rds:{regional_client.region}:{self.audited_account}:snapshot:{snapshot['DBSnapshotIdentifier']}"
if not self.audit_resources or (
is_resource_filtered(
snapshot["DBSnapshotIdentifier"], self.audit_resources
)
is_resource_filtered(arn, self.audit_resources)
):
if snapshot["Engine"] != "docdb":
self.db_snapshots.append(
DBSnapshot(
id=snapshot["DBSnapshotIdentifier"],
arn=f"arn:{self.audited_partition}:rds:{regional_client.region}:{self.audited_account}:snapshot:{snapshot['DBSnapshotIdentifier']}",
arn=arn,
instance_id=snapshot["DBInstanceIdentifier"],
region=regional_client.region,
tags=snapshot.get("TagList", []),
@@ -175,13 +173,11 @@ class RDS:
)
for page in describe_db_clusters_paginator.paginate():
for cluster in page["DBClusters"]:
db_cluster_arn = f"arn:{self.audited_partition}:rds:{regional_client.region}:{self.audited_account}:cluster:{cluster['DBClusterIdentifier']}"
if not self.audit_resources or (
is_resource_filtered(
cluster["DBClusterIdentifier"], self.audit_resources
)
is_resource_filtered(db_cluster_arn, self.audit_resources)
):
if cluster["Engine"] != "docdb":
db_cluster_arn = f"arn:{self.audited_partition}:rds:{regional_client.region}:{self.audited_account}:cluster:{cluster['DBClusterIdentifier']}"
db_cluster = DBCluster(
id=cluster["DBClusterIdentifier"],
arn=db_cluster_arn,
@@ -220,9 +216,10 @@ class RDS:
)
for page in describe_db_snapshots_paginator.paginate():
for snapshot in page["DBClusterSnapshots"]:
arn = f"arn:{self.audited_partition}:rds:{regional_client.region}:{self.audited_account}:cluster-snapshot:{snapshot['DBClusterSnapshotIdentifier']}"
if not self.audit_resources or (
is_resource_filtered(
snapshot["DBClusterSnapshotIdentifier"],
arn,
self.audit_resources,
)
):
@@ -230,7 +227,7 @@ class RDS:
self.db_cluster_snapshots.append(
ClusterSnapshot(
id=snapshot["DBClusterSnapshotIdentifier"],
arn=f"arn:{self.audited_partition}:rds:{regional_client.region}:{self.audited_account}:cluster-snapshot:{snapshot['DBClusterSnapshotIdentifier']}",
arn=arn,
cluster_id=snapshot["DBClusterIdentifier"],
region=regional_client.region,
tags=snapshot.get("TagList", []),


@@ -14,6 +14,8 @@ class Redshift:
self.service = "redshift"
self.session = audit_info.audit_session
self.audit_resources = audit_info.audit_resources
self.audited_partition = audit_info.audited_partition
self.audited_account = audit_info.audited_account
self.regional_clients = generate_regional_clients(self.service, audit_info)
self.clusters = []
self.__threading_call__(self.__describe_clusters__)
@@ -38,12 +40,12 @@ class Redshift:
list_clusters_paginator = regional_client.get_paginator("describe_clusters")
for page in list_clusters_paginator.paginate():
for cluster in page["Clusters"]:
arn = f"arn:{self.audited_partition}:redshift:{regional_client.region}:{self.audited_account}:cluster:{cluster['ClusterIdentifier']}"
if not self.audit_resources or (
is_resource_filtered(
cluster["ClusterIdentifier"], self.audit_resources
)
is_resource_filtered(arn, self.audit_resources)
):
cluster_to_append = Cluster(
arn=arn,
id=cluster["ClusterIdentifier"],
region=regional_client.region,
tags=cluster.get("Tags"),


@@ -15,6 +15,8 @@ class SQS:
self.service = "sqs"
self.session = audit_info.audit_session
self.audit_resources = audit_info.audit_resources
self.audited_account = audit_info.audited_account
self.audited_partition = audit_info.audited_partition
self.regional_clients = generate_regional_clients(self.service, audit_info)
self.queues = []
self.__threading_call__(self.__list_queues__)
@@ -40,11 +42,13 @@ class SQS:
for page in list_queues_paginator.paginate():
if "QueueUrls" in page:
for queue in page["QueueUrls"]:
arn = f"arn:{self.audited_partition}:sqs:{regional_client.region}:{self.audited_account}:{queue}"
if not self.audit_resources or (
is_resource_filtered(queue, self.audit_resources)
is_resource_filtered(arn, self.audit_resources)
):
self.queues.append(
Queue(
arn=arn,
id=queue,
region=regional_client.region,
)
@@ -98,7 +102,7 @@ class SQS:
class Queue(BaseModel):
id: str
arn: str = ""
arn: str
region: str
policy: dict = None
kms_key_id: str = None
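Review bot: The ARN built in the `__list_queues__` hunk interpolates `queue` directly, but `page["QueueUrls"]` holds full queue URLs of the form `https://sqs.<region>.amazonaws.com/<account>/<name>`, so the result is `arn:aws:sqs:<region>:<account>:https://sqs...` rather than `arn:aws:sqs:<region>:<account>:<name>`. Either derive the name from the last URL segment, `arn = f"arn:{self.audited_partition}:sqs:{regional_client.region}:{self.audited_account}:{queue.rsplit('/', 1)[-1]}"`, or read the authoritative `QueueArn` attribute from `get_queue_attributes`. Since `is_resource_filtered` now matches on this string and `Queue.arn` lost its `""` default in the model hunk, the malformed value also breaks `--resource-arn` filtering for SQS and leaks a URL-shaped ARN into findings. `__list_queues__` starts and continues outside the hunk.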


@@ -58,11 +58,11 @@ class SSM:
list_documents_paginator = regional_client.get_paginator("list_documents")
for page in list_documents_paginator.paginate(**list_documents_parameters):
for document in page["DocumentIdentifiers"]:
document_name = document["Name"]
document_arn = f"arn:{self.audited_partition}:ssm:{regional_client.region}:{self.audited_account}:document/{document_name}"
if not self.audit_resources or (
is_resource_filtered(document["Name"], self.audit_resources)
is_resource_filtered(document_arn, self.audit_resources)
):
document_name = document["Name"]
document_arn = f"arn:{self.audited_partition}:ssm:{regional_client.region}:{self.audited_account}:document/{document_name}"
# We must use the Document ARN as the dict key to have unique keys
self.documents[document_arn] = Document(
arn=document_arn,


@@ -18,6 +18,7 @@ class vpc_endpoint_connections_trust_boundaries(Check):
report.status = "FAIL"
report.status_extended = f"VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id} has full access."
report.resource_id = endpoint.id
report.resource_arn = endpoint.arn
report.resource_tags = endpoint.tags
findings.append(report)
break
@@ -34,6 +35,7 @@ class vpc_endpoint_connections_trust_boundaries(Check):
report.status = "FAIL"
report.status_extended = f"VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id} has full access."
report.resource_id = endpoint.id
report.resource_arn = endpoint.arn
report.resource_tags = endpoint.tags
else:
account_id = principal_arn.split(":")[4]
@@ -44,11 +46,13 @@ class vpc_endpoint_connections_trust_boundaries(Check):
report.status = "PASS"
report.status_extended = f"Found trusted account {account_id} in VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id}."
report.resource_id = endpoint.id
report.resource_arn = endpoint.arn
report.resource_tags = endpoint.tags
else:
report.status = "FAIL"
report.status_extended = f"Found untrusted account {account_id} in VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id}."
report.resource_id = endpoint.id
report.resource_arn = endpoint.arn
report.resource_tags = endpoint.tags
findings.append(report)


@@ -17,6 +17,7 @@ class vpc_endpoint_services_allowed_principals_trust_boundaries(Check):
f"VPC Endpoint Service {service.id} has no allowed principals."
)
report.resource_id = service.id
report.resource_arn = service.arn
report.resource_tags = service.tags
findings.append(report)
else:
@@ -31,11 +32,13 @@ class vpc_endpoint_services_allowed_principals_trust_boundaries(Check):
report.status = "PASS"
report.status_extended = f"Found trusted account {account_id} in VPC Endpoint Service {service.id}."
report.resource_id = service.id
report.resource_arn = service.arn
report.resource_tags = service.tags
else:
report.status = "FAIL"
report.status_extended = f"Found untrusted account {account_id} in VPC Endpoint Service {service.id}."
report.resource_id = service.id
report.resource_arn = service.arn
report.resource_tags = service.tags
findings.append(report)


@@ -9,14 +9,14 @@ class vpc_flow_logs_enabled(Check):
report = Check_Report_AWS(self.metadata())
report.region = vpc.region
report.resource_tags = vpc.tags
report.resource_id = vpc.id
report.resource_arn = vpc.arn
report.status = "FAIL"
report.status_extended = f"VPC {vpc.id} Flow logs are disabled."
if vpc.flow_log:
report.status = "PASS"
report.status_extended = f"VPC {vpc.id} Flow logs are enabled."
report.resource_id = vpc.id
else:
report.status = "FAIL"
report.status_extended = f"VPC {vpc.id} Flow logs are disabled."
report.resource_id = vpc.id
findings.append(report)
return findings


@@ -9,6 +9,12 @@ class vpc_peering_routing_tables_with_least_privilege(Check):
report = Check_Report_AWS(self.metadata())
report.region = peer.region
report.resource_tags = peer.tags
report.resource_id = peer.id
report.resource_arn = peer.arn
report.status = "PASS"
report.status_extended = (
f"VPC Peering Connection {peer.id} comply with least privilege access."
)
comply = True
# Check each cidr in the peering route table
for route_table in peer.route_tables:
@@ -22,11 +28,7 @@ class vpc_peering_routing_tables_with_least_privilege(Check):
if not comply:
report.status = "FAIL"
report.status_extended = f"VPC Peering Connection {peer.id} does not comply with least privilege access since it accepts whole VPCs CIDR in its route tables."
report.resource_id = peer.id
else:
report.status = "PASS"
report.status_extended = f"VPC Peering Connection {peer.id} comply with least privilege access."
report.resource_id = peer.id
findings.append(report)
return findings


@@ -16,6 +16,7 @@ class VPC:
self.session = audit_info.audit_session
self.audited_account = audit_info.audited_account
self.audit_resources = audit_info.audit_resources
self.audited_partition = audit_info.audited_partition
self.regional_clients = generate_regional_clients(self.service, audit_info)
self.vpcs = {}
self.vpc_peering_connections = []
@@ -54,10 +55,12 @@ class VPC:
describe_vpcs_paginator = regional_client.get_paginator("describe_vpcs")
for page in describe_vpcs_paginator.paginate():
for vpc in page["Vpcs"]:
arn = f"arn:{self.audited_partition}:ec2:{regional_client.region}:{self.audited_account}:vpc/{vpc['VpcId']}"
if not self.audit_resources or (
is_resource_filtered(vpc["VpcId"], self.audit_resources)
is_resource_filtered(arn, self.audit_resources)
):
self.vpcs[vpc["VpcId"]] = VPCs(
arn=arn,
id=vpc["VpcId"],
default=vpc["IsDefault"],
cidr_block=vpc["CidrBlock"],
@@ -77,14 +80,14 @@ class VPC:
)
for page in describe_vpc_peering_connections_paginator.paginate():
for conn in page["VpcPeeringConnections"]:
arn = f"arn:{self.audited_partition}:ec2:{regional_client.region}:{self.audited_account}:vpc-peering-connection/{conn['VpcPeeringConnectionId']}"
if not self.audit_resources or (
is_resource_filtered(
conn["VpcPeeringConnectionId"], self.audit_resources
)
is_resource_filtered(arn, self.audit_resources)
):
conn["AccepterVpcInfo"]["CidrBlock"] = None
self.vpc_peering_connections.append(
VpcPeeringConnection(
arn=arn,
id=conn["VpcPeeringConnectionId"],
accepter_vpc=conn["AccepterVpcInfo"]["VpcId"],
accepter_cidr=conn["AccepterVpcInfo"].get("CidrBlock"),
@@ -166,16 +169,16 @@ class VPC:
)
for page in describe_vpc_endpoints_paginator.paginate():
for endpoint in page["VpcEndpoints"]:
arn = f"arn:{self.audited_partition}:ec2:{regional_client.region}:{self.audited_account}:vpc-endpoint/{endpoint['VpcEndpointId']}"
if not self.audit_resources or (
is_resource_filtered(
endpoint["VpcEndpointId"], self.audit_resources
)
is_resource_filtered(arn, self.audit_resources)
):
endpoint_policy = None
if endpoint.get("PolicyDocument"):
endpoint_policy = json.loads(endpoint["PolicyDocument"])
self.vpc_endpoints.append(
VpcEndpoint(
arn=arn,
id=endpoint["VpcEndpointId"],
vpc_id=endpoint["VpcId"],
state=endpoint["State"],
@@ -199,13 +202,13 @@ class VPC:
for page in describe_vpc_endpoint_services_paginator.paginate():
for endpoint in page["ServiceDetails"]:
if endpoint["Owner"] != "amazon":
arn = f"arn:{self.audited_partition}:ec2:{regional_client.region}:{self.audited_account}:vpc-endpoint-service/{endpoint['ServiceId']}"
if not self.audit_resources or (
is_resource_filtered(
endpoint["ServiceId"], self.audit_resources
)
is_resource_filtered(arn, self.audit_resources)
):
self.vpc_endpoint_services.append(
VpcEndpointService(
arn=arn,
id=endpoint["ServiceId"],
service=endpoint["ServiceName"],
owner_id=endpoint["Owner"],
@@ -245,7 +248,7 @@ class VPC:
for page in describe_subnets_paginator.paginate():
for subnet in page["Subnets"]:
if not self.audit_resources or (
is_resource_filtered(subnet["SubnetId"], self.audit_resources)
is_resource_filtered(subnet["SubnetArn"], self.audit_resources)
):
try:
# Check the route table associated with the subnet to see if it's public
@@ -285,6 +288,7 @@ class VPC:
nat_gateway = True
# Add it to to list of vpc_subnets and to the VPC object
object = VpcSubnet(
arn=subnet["SubnetArn"],
id=subnet["SubnetId"],
default=subnet["DefaultForAz"],
vpc_id=subnet["VpcId"],
@@ -312,6 +316,7 @@ class VPC:
class VpcSubnet(BaseModel):
arn: str
id: str
default: bool
vpc_id: str
@@ -325,6 +330,7 @@ class VpcSubnet(BaseModel):
class VPCs(BaseModel):
arn: str
id: str
default: bool
cidr_block: str
@@ -340,6 +346,7 @@ class Route(BaseModel):
class VpcPeeringConnection(BaseModel):
arn: str
id: str
accepter_vpc: str
accepter_cidr: Optional[str]
@@ -351,6 +358,7 @@ class VpcPeeringConnection(BaseModel):
class VpcEndpoint(BaseModel):
arn: str
id: str
vpc_id: str
state: str
@@ -361,6 +369,7 @@ class VpcEndpoint(BaseModel):
class VpcEndpointService(BaseModel):
arn: str
id: str
service: str
owner_id: str
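Review bot: The EC2 ARN f-string at the head of the VPC, peering-connection, endpoint and endpoint-service loops is repeated four times with only the resource-type segment and the id key changing; a small helper such as `def __ec2_arn__(self, region, resource_type, resource_id): return f"arn:{self.audited_partition}:ec2:{region}:{self.audited_account}:{resource_type}/{resource_id}"` would keep the partition/service/region/account layout in one place, while the subnet loop can keep using the API-supplied `subnet["SubnetArn"]`. These hunks also change the value handed to `is_resource_filtered` from the bare resource id to the ARN (the WorkSpaces hunk further down does the same); if `is_resource_filtered`, which is not visible here, matches on the whole string, any filter list that previously held ids will stop matching silently, so a short comment at the call sites or a changelog line about the new expected input would help operators. The enclosing methods start and end outside these hunks.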


@@ -12,6 +12,7 @@ class vpc_subnet_different_az(Check):
report.status = "FAIL"
report.status_extended = f"VPC {vpc.id} has no subnets."
report.resource_id = vpc.id
report.resource_arn = vpc.arn
if vpc.subnets:
availability_zone = None
for subnet in vpc.subnets:


@@ -11,7 +11,7 @@ class vpc_subnet_no_public_ip_by_default(Check):
report.region = subnet.region
report.resource_tags = subnet.tags
report.resource_id = subnet.id
report.resource_arn = subnet.arn
if subnet.mapPublicIpOnLaunch:
report.status = "FAIL"
report.status_extended = (


@@ -12,6 +12,7 @@ class vpc_subnet_separate_private_public(Check):
report.status = "FAIL"
report.status_extended = f"VPC {vpc.id} has no subnets."
report.resource_id = vpc.id
report.resource_arn = vpc.arn
if vpc.subnets:
public = False
private = False


@@ -14,6 +14,8 @@ class WorkSpaces:
self.service = "workspaces"
self.session = audit_info.audit_session
self.audit_resources = audit_info.audit_resources
self.audited_partition = audit_info.audited_partition
self.audited_account = audit_info.audited_account
self.regional_clients = generate_regional_clients(self.service, audit_info)
self.workspaces = []
self.__threading_call__(self.__describe_workspaces__)
@@ -39,12 +41,12 @@ class WorkSpaces:
)
for page in describe_workspaces_paginator.paginate():
for workspace in page["Workspaces"]:
arn = f"arn:{self.audited_partition}:workspaces:{regional_client.region}:{self.audited_account}:workspace/{workspace['WorkspaceId']}"
if not self.audit_resources or (
is_resource_filtered(
workspace["WorkspaceId"], self.audit_resources
)
is_resource_filtered(arn, self.audit_resources)
):
workspace_to_append = WorkSpace(
arn=arn,
id=workspace.get("WorkspaceId"),
region=regional_client.region,
subnet_id=workspace.get("SubnetId"),


@@ -120,7 +120,7 @@ class Test_apigateway_authorizers_enabled:
assert result[0].resource_id == "test-rest-api"
assert (
result[0].resource_arn
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}"
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}"
)
@mock_apigateway
@@ -161,5 +161,5 @@ class Test_apigateway_authorizers_enabled:
assert result[0].resource_id == "test-rest-api"
assert (
result[0].resource_arn
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}"
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}"
)


@@ -130,7 +130,7 @@ class Test_apigateway_client_certificate_enabled:
assert result[0].resource_id == "test-rest-api"
assert (
result[0].resource_arn
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}/stages/test"
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}/stages/test"
)
@mock_apigateway
@@ -162,7 +162,7 @@ class Test_apigateway_client_certificate_enabled:
service_client.rest_apis[0].stages.append(
Stage(
name="test",
arn=f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/test-rest-api/stages/test",
arn=f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/test-rest-api/stages/test",
logging=True,
client_certificate=True,
waf=True,
@@ -181,5 +181,5 @@ class Test_apigateway_client_certificate_enabled:
assert result[0].resource_id == "test-rest-api"
assert (
result[0].resource_arn
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/test-rest-api/stages/test"
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/test-rest-api/stages/test"
)


@@ -101,7 +101,7 @@ class Test_apigateway_endpoint_public:
assert result[0].resource_id == "test-rest-api"
assert (
result[0].resource_arn
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}"
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}"
)
@mock_apigateway
@@ -147,5 +147,5 @@ class Test_apigateway_endpoint_public:
assert result[0].resource_id == "test-rest-api"
assert (
result[0].resource_arn
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}"
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}"
)


@@ -133,7 +133,7 @@ class Test_apigateway_logging_enabled:
assert result[0].resource_id == "test-rest-api"
assert (
result[0].resource_arn
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}/stages/test"
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}/stages/test"
)
@mock_apigateway
@@ -202,5 +202,5 @@ class Test_apigateway_logging_enabled:
assert result[0].resource_id == "test-rest-api"
assert (
result[0].resource_arn
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}/stages/test"
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}/stages/test"
)


@@ -139,7 +139,7 @@ class Test_apigateway_waf_acl_attached:
assert result[0].resource_id == "test-rest-api"
assert (
result[0].resource_arn
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}/stages/test"
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}/stages/test"
)
@mock_apigateway
@@ -208,5 +208,5 @@ class Test_apigateway_waf_acl_attached:
assert result[0].resource_id == "test-rest-api"
assert (
result[0].resource_arn
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}/stages/test"
== f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}/stages/test"
)


@@ -38,6 +38,7 @@ class Test_glue_database_connections_ssl_enabled:
"CONNECTOR_CLASS_NAME": "test",
},
region=AWS_REGION,
arn="arn_test",
)
]
@@ -60,6 +61,7 @@ class Test_glue_database_connections_ssl_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"
def test_glue_table_with_SSL(self):
glue_client = mock.MagicMock
@@ -75,6 +77,7 @@ class Test_glue_database_connections_ssl_enabled:
"JDBC_ENFORCE_SSL": "true",
},
region=AWS_REGION,
arn="arn_test",
)
]
@@ -97,3 +100,4 @@ class Test_glue_database_connections_ssl_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"
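Review bot: The new `arn="arn_test"` fixtures and the matching `assert result[0].resource_arn == "arn_test"` checks repeat the same bare literal in every test method; a module-level constant with a realistic shape, e.g. `CONNECTION_ARN = f"arn:aws:glue:{AWS_REGION}:<account-id>:connection/test"` (account id left as a placeholder), would make the assertions read as an ARN and let a later format check reuse it. Because the Glue client here is a `mock.MagicMock`, these tests only confirm that the check copies `arn` onto the report, not that the service builds the ARN correctly, which is worth keeping in mind when reading them as coverage. The same applies to the other Glue test files below, to the networkfirewall tests (where the VPC and its subnet are given the identical `"arn_test"` value) and to the SQS tests.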


@@ -32,6 +32,7 @@ class Test_glue_development_endpoints_cloudwatch_logs_encryption_enabled:
name="test",
security="sec_config",
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = [
@@ -64,6 +65,7 @@ class Test_glue_development_endpoints_cloudwatch_logs_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"
def test_glue_unencrypted_endpoint(self):
glue_client = mock.MagicMock
@@ -72,6 +74,7 @@ class Test_glue_development_endpoints_cloudwatch_logs_encryption_enabled:
name="test",
security="sec_config",
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = [
@@ -103,6 +106,7 @@ class Test_glue_development_endpoints_cloudwatch_logs_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"
def test_glue_no_sec_configs(self):
glue_client = mock.MagicMock
@@ -111,6 +115,7 @@ class Test_glue_development_endpoints_cloudwatch_logs_encryption_enabled:
name="test",
security="sec_config",
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = []
@@ -134,3 +139,4 @@ class Test_glue_development_endpoints_cloudwatch_logs_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"


@@ -32,6 +32,7 @@ class Test_glue_development_endpoints_job_bookmark_encryption_enabled:
name="test",
security="sec_config",
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = [
@@ -64,6 +65,7 @@ class Test_glue_development_endpoints_job_bookmark_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"
def test_glue_unencrypted_endpoint(self):
glue_client = mock.MagicMock
@@ -72,6 +74,7 @@ class Test_glue_development_endpoints_job_bookmark_encryption_enabled:
name="test",
security="sec_config",
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = [
@@ -103,6 +106,7 @@ class Test_glue_development_endpoints_job_bookmark_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"
def test_glue_no_sec_configs(self):
glue_client = mock.MagicMock
@@ -111,6 +115,7 @@ class Test_glue_development_endpoints_job_bookmark_encryption_enabled:
name="test",
security="sec_config",
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = []
@@ -134,3 +139,4 @@ class Test_glue_development_endpoints_job_bookmark_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"


@@ -32,6 +32,7 @@ class Test_glue_development_endpoints_s3_encryption_enabled:
name="test",
security="sec_config",
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = [
@@ -64,6 +65,7 @@ class Test_glue_development_endpoints_s3_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"
def test_glue_unencrypted_endpoint(self):
glue_client = mock.MagicMock
@@ -72,6 +74,7 @@ class Test_glue_development_endpoints_s3_encryption_enabled:
name="test",
security="sec_config",
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = [
@@ -103,6 +106,7 @@ class Test_glue_development_endpoints_s3_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"
def test_glue_no_sec_configs(self):
glue_client = mock.MagicMock
@@ -111,6 +115,7 @@ class Test_glue_development_endpoints_s3_encryption_enabled:
name="test",
security="sec_config",
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = []
@@ -134,3 +139,4 @@ class Test_glue_development_endpoints_s3_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"


@@ -33,6 +33,7 @@ class Test_glue_etl_jobs_amazon_s3_encryption_enabled:
security="sec_config",
arguments=None,
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = [
@@ -65,6 +66,7 @@ class Test_glue_etl_jobs_amazon_s3_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"
def test_glue_unencrypted_job(self):
glue_client = mock.MagicMock
@@ -74,6 +76,7 @@ class Test_glue_etl_jobs_amazon_s3_encryption_enabled:
security="sec_config",
arguments=None,
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = [
@@ -105,6 +108,7 @@ class Test_glue_etl_jobs_amazon_s3_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"
def test_glue_no_sec_configs(self):
glue_client = mock.MagicMock
@@ -113,6 +117,7 @@ class Test_glue_etl_jobs_amazon_s3_encryption_enabled:
name="test",
security="sec_config",
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = []
@@ -136,6 +141,7 @@ class Test_glue_etl_jobs_amazon_s3_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"
def test_glue_encrypted_job_with_argument(self):
glue_client = mock.MagicMock
@@ -148,6 +154,7 @@ class Test_glue_etl_jobs_amazon_s3_encryption_enabled:
"--enable-job-insights": "false",
},
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = []
@@ -171,3 +178,4 @@ class Test_glue_etl_jobs_amazon_s3_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"


@@ -33,6 +33,7 @@ class Test_glue_etl_jobs_cloudwatch_logs_encryption_enabled:
security="sec_config",
arguments=None,
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = [
@@ -65,6 +66,7 @@ class Test_glue_etl_jobs_cloudwatch_logs_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"
def test_glue_unencrypted_job(self):
glue_client = mock.MagicMock
@@ -74,6 +76,7 @@ class Test_glue_etl_jobs_cloudwatch_logs_encryption_enabled:
security="sec_config",
arguments=None,
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = [
@@ -105,6 +108,7 @@ class Test_glue_etl_jobs_cloudwatch_logs_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"
def test_glue_no_sec_configs(self):
glue_client = mock.MagicMock
@@ -113,6 +117,7 @@ class Test_glue_etl_jobs_cloudwatch_logs_encryption_enabled:
name="test",
security="sec_config",
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = []
@@ -136,3 +141,4 @@ class Test_glue_etl_jobs_cloudwatch_logs_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"


@@ -33,6 +33,7 @@ class Test_glue_etl_jobs_job_bookmark_encryption_enabled:
security="sec_config",
arguments=None,
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = [
@@ -65,6 +66,7 @@ class Test_glue_etl_jobs_job_bookmark_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"
def test_glue_unencrypted_job(self):
glue_client = mock.MagicMock
@@ -74,6 +76,7 @@ class Test_glue_etl_jobs_job_bookmark_encryption_enabled:
security="sec_config",
arguments=None,
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = [
@@ -105,6 +108,7 @@ class Test_glue_etl_jobs_job_bookmark_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"
def test_glue_no_sec_configs(self):
glue_client = mock.MagicMock
@@ -113,6 +117,7 @@ class Test_glue_etl_jobs_job_bookmark_encryption_enabled:
name="test",
security="sec_config",
region=AWS_REGION,
arn="arn_test",
)
]
glue_client.security_configs = []
@@ -136,3 +141,4 @@ class Test_glue_etl_jobs_job_bookmark_encryption_enabled:
result[0].status_extended,
)
assert result[0].resource_id == "test"
assert result[0].resource_arn == "arn_test"


@@ -97,9 +97,11 @@ class Test_networkfirewall_in_all_vpc:
cidr_block="192.168.0.0/16",
flow_log=False,
region=AWS_REGION,
arn="arn_test",
subnets=[
VpcSubnet(
id="subnet-123456789",
arn="arn_test",
default=False,
vpc_id=VPC_ID_PROTECTED,
cidr_block="192.168.0.0/24",
@@ -146,7 +148,7 @@ class Test_networkfirewall_in_all_vpc:
assert result[0].region == AWS_REGION
assert result[0].resource_id == VPC_ID_PROTECTED
assert result[0].resource_tags == []
assert result[0].resource_arn == ""
assert result[0].resource_arn == "arn_test"
def test_vpcs_without_firewall(self):
networkfirewall_client = mock.MagicMock
@@ -161,9 +163,11 @@ class Test_networkfirewall_in_all_vpc:
cidr_block="192.168.0.0/16",
flow_log=False,
region=AWS_REGION,
arn="arn_test",
subnets=[
VpcSubnet(
id="subnet-123456789",
arn="arn_test",
default=False,
vpc_id=VPC_ID_UNPROTECTED,
cidr_block="192.168.0.0/24",
@@ -210,7 +214,7 @@ class Test_networkfirewall_in_all_vpc:
assert result[0].region == AWS_REGION
assert result[0].resource_id == VPC_ID_UNPROTECTED
assert result[0].resource_tags == []
assert result[0].resource_arn == ""
assert result[0].resource_arn == "arn_test"
def test_vpcs_with_and_without_firewall(self):
networkfirewall_client = mock.MagicMock
@@ -235,9 +239,11 @@ class Test_networkfirewall_in_all_vpc:
cidr_block="192.168.0.0/16",
flow_log=False,
region=AWS_REGION,
arn="arn_test",
subnets=[
VpcSubnet(
id="subnet-123456789",
arn="arn_test",
default=False,
vpc_id=VPC_ID_UNPROTECTED,
cidr_block="192.168.0.0/24",
@@ -257,9 +263,11 @@ class Test_networkfirewall_in_all_vpc:
cidr_block="192.168.0.0/16",
flow_log=False,
region=AWS_REGION,
arn="arn_test",
subnets=[
VpcSubnet(
id="subnet-123456789",
arn="arn_test",
default=False,
vpc_id=VPC_ID_PROTECTED,
cidr_block="192.168.0.0/24",
@@ -308,7 +316,7 @@ class Test_networkfirewall_in_all_vpc:
assert r.region == AWS_REGION
assert r.resource_id == VPC_ID_PROTECTED
assert r.resource_tags == []
assert r.resource_arn == ""
assert r.resource_arn == "arn_test"
if r.resource_id == VPC_ID_UNPROTECTED:
assert r.status == "FAIL"
assert (
@@ -318,4 +326,4 @@ class Test_networkfirewall_in_all_vpc:
assert r.region == AWS_REGION
assert r.resource_id == VPC_ID_UNPROTECTED
assert r.resource_tags == []
assert r.resource_arn == ""
assert r.resource_arn == "arn_test"


@@ -77,7 +77,12 @@ class Test_sqs_queues_not_publicly_accessible:
sqs_client = mock.MagicMock
sqs_client.queues = []
sqs_client.queues.append(
Queue(id=queue_id, region=AWS_REGION, policy=test_restricted_policy)
Queue(
id=queue_id,
region=AWS_REGION,
policy=test_restricted_policy,
arn="arn_test",
)
)
with mock.patch(
"prowler.providers.aws.services.sqs.sqs_service.SQS",
@@ -93,13 +98,18 @@ class Test_sqs_queues_not_publicly_accessible:
assert result[0].status == "PASS"
assert search("is not public", result[0].status_extended)
assert result[0].resource_id == queue_id
assert result[0].resource_arn == ""
assert result[0].resource_arn == "arn_test"
def test_queues_public(self):
sqs_client = mock.MagicMock
sqs_client.queues = []
sqs_client.queues.append(
Queue(id=queue_id, region=AWS_REGION, policy=test_public_policy)
Queue(
id=queue_id,
region=AWS_REGION,
policy=test_public_policy,
arn="arn_test",
)
)
with mock.patch(
"prowler.providers.aws.services.sqs.sqs_service.SQS",
@@ -115,14 +125,17 @@ class Test_sqs_queues_not_publicly_accessible:
assert result[0].status == "FAIL"
assert search("policy with public access", result[0].status_extended)
assert result[0].resource_id == queue_id
assert result[0].resource_arn == ""
assert result[0].resource_arn == "arn_test"
def test_queues_public_with_condition(self):
sqs_client = mock.MagicMock
sqs_client.queues = []
sqs_client.queues.append(
Queue(
id=queue_id, region=AWS_REGION, policy=test_public_policy_with_condition
id=queue_id,
region=AWS_REGION,
policy=test_public_policy_with_condition,
arn="arn_test",
)
)
with mock.patch(
@@ -142,4 +155,4 @@ class Test_sqs_queues_not_publicly_accessible:
result[0].status_extended,
)
assert result[0].resource_id == queue_id
assert result[0].resource_arn == ""
assert result[0].resource_arn == "arn_test"


@@ -32,7 +32,12 @@ class Test_sqs_queues_server_side_encryption_enabled:
sqs_client = mock.MagicMock
sqs_client.queues = []
sqs_client.queues.append(
Queue(id=queue_id, region=AWS_REGION, kms_key_id=test_kms_key_id)
Queue(
id=queue_id,
region=AWS_REGION,
kms_key_id=test_kms_key_id,
arn="arn_test",
)
)
with mock.patch(
"prowler.providers.aws.services.sqs.sqs_service.SQS",
@@ -48,7 +53,7 @@ class Test_sqs_queues_server_side_encryption_enabled:
assert result[0].status == "PASS"
assert search("is using Server Side Encryption", result[0].status_extended)
assert result[0].resource_id == queue_id
assert result[0].resource_arn == ""
assert result[0].resource_arn == "arn_test"
def test_queues_no_encryption(self):
sqs_client = mock.MagicMock
@@ -57,6 +62,7 @@ class Test_sqs_queues_server_side_encryption_enabled:
Queue(
id=queue_id,
region=AWS_REGION,
arn="arn_test",
)
)
with mock.patch(
@@ -75,4 +81,4 @@ class Test_sqs_queues_server_side_encryption_enabled:
"is not using Server Side Encryption", result[0].status_extended
)
assert result[0].resource_id == queue_id
assert result[0].resource_arn == ""
assert result[0].resource_arn == "arn_test"