From 01cd4bcb4738a19ab2c1b6c2a170ece33af48286 Mon Sep 17 00:00:00 2001 
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com> Date: Mon, 12 Jun 2023 13:33:12 +0200 Subject: [PATCH] chore(arn): add missing ARNs to AWS Services (#2476) --- README.md | 2 +- .../services/apigateway/apigateway_service.py | 4 +-- .../apigatewayv2_authorizers_enabled.py | 14 ++++----- .../apigatewayv2/apigatewayv2_service.py | 6 +++- ...hanges_to_network_acls_alarm_configured.py | 1 + ...es_to_network_gateways_alarm_configured.py | 1 + ...o_network_route_tables_alarm_configured.py | 1 + ...dwatch_changes_to_vpcs_alarm_configured.py | 1 + ...ws_config_configuration_changes_enabled.py | 1 + ...loudtrail_configuration_changes_enabled.py | 1 + ...g_metric_filter_authentication_failures.py | 1 + ...metric_filter_aws_organizations_changes.py | 1 + ...isable_or_scheduled_deletion_of_kms_cmk.py | 1 + ...ric_filter_for_s3_bucket_policy_changes.py | 1 + ...dwatch_log_metric_filter_policy_changes.py | 1 + ...cloudwatch_log_metric_filter_root_usage.py | 1 + ...og_metric_filter_security_group_changes.py | 1 + ...h_log_metric_filter_sign_in_without_mfa.py | 1 + ...og_metric_filter_unauthorized_api_calls.py | 1 + .../services/cloudwatch/cloudwatch_service.py | 7 ++++- .../aws/services/dynamodb/dynamodb_service.py | 7 +++-- .../providers/aws/services/eks/eks_service.py | 9 ++++-- .../glue_database_connections_ssl_enabled.py | 1 + ...ints_cloudwatch_logs_encryption_enabled.py | 1 + ...dpoints_job_bookmark_encryption_enabled.py | 1 + ...lopment_endpoints_s3_encryption_enabled.py | 1 + ...e_etl_jobs_amazon_s3_encryption_enabled.py | 1 + ...jobs_cloudwatch_logs_encryption_enabled.py | 1 + ...tl_jobs_job_bookmark_encryption_enabled.py | 1 + .../aws/services/glue/glue_service.py | 23 ++++++++++---- .../services/guardduty/guardduty_service.py | 4 +-- .../services/inspector2/inspector2_service.py | 6 ++-- .../networkfirewall_in_all_vpc.py | 2 +- .../services/opensearch/opensearch_service.py | 9 ++++-- .../providers/aws/services/rds/rds_service.py | 25 +++++++-------- 
.../aws/services/redshift/redshift_service.py | 8 +++-- .../providers/aws/services/sqs/sqs_service.py | 8 +++-- .../providers/aws/services/ssm/ssm_service.py | 6 ++-- ...c_endpoint_connections_trust_boundaries.py | 4 +++ ...ces_allowed_principals_trust_boundaries.py | 3 ++ .../vpc_flow_logs_enabled.py | 10 +++--- ...ing_routing_tables_with_least_privilege.py | 12 ++++--- .../providers/aws/services/vpc/vpc_service.py | 31 ++++++++++++------- .../vpc_subnet_different_az.py | 1 + .../vpc_subnet_no_public_ip_by_default.py | 2 +- .../vpc_subnet_separate_private_public.py | 1 + .../services/workspaces/workspaces_service.py | 8 +++-- .../apigateway_authorizers_enabled_test.py | 4 +-- ...gateway_client_certificate_enabled_test.py | 6 ++-- .../apigateway_endpoint_public_test.py | 4 +-- .../apigateway_logging_enabled_test.py | 4 +-- .../apigateway_waf_acl_attached_test.py | 4 +-- ...e_database_connections_ssl_enabled_test.py | 4 +++ ...cloudwatch_logs_encryption_enabled_test.py | 6 ++++ ...ts_job_bookmark_encryption_enabled_test.py | 6 ++++ ...nt_endpoints_s3_encryption_enabled_test.py | 6 ++++ ..._jobs_amazon_s3_encryption_enabled_test.py | 8 +++++ ...cloudwatch_logs_encryption_enabled_test.py | 6 ++++ ...bs_job_bookmark_encryption_enabled_test.py | 6 ++++ .../networkfirewall_in_all_vpc_test.py | 16 +++++++--- ...sqs_queues_not_publicly_accessible_test.py | 25 +++++++++++---- ...ues_server_side_encryption_enabled_test.py | 12 +++++-- 62 files changed, 249 insertions(+), 102 deletions(-) diff --git a/README.md b/README.md index 7283151c..5b509793 100644 --- a/README.md +++ b/README.md 
@@ -39,7 +39,7 @@ It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, Fe
 
 | Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.cloud/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.cloud/en/latest/tutorials/misc/#categories) |
 |---|---|---|---|---|
-| AWS | 282 | 55 -> `prowler aws --list-services` | 21 -> `prowler aws --list-compliance` | 5 -> `prowler aws --list-categories` |
+| AWS | 283 | 55 -> `prowler aws --list-services` | 21 -> `prowler aws --list-compliance` | 5 -> `prowler aws --list-categories` |
 | GCP | 59 | 10 -> `prowler gcp --list-services` | CIS soon | 0 -> `prowler gcp --list-categories`|
 | Azure | 20 | 3 -> `prowler azure --list-services` | CIS soon | 1 -> `prowler azure --list-categories` |
 | Kubernetes | Planned | - | - | - |
diff --git a/prowler/providers/aws/services/apigateway/apigateway_service.py b/prowler/providers/aws/services/apigateway/apigateway_service.py
index cbc46dba..5922c14c 100644
--- a/prowler/providers/aws/services/apigateway/apigateway_service.py
+++ b/prowler/providers/aws/services/apigateway/apigateway_service.py
@@ -41,7 +41,7 @@ class APIGateway:
 get_rest_apis_paginator = regional_client.get_paginator("get_rest_apis")
 for page in get_rest_apis_paginator.paginate():
 for apigw in page["items"]:
-arn = f"arn:{self.audited_partition}:apigateway:{regional_client.region}::/apis/{apigw['id']}"
+arn = f"arn:{self.audited_partition}:apigateway:{regional_client.region}::/restapis/{apigw['id']}"
 if not self.audit_resources or (
 is_resource_filtered(arn, self.audit_resources)
 ):
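Review bot: The switch from `::/apis/{id}` to `::/restapis/{id}` at the `+arn = ...` line changes the `resource_arn` of every existing REST API finding and the key the `audit_resources` filter matches against, which the title ("add missing ARNs") does not convey; the stage hunk at `@@ -100,7 +100,7 @@` makes the same change. A sentence in the PR description would let users whose resource filters or allowlists are keyed on the old form know to update them. `::/restapis/<id>` with an empty account field is the documented REST API ARN shape, so the new value looks right; a short comment on the line, `# REST API ARN has no account id: arn:<partition>:apigateway:<region>::/restapis/<id>`, would explain the double colon to the next reader. If the API model already stores `arn`, the stage ARN below could be derived as `f"{rest_api.arn}/stages/{stage['stageName']}"` instead of rebuilding the prefix, but the model is not visible from here.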
@@ -100,7 +100,7 @@ class APIGateway:
 logging = True
 if "clientCertificateId" in stage:
 client_certificate = True
-arn = f"arn:{self.audited_partition}:apigateway:{regional_client.region}::/apis/{rest_api.id}/stages/{stage['stageName']}"
+arn = f"arn:{self.audited_partition}:apigateway:{regional_client.region}::/restapis/{rest_api.id}/stages/{stage['stageName']}"
 rest_api.stages.append(
 Stage(
 name=stage["stageName"],
diff --git a/prowler/providers/aws/services/apigatewayv2/apigatewayv2_authorizers_enabled/apigatewayv2_authorizers_enabled.py b/prowler/providers/aws/services/apigatewayv2/apigatewayv2_authorizers_enabled/apigatewayv2_authorizers_enabled.py
index 25f3df16..bb34d79b 100644
--- a/prowler/providers/aws/services/apigatewayv2/apigatewayv2_authorizers_enabled/apigatewayv2_authorizers_enabled.py
+++ b/prowler/providers/aws/services/apigatewayv2/apigatewayv2_authorizers_enabled/apigatewayv2_authorizers_enabled.py
@@ -10,18 +10,18 @@ class apigatewayv2_authorizers_enabled(Check):
 for api in apigatewayv2_client.apis:
 report = Check_Report_AWS(self.metadata())
 report.region = api.region
+report.resource_id = api.name
+report.resource_arn = api.arn
+report.resource_tags = api.tags
+report.status = "FAIL"
+report.status_extended = (
+f"API Gateway V2 {api.name} ID {api.id} has not authorizer configured."
+)
 if api.authorizer:
 report.status = "PASS"
 report.status_extended = (
 f"API Gateway V2 {api.name} ID {api.id} has authorizer configured."
 )
-report.resource_id = api.name
-report.resource_tags = api.tags
-else:
-report.status = "FAIL"
-report.status_extended = f"API Gateway V2 {api.name} ID {api.id} has not authorizer configured."
-report.resource_id = api.name
-report.resource_tags = api.tags
 findings.append(report)
 
 return findings
diff --git a/prowler/providers/aws/services/apigatewayv2/apigatewayv2_service.py b/prowler/providers/aws/services/apigatewayv2/apigatewayv2_service.py
index 08a26abf..25d11585 100644
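Review bot: The FAIL message introduced at `+f"API Gateway V2 {api.name} ID {api.id} has not authorizer configured."` reads awkwardly; since the string is new on this side of the hunk, `has no authorizer configured.` is the natural wording, and any test that asserts on the text verbatim should change with it. Setting `resource_id`, `resource_arn`, `resource_tags` and the FAIL default once before the `if` and overriding only `status`/`status_extended` on PASS is a clean simplification of the old duplicated branches. The head of `execute` (the `findings = []` line) is outside the hunk.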
--- a/prowler/providers/aws/services/apigatewayv2/apigatewayv2_service.py
+++ b/prowler/providers/aws/services/apigatewayv2/apigatewayv2_service.py
@@ -14,6 +14,7 @@ class ApiGatewayV2:
 self.service = "apigatewayv2"
 self.session = audit_info.audit_session
 self.audited_account = audit_info.audited_account
+self.audited_partition = audit_info.audited_partition
 self.audit_resources = audit_info.audit_resources
 self.regional_clients = generate_regional_clients(self.service, audit_info)
 self.apis = []
@@ -39,11 +40,13 @@ class ApiGatewayV2:
 get_apis_paginator = regional_client.get_paginator("get_apis")
 for page in get_apis_paginator.paginate():
 for apigw in page["Items"]:
+arn = f"arn:{self.audited_partition}:apigateway:{regional_client.region}::apis/{apigw['ApiId']}"
 if not self.audit_resources or (
-is_resource_filtered(apigw["ApiId"], self.audit_resources)
+is_resource_filtered(arn, self.audit_resources)
 ):
 self.apis.append(
 API(
+arn=arn,
 id=apigw["ApiId"],
 region=regional_client.region,
 name=apigw["Name"],
@@ -98,6 +101,7 @@ class Stage(BaseModel):
 
 
 class API(BaseModel):
+arn: str
 id: str
 region: str
 name: str
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py
index 38a94343..ed6ead46 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py
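Review bot: The ARN built at the `+arn = ...` line in the `get_apis` hunk has no slash before `apis/`, whereas the v1 service in this same commit writes `::/restapis/`; API Gateway ARNs carry a leading slash in the resource part (`arn:<partition>:apigateway:<region>::/apis/<api-id>`), so the value produced here will not equal the ARN a user copies from the console into the `audit_resources` filter, and it will disagree with what other tooling reports for the same API. Change it to `arn = f"arn:{self.audited_partition}:apigateway:{regional_client.region}::/apis/{apigw['ApiId']}"` and update any test that asserts on the string. Making `arn: str` required on the `API` model is the right call, since every constructor site in this hunk now supplies it.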
@@ -31,6 +31,7 @@ class cloudwatch_changes_to_network_acls_alarm_configured(Check): if metric_filter.log_group in log_groups: if re.search(pattern, metric_filter.pattern): report.resource_id = metric_filter.log_group + report.resource_arn = metric_filter.arn report.region = metric_filter.region report.status = "FAIL" report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated." diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py index b2e4237f..2d1995d2 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py @@ -31,6 +31,7 @@ class cloudwatch_changes_to_network_gateways_alarm_configured(Check): if metric_filter.log_group in log_groups: if re.search(pattern, metric_filter.pattern): report.resource_id = metric_filter.log_group + report.resource_arn = metric_filter.arn report.region = metric_filter.region report.status = "FAIL" report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated." diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py index 20140c7b..b8bee128 100644 
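Review bot: `report.resource_arn = metric_filter.arn` is added only inside the "no alarms associated" FAIL branch; the check's other outcomes (the PASS when an alarm is attached, and the default FAIL when no metric filter matches — both outside this hunk) are not touched, so whether their `resource_arn` gets a value cannot be confirmed from here — please verify, or the ARN column of those findings stays empty. The identical one-line addition at the same spot appears in the other fourteen cloudwatch_* checks that follow (network gateways, network route tables, VPCs, AWS Config and CloudTrail configuration changes, authentication failures, Organizations changes, KMS CMK disable/deletion, S3 bucket policy changes, policy changes, root usage, security group changes, sign-in without MFA, unauthorized API calls), and the same question applies to each of them. The `MetricFilter.arn` attribute these lines read is introduced further down in `cloudwatch_service.py`, so the checks depend on that hunk landing together with this one. The enclosing `execute` starts and ends outside the hunk.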
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py @@ -31,6 +31,7 @@ class cloudwatch_changes_to_network_route_tables_alarm_configured(Check): if metric_filter.log_group in log_groups: if re.search(pattern, metric_filter.pattern): report.resource_id = metric_filter.log_group + report.resource_arn = metric_filter.arn report.region = metric_filter.region report.status = "FAIL" report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated." diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py index b6b99201..bcd32328 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py @@ -31,6 +31,7 @@ class cloudwatch_changes_to_vpcs_alarm_configured(Check): if metric_filter.log_group in log_groups: if re.search(pattern, metric_filter.pattern): report.resource_id = metric_filter.log_group + report.resource_arn = metric_filter.arn report.region = metric_filter.region report.status = "FAIL" report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated." 
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py index dd3a09a2..aaf14ebc 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py @@ -33,6 +33,7 @@ class cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_change if metric_filter.log_group in log_groups: if re.search(pattern, metric_filter.pattern): report.resource_id = metric_filter.log_group + report.resource_arn = metric_filter.arn report.region = metric_filter.region report.status = "FAIL" report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated." diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py index c866192f..e6cf16d7 100644 
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py @@ -33,6 +33,7 @@ class cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_change if metric_filter.log_group in log_groups: if re.search(pattern, metric_filter.pattern): report.resource_id = metric_filter.log_group + report.resource_arn = metric_filter.arn report.region = metric_filter.region report.status = "FAIL" report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated." diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py index ec13c079..13e0cebb 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py 
@@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_authentication_failures(Check): if metric_filter.log_group in log_groups: if re.search(pattern, metric_filter.pattern): report.resource_id = metric_filter.log_group + report.resource_arn = metric_filter.arn report.region = metric_filter.region report.status = "FAIL" report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated." diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py index 6025d6bf..3f2ae96f 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py @@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_aws_organizations_changes(Check): if metric_filter.log_group in log_groups: if re.search(pattern, metric_filter.pattern): report.resource_id = metric_filter.log_group + report.resource_arn = metric_filter.arn report.region = metric_filter.region report.status = "FAIL" report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated." 
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py index cc43b762..afadb54a 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py @@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk(Chec if metric_filter.log_group in log_groups: if re.search(pattern, metric_filter.pattern): report.resource_id = metric_filter.log_group + report.resource_arn = metric_filter.arn report.region = metric_filter.region report.status = "FAIL" report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated." diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py index 7f5e5b53..1b07b210 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py 
@@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_for_s3_bucket_policy_changes(Check): if metric_filter.log_group in log_groups: if re.search(pattern, metric_filter.pattern): report.resource_id = metric_filter.log_group + report.resource_arn = metric_filter.arn report.region = metric_filter.region report.status = "FAIL" report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated." diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py index 75f48f83..57eff50e 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py @@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_policy_changes(Check): if metric_filter.log_group in log_groups: if re.search(pattern, metric_filter.pattern): report.resource_id = metric_filter.log_group + report.resource_arn = metric_filter.arn report.region = metric_filter.region report.status = "FAIL" report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated." diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py index e2c0ae40..7ac2e53d 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py 
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py @@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_root_usage(Check): if metric_filter.log_group in log_groups: if re.search(pattern, metric_filter.pattern): report.resource_id = metric_filter.log_group + report.resource_arn = metric_filter.arn report.region = metric_filter.region report.status = "FAIL" report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated." diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py index 2b0dc7be..4234657c 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py @@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_security_group_changes(Check): if metric_filter.log_group in log_groups: if re.search(pattern, metric_filter.pattern): report.resource_id = metric_filter.log_group + report.resource_arn = metric_filter.arn report.region = metric_filter.region report.status = "FAIL" report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated." 
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py index d523b2d6..905e95bd 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py @@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_sign_in_without_mfa(Check): if metric_filter.log_group in log_groups: if re.search(pattern, metric_filter.pattern): report.resource_id = metric_filter.log_group + report.resource_arn = metric_filter.arn report.region = metric_filter.region report.status = "FAIL" report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated." diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py index 1a611e23..1dc261dd 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py 
@@ -31,6 +31,7 @@ class cloudwatch_log_metric_filter_unauthorized_api_calls(Check): if metric_filter.log_group in log_groups: if re.search(pattern, metric_filter.pattern): report.resource_id = metric_filter.log_group + report.resource_arn = metric_filter.arn report.region = metric_filter.region report.status = "FAIL" report.status_extended = f"CloudWatch log group {metric_filter.log_group} found with metric filter {metric_filter.name} but no alarms associated." diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_service.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_service.py index 2366a262..4c4d25b5 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_service.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_service.py @@ -17,6 +17,7 @@ class CloudWatch: self.session = audit_info.audit_session self.audited_account = audit_info.audited_account self.audit_resources = audit_info.audit_resources + self.audited_partition = audit_info.audited_partition self.region = list( generate_regional_clients( self.service, audit_info, global_service=True @@ -89,6 +90,7 @@ class Logs: self.service = "logs" self.session = audit_info.audit_session self.audited_account = audit_info.audited_account + self.audited_partition = audit_info.audited_partition self.audit_resources = audit_info.audit_resources self.regional_clients = generate_regional_clients(self.service, audit_info) self.metric_filters = [] 
@@ -125,11 +127,13 @@ class Logs:
 )
 for page in describe_metric_filters_paginator.paginate():
 for filter in page["metricFilters"]:
+arn = f"arn:{self.audited_partition}:logs:{regional_client.region}:{self.audited_account}:metric-filter/{filter['filterName']}"
 if not self.audit_resources or (
-is_resource_filtered(filter["filterName"], self.audit_resources)
+is_resource_filtered(arn, self.audit_resources)
 ):
 self.metric_filters.append(
 MetricFilter(
+arn=arn,
 name=filter["filterName"],
 metric=filter["metricTransformations"][0]["metricName"],
 pattern=filter.get("filterPattern", ""),
@@ -237,6 +241,7 @@ class MetricAlarm(BaseModel):
 
 
 class MetricFilter(BaseModel):
+arn: str
 name: str
 metric: str
 pattern: str
diff --git a/prowler/providers/aws/services/dynamodb/dynamodb_service.py b/prowler/providers/aws/services/dynamodb/dynamodb_service.py
index c0e9223f..6a0b2f01 100644
--- a/prowler/providers/aws/services/dynamodb/dynamodb_service.py
+++ b/prowler/providers/aws/services/dynamodb/dynamodb_service.py
@@ -16,6 +16,7 @@ class DynamoDB:
 self.session = audit_info.audit_session
 self.audited_account = audit_info.audited_account
 self.audit_resources = audit_info.audit_resources
+self.audited_partition = audit_info.audited_partition
 self.regional_clients = generate_regional_clients(self.service, audit_info)
 self.tables = []
 self.__threading_call__(self.__list_tables__)
@@ -41,12 +42,13 @@ class DynamoDB:
 list_tables_paginator = regional_client.get_paginator("list_tables")
 for page in list_tables_paginator.paginate():
 for table in page["TableNames"]:
+arn = f"arn:{self.audited_partition}:dynamodb:{regional_client.region}:{self.audited_account}:table/{table}"
 if not self.audit_resources or (
-is_resource_filtered(table, self.audit_resources)
+is_resource_filtered(arn, self.audit_resources)
 ):
 self.tables.append(
 Table(
-arn="",
+arn=arn,
 name=table,
 encryption_type=None,
 kms_arn=None,
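Review bot: The metric-filter ARN built at the `+arn = ...` line in the `describe_metric_filters` hunk keys on `filter['filterName']` alone, but as far as I recall a metric filter name only has to be unique within its log group, so two filters with the same name in different log groups of one region collapse to the same ARN — `is_resource_filtered(arn, ...)` then admits both, and the findings that copy `metric_filter.arn` become indistinguishable. I do not believe CloudWatch Logs publishes an ARN resource type for metric filters at all, so this is a prowler-constructed identifier either way; if it stays, fold the log group in, e.g. `...:metric-filter/{filter['logGroupName']}/{filter['filterName']}` (`logGroupName` is part of each `describe_metric_filters` entry), and add a comment on the line such as `# synthetic identifier, not an AWS-issued ARN: Logs has no ARN type for metric filters` so nobody tries to use it in an IAM policy. The `filter` loop variable shadows the builtin, but that line predates this change. The enclosing method starts outside the hunk.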
@@ -66,7 +68,6 @@ class DynamoDB:
 properties = regional_client.describe_table(TableName=table.name)[
 "Table"
 ]
-table.arn = properties["TableArn"]
 if "SSEDescription" in properties:
 if "SSEType" in properties["SSEDescription"]:
 table.encryption_type = properties["SSEDescription"]["SSEType"]
diff --git a/prowler/providers/aws/services/eks/eks_service.py b/prowler/providers/aws/services/eks/eks_service.py
index af9ff849..ac501002 100644
--- a/prowler/providers/aws/services/eks/eks_service.py
+++ b/prowler/providers/aws/services/eks/eks_service.py
@@ -14,6 +14,8 @@ class EKS:
 self.service = "eks"
 self.session = audit_info.audit_session
 self.audit_resources = audit_info.audit_resources
+self.audited_partition = audit_info.audited_partition
+self.audited_account = audit_info.audited_account
 self.regional_clients = generate_regional_clients(self.service, audit_info)
 self.clusters = []
 self.__threading_call__(self.__list_clusters__)
@@ -37,11 +39,13 @@ class EKS:
 list_clusters_paginator = regional_client.get_paginator("list_clusters")
 for page in list_clusters_paginator.paginate():
 for cluster in page["clusters"]:
+arn = f"arn:{self.audited_partition}:eks:{regional_client.region}:{self.audited_account}:cluster/{cluster}"
 if not self.audit_resources or (
-is_resource_filtered(cluster, self.audit_resources)
+is_resource_filtered(arn, self.audit_resources)
 ):
 self.clusters.append(
 EKSCluster(
+arn=arn,
 name=cluster,
 region=regional_client.region,
 )
@@ -58,7 +62,6 @@ class EKS:
 for cluster in self.clusters:
 regional_client = regional_clients[cluster.region]
 describe_cluster = regional_client.describe_cluster(name=cluster.name)
-cluster.arn = describe_cluster["cluster"]["arn"]
 if "logging" in describe_cluster["cluster"]:
 cluster.logging = EKSClusterLoggingEntity(
 types=describe_cluster["cluster"]["logging"]["clusterLogging"][
@@ -106,7 +109,7 @@ class EKSClusterLoggingEntity(BaseModel):
 
 class EKSCluster(BaseModel):
 name: str
-arn: str = None
+arn: str
 region: str
 logging: EKSClusterLoggingEntity = None
 endpoint_public_access: bool = None
diff --git a/prowler/providers/aws/services/glue/glue_database_connections_ssl_enabled/glue_database_connections_ssl_enabled.py b/prowler/providers/aws/services/glue/glue_database_connections_ssl_enabled/glue_database_connections_ssl_enabled.py
index 1d395ce1..67cd3e5e 100644
--- a/prowler/providers/aws/services/glue/glue_database_connections_ssl_enabled/glue_database_connections_ssl_enabled.py
+++ b/prowler/providers/aws/services/glue/glue_database_connections_ssl_enabled/glue_database_connections_ssl_enabled.py
@@ -8,6 +8,7 @@ class glue_database_connections_ssl_enabled(Check):
 for conn in glue_client.connections:
 report = Check_Report_AWS(self.metadata())
 report.resource_id = conn.name
+report.resource_arn = conn.arn
 report.region = conn.region
 report.status = "FAIL"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/glue/glue_development_endpoints_cloudwatch_logs_encryption_enabled/glue_development_endpoints_cloudwatch_logs_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_development_endpoints_cloudwatch_logs_encryption_enabled/glue_development_endpoints_cloudwatch_logs_encryption_enabled.py
index fea42b06..4b92fc80 100644
--- a/prowler/providers/aws/services/glue/glue_development_endpoints_cloudwatch_logs_encryption_enabled/glue_development_endpoints_cloudwatch_logs_encryption_enabled.py
+++ b/prowler/providers/aws/services/glue/glue_development_endpoints_cloudwatch_logs_encryption_enabled/glue_development_endpoints_cloudwatch_logs_encryption_enabled.py
@@ -9,6 +9,7 @@ class glue_development_endpoints_cloudwatch_logs_encryption_enabled(Check): no_sec_configs = True report = Check_Report_AWS(self.metadata()) report.resource_id = endpoint.name + report.resource_arn = endpoint.arn report.region = endpoint.region for sec_config in glue_client.security_configs: if sec_config.name == endpoint.security: diff --git a/prowler/providers/aws/services/glue/glue_development_endpoints_job_bookmark_encryption_enabled/glue_development_endpoints_job_bookmark_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_development_endpoints_job_bookmark_encryption_enabled/glue_development_endpoints_job_bookmark_encryption_enabled.py index a1cb18cf..a115294d 100644 --- a/prowler/providers/aws/services/glue/glue_development_endpoints_job_bookmark_encryption_enabled/glue_development_endpoints_job_bookmark_encryption_enabled.py +++ b/prowler/providers/aws/services/glue/glue_development_endpoints_job_bookmark_encryption_enabled/glue_development_endpoints_job_bookmark_encryption_enabled.py @@ -9,6 +9,7 @@ class glue_development_endpoints_job_bookmark_encryption_enabled(Check): no_sec_configs = True report = Check_Report_AWS(self.metadata()) report.resource_id = endpoint.name + report.resource_arn = endpoint.arn report.region = endpoint.region for sec_config in glue_client.security_configs: if sec_config.name == endpoint.security: diff --git a/prowler/providers/aws/services/glue/glue_development_endpoints_s3_encryption_enabled/glue_development_endpoints_s3_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_development_endpoints_s3_encryption_enabled/glue_development_endpoints_s3_encryption_enabled.py index 3b95c575..fe328520 100644 --- a/prowler/providers/aws/services/glue/glue_development_endpoints_s3_encryption_enabled/glue_development_endpoints_s3_encryption_enabled.py +++ b/prowler/providers/aws/services/glue/glue_development_endpoints_s3_encryption_enabled/glue_development_endpoints_s3_encryption_enabled.py 
@@ -9,6 +9,7 @@ class glue_development_endpoints_s3_encryption_enabled(Check): no_sec_configs = True report = Check_Report_AWS(self.metadata()) report.resource_id = endpoint.name + report.resource_arn = endpoint.arn report.region = endpoint.region for sec_config in glue_client.security_configs: if sec_config.name == endpoint.security: diff --git a/prowler/providers/aws/services/glue/glue_etl_jobs_amazon_s3_encryption_enabled/glue_etl_jobs_amazon_s3_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_etl_jobs_amazon_s3_encryption_enabled/glue_etl_jobs_amazon_s3_encryption_enabled.py index feee1b90..37f298e3 100644 --- a/prowler/providers/aws/services/glue/glue_etl_jobs_amazon_s3_encryption_enabled/glue_etl_jobs_amazon_s3_encryption_enabled.py +++ b/prowler/providers/aws/services/glue/glue_etl_jobs_amazon_s3_encryption_enabled/glue_etl_jobs_amazon_s3_encryption_enabled.py @@ -9,6 +9,7 @@ class glue_etl_jobs_amazon_s3_encryption_enabled(Check): no_sec_configs = True report = Check_Report_AWS(self.metadata()) report.resource_id = job.name + report.resource_arn = job.arn report.region = job.region for sec_config in glue_client.security_configs: if sec_config.name == job.security: diff --git a/prowler/providers/aws/services/glue/glue_etl_jobs_cloudwatch_logs_encryption_enabled/glue_etl_jobs_cloudwatch_logs_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_etl_jobs_cloudwatch_logs_encryption_enabled/glue_etl_jobs_cloudwatch_logs_encryption_enabled.py index 5934fbbc..c1c31687 100644 --- a/prowler/providers/aws/services/glue/glue_etl_jobs_cloudwatch_logs_encryption_enabled/glue_etl_jobs_cloudwatch_logs_encryption_enabled.py +++ b/prowler/providers/aws/services/glue/glue_etl_jobs_cloudwatch_logs_encryption_enabled/glue_etl_jobs_cloudwatch_logs_encryption_enabled.py 
@@ -9,6 +9,7 @@ class glue_etl_jobs_cloudwatch_logs_encryption_enabled(Check):
 no_sec_configs = True
 report = Check_Report_AWS(self.metadata())
 report.resource_id = job.name
+report.resource_arn = job.arn
 report.region = job.region
 for sec_config in glue_client.security_configs:
 if sec_config.name == job.security:
diff --git a/prowler/providers/aws/services/glue/glue_etl_jobs_job_bookmark_encryption_enabled/glue_etl_jobs_job_bookmark_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_etl_jobs_job_bookmark_encryption_enabled/glue_etl_jobs_job_bookmark_encryption_enabled.py
index b52c75ce..6bba16eb 100644
--- a/prowler/providers/aws/services/glue/glue_etl_jobs_job_bookmark_encryption_enabled/glue_etl_jobs_job_bookmark_encryption_enabled.py
+++ b/prowler/providers/aws/services/glue/glue_etl_jobs_job_bookmark_encryption_enabled/glue_etl_jobs_job_bookmark_encryption_enabled.py
@@ -9,6 +9,7 @@ class glue_etl_jobs_job_bookmark_encryption_enabled(Check):
 no_sec_configs = True
 report = Check_Report_AWS(self.metadata())
 report.resource_id = job.name
+report.resource_arn = job.arn
 report.region = job.region
 for sec_config in glue_client.security_configs:
 if sec_config.name == job.security:
diff --git a/prowler/providers/aws/services/glue/glue_service.py b/prowler/providers/aws/services/glue/glue_service.py
index 521286e7..98aa3f75 100644
--- a/prowler/providers/aws/services/glue/glue_service.py
+++ b/prowler/providers/aws/services/glue/glue_service.py
@@ -15,6 +15,7 @@ class Glue:
 self.session = audit_info.audit_session
 self.audited_account = audit_info.audited_account
 self.audit_resources = audit_info.audit_resources
+self.audited_partition = audit_info.audited_account
 self.regional_clients = generate_regional_clients(self.service, audit_info)
 self.connections = []
 self.__threading_call__(self.__get_connections__)
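Review bot: `self.audited_partition = audit_info.audited_account` in `Glue.__init__` stores the account id in the partition slot, so every Glue ARN built from it in the connection, dev-endpoint, job and table hunks of this file comes out as `arn:<account>:glue:<region>:<account>:…`. That silently breaks `is_resource_filtered` for anyone passing a real Glue ARN through `audit_resources` and writes a malformed `resource_arn` into every Glue finding, which downstream consumers keying on ARNs will not recognise. The line should read `self.audited_partition = audit_info.audited_partition`, matching how EKS, OpenSearch, Redshift, SQS and WorkSpaces set it in this same commit. `Glue.__init__` continues outside the hunk.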
@@ -47,11 +48,13 @@ class Glue: get_connections_paginator = regional_client.get_paginator("get_connections") for page in get_connections_paginator.paginate(): for conn in page["ConnectionList"]: + arn = f"arn:{self.audited_partition}:glue:{regional_client.region}:{self.audited_account}:connection/{conn['Name']}" if not self.audit_resources or ( - is_resource_filtered(conn["Name"], self.audit_resources) + is_resource_filtered(arn, self.audit_resources) ): self.connections.append( Connection( + arn=arn, name=conn["Name"], type=conn["ConnectionType"], properties=conn["ConnectionProperties"], @@ -71,13 +74,13 @@ class Glue: ) for page in get_dev_endpoints_paginator.paginate(): for endpoint in page["DevEndpoints"]: + arn = f"arn:{self.audited_partition}:glue:{regional_client.region}:{self.audited_account}:devEndpoint/{endpoint['EndpointName']}" if not self.audit_resources or ( - is_resource_filtered( - endpoint["EndpointName"], self.audit_resources - ) + is_resource_filtered(arn, self.audit_resources) ): self.dev_endpoints.append( DevEndpoint( + arn=arn, name=endpoint["EndpointName"], security=endpoint.get("SecurityConfiguration"), region=regional_client.region, @@ -94,12 +97,14 @@ class Glue: get_jobs_paginator = regional_client.get_paginator("get_jobs") for page in get_jobs_paginator.paginate(): for job in page["Jobs"]: + arn = f"arn:{self.audited_partition}:glue:{regional_client.region}:{self.audited_account}:job/{job['Name']}" if not self.audit_resources or ( - is_resource_filtered(job["Name"], self.audit_resources) + is_resource_filtered(arn, self.audit_resources) ): self.jobs.append( Job( name=job["Name"], + arn=arn, security=job.get("SecurityConfiguration"), arguments=job.get("DefaultArguments"), region=regional_client.region, 
@@ -154,11 +159,13 @@ class Glue: logger.info("Glue - Search Tables...") try: for table in regional_client.search_tables()["TableList"]: + arn = f"arn:{self.audited_partition}:glue:{regional_client.region}:{self.audited_account}:table/{table['DatabaseName']}/{table['Name']}" if not self.audit_resources or ( - is_resource_filtered(table["Name"], self.audit_resources) + is_resource_filtered(arn, self.audit_resources) ): self.tables.append( Table( + arn=arn, name=table["Name"], database=table["DatabaseName"], catalog=table["CatalogId"], @@ -197,6 +204,7 @@ class Glue: class Connection(BaseModel): name: str + arn: str type: str properties: dict region: str @@ -204,6 +212,7 @@ class Connection(BaseModel): class Table(BaseModel): name: str + arn: str database: str catalog: Optional[str] region: str @@ -219,11 +228,13 @@ class CatalogEncryptionSetting(BaseModel): class DevEndpoint(BaseModel): name: str + arn: str security: Optional[str] region: str class Job(BaseModel): + arn: str name: str security: Optional[str] arguments: Optional[dict] diff --git a/prowler/providers/aws/services/guardduty/guardduty_service.py b/prowler/providers/aws/services/guardduty/guardduty_service.py index 104c704f..79fa12ad 100644 --- a/prowler/providers/aws/services/guardduty/guardduty_service.py +++ b/prowler/providers/aws/services/guardduty/guardduty_service.py 
@@ -43,10 +43,10 @@ class GuardDuty: list_detectors_paginator = regional_client.get_paginator("list_detectors") for page in list_detectors_paginator.paginate(): for detector in page["DetectorIds"]: + arn = f"arn:{self.audited_partition}:guardduty:{regional_client.region}:{self.audited_account}:detector/{detector}" if not self.audit_resources or ( - is_resource_filtered(detector, self.audit_resources) + is_resource_filtered(arn, self.audit_resources) ): - arn = f"arn:{self.audited_partition}:guardduty:{regional_client.region}:{self.audited_account}:detector/{detector}" self.detectors.append( Detector( id=detector, arn=arn, region=regional_client.region diff --git a/prowler/providers/aws/services/inspector2/inspector2_service.py b/prowler/providers/aws/services/inspector2/inspector2_service.py index 9fb5ff43..69e410df 100644 --- a/prowler/providers/aws/services/inspector2/inspector2_service.py +++ b/prowler/providers/aws/services/inspector2/inspector2_service.py @@ -70,11 +70,13 @@ class Inspector2: for page in list_findings_paginator.paginate(): for finding in page["findings"]: if not self.audit_resources or ( - is_resource_filtered(finding, self.audit_resources) + is_resource_filtered( + finding["findingArn"], self.audit_resources + ) ): inspector.findings.append( InspectorFinding( - arn=finding.get("findingArn"), + arn=finding["findingArn"], region=regional_client.region, severity=finding.get("severity"), status=finding.get("status"), diff --git a/prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.py b/prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.py index 9e80a0ff..c9b4624b 100644 --- a/prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.py +++ b/prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.py 
@@ -12,7 +12,7 @@ class networkfirewall_in_all_vpc(Check):
 report = Check_Report_AWS(self.metadata())
 report.region = vpc.region
 report.resource_id = vpc.id
-report.resource_arn = ""
+report.resource_arn = vpc.arn
 report.resource_tags = vpc.tags
 report.status = "FAIL"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/opensearch/opensearch_service.py b/prowler/providers/aws/services/opensearch/opensearch_service.py
index ba2710fe..14d2839a 100644
--- a/prowler/providers/aws/services/opensearch/opensearch_service.py
+++ b/prowler/providers/aws/services/opensearch/opensearch_service.py
@@ -15,6 +15,8 @@ class OpenSearchService:
 self.service = "opensearch"
 self.session = audit_info.audit_session
 self.audit_resources = audit_info.audit_resources
+self.audited_partition = audit_info.audited_partition
+self.audited_account = audit_info.audited_account
 self.regional_clients = generate_regional_clients(self.service, audit_info)
 self.opensearch_domains = []
 self.__threading_call__(self.__list_domain_names__)
@@ -39,12 +41,15 @@ class OpenSearchService:
 try:
 domains = regional_client.list_domain_names()
 for domain in domains["DomainNames"]:
+arn = f"arn:{self.audited_partition}:opensearch:{regional_client.region}:{self.audited_account}:domain/{domain['DomainName']}"
 if not self.audit_resources or (
-is_resource_filtered(domain["DomainName"], self.audit_resources)
+is_resource_filtered(arn, self.audit_resources)
 ):
 self.opensearch_domains.append(
 OpenSearchDomain(
-name=domain["DomainName"], region=regional_client.region
+arn=arn,
+name=domain["DomainName"],
+region=regional_client.region,
 )
 )
 except Exception as error:
diff --git a/prowler/providers/aws/services/rds/rds_service.py b/prowler/providers/aws/services/rds/rds_service.py
index 915fc52d..f0383eeb 100644
--- a/prowler/providers/aws/services/rds/rds_service.py
+++ b/prowler/providers/aws/services/rds/rds_service.py
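Review bot: The OpenSearch `__list_domain_names__` hunk builds `arn = f"arn:{self.audited_partition}:opensearch:…:domain/{domain['DomainName']}"`, but the ARN AWS itself attaches to OpenSearch Service domains uses the `es` service namespace (`arn:<partition>:es:<region>:<account>:domain/<name>`), so a real domain ARN supplied through `audit_resources` would not match and findings would carry an ARN that does not correspond to the resource in IAM policies or Config. Unless the project has deliberately chosen the `opensearch` label, the safer line is `arn = f"arn:{self.audited_partition}:es:{regional_client.region}:{self.audited_account}:domain/{domain['DomainName']}"`, or taking the `ARN` field from the domain describe call the service presumably makes later. The method continues past the end of the hunk.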
@@ -52,16 +52,15 @@ class RDS: ) for page in describe_db_instances_paginator.paginate(): for instance in page["DBInstances"]: + arn = f"arn:{self.audited_partition}:rds:{regional_client.region}:{self.audited_account}:db:{instance['DBInstanceIdentifier']}" if not self.audit_resources or ( - is_resource_filtered( - instance["DBInstanceIdentifier"], self.audit_resources - ) + is_resource_filtered(arn, self.audit_resources) ): if instance["Engine"] != "docdb": self.db_instances.append( DBInstance( id=instance["DBInstanceIdentifier"], - arn=f"arn:{self.audited_partition}:rds:{regional_client.region}:{self.audited_account}:db:{instance['DBInstanceIdentifier']}", + arn=arn, endpoint=instance.get("Endpoint"), engine=instance["Engine"], engine_version=instance["EngineVersion"], @@ -125,16 +124,15 @@ class RDS: ) for page in describe_db_snapshots_paginator.paginate(): for snapshot in page["DBSnapshots"]: + arn = f"arn:{self.audited_partition}:rds:{regional_client.region}:{self.audited_account}:snapshot:{snapshot['DBSnapshotIdentifier']}" if not self.audit_resources or ( - is_resource_filtered( - snapshot["DBSnapshotIdentifier"], self.audit_resources - ) + is_resource_filtered(arn, self.audit_resources) ): if snapshot["Engine"] != "docdb": self.db_snapshots.append( DBSnapshot( id=snapshot["DBSnapshotIdentifier"], - arn=f"arn:{self.audited_partition}:rds:{regional_client.region}:{self.audited_account}:snapshot:{snapshot['DBSnapshotIdentifier']}", + arn=arn, instance_id=snapshot["DBInstanceIdentifier"], region=regional_client.region, tags=snapshot.get("TagList", []), 
@@ -175,13 +173,11 @@ class RDS: ) for page in describe_db_clusters_paginator.paginate(): for cluster in page["DBClusters"]: + db_cluster_arn = f"arn:{self.audited_partition}:rds:{regional_client.region}:{self.audited_account}:cluster:{cluster['DBClusterIdentifier']}" if not self.audit_resources or ( - is_resource_filtered( - cluster["DBClusterIdentifier"], self.audit_resources - ) + is_resource_filtered(db_cluster_arn, self.audit_resources) ): if cluster["Engine"] != "docdb": - db_cluster_arn = f"arn:{self.audited_partition}:rds:{regional_client.region}:{self.audited_account}:cluster:{cluster['DBClusterIdentifier']}" db_cluster = DBCluster( id=cluster["DBClusterIdentifier"], arn=db_cluster_arn, @@ -220,9 +216,10 @@ class RDS: ) for page in describe_db_snapshots_paginator.paginate(): for snapshot in page["DBClusterSnapshots"]: + arn = f"arn:{self.audited_partition}:rds:{regional_client.region}:{self.audited_account}:cluster-snapshot:{snapshot['DBClusterSnapshotIdentifier']}" if not self.audit_resources or ( is_resource_filtered( - snapshot["DBClusterSnapshotIdentifier"], + arn, self.audit_resources, ) ): @@ -230,7 +227,7 @@ class RDS: self.db_cluster_snapshots.append( ClusterSnapshot( id=snapshot["DBClusterSnapshotIdentifier"], - arn=f"arn:{self.audited_partition}:rds:{regional_client.region}:{self.audited_account}:cluster-snapshot:{snapshot['DBClusterSnapshotIdentifier']}", + arn=arn, cluster_id=snapshot["DBClusterIdentifier"], region=regional_client.region, tags=snapshot.get("TagList", []), diff --git a/prowler/providers/aws/services/redshift/redshift_service.py b/prowler/providers/aws/services/redshift/redshift_service.py index b88af24f..82d15555 100644 --- a/prowler/providers/aws/services/redshift/redshift_service.py +++ b/prowler/providers/aws/services/redshift/redshift_service.py 
@@ -14,6 +14,8 @@ class Redshift: self.service = "redshift" self.session = audit_info.audit_session self.audit_resources = audit_info.audit_resources + self.audited_partition = audit_info.audited_partition + self.audited_account = audit_info.audited_account self.regional_clients = generate_regional_clients(self.service, audit_info) self.clusters = [] self.__threading_call__(self.__describe_clusters__) @@ -38,12 +40,12 @@ class Redshift: list_clusters_paginator = regional_client.get_paginator("describe_clusters") for page in list_clusters_paginator.paginate(): for cluster in page["Clusters"]: + arn = f"arn:{self.audited_partition}:redshift:{regional_client.region}:{self.audited_account}:cluster:{cluster['ClusterIdentifier']}" if not self.audit_resources or ( - is_resource_filtered( - cluster["ClusterIdentifier"], self.audit_resources - ) + is_resource_filtered(arn, self.audit_resources) ): cluster_to_append = Cluster( + arn=arn, id=cluster["ClusterIdentifier"], region=regional_client.region, tags=cluster.get("Tags"), diff --git a/prowler/providers/aws/services/sqs/sqs_service.py b/prowler/providers/aws/services/sqs/sqs_service.py index 79f7a551..402e222d 100644 --- a/prowler/providers/aws/services/sqs/sqs_service.py +++ b/prowler/providers/aws/services/sqs/sqs_service.py @@ -15,6 +15,8 @@ class SQS: self.service = "sqs" self.session = audit_info.audit_session self.audit_resources = audit_info.audit_resources + self.audited_account = audit_info.audited_account + self.audited_partition = audit_info.audited_partition self.regional_clients = generate_regional_clients(self.service, audit_info) self.queues = [] self.__threading_call__(self.__list_queues__) 
@@ -40,11 +42,13 @@ class SQS:
 for page in list_queues_paginator.paginate():
 if "QueueUrls" in page:
 for queue in page["QueueUrls"]:
+arn = f"arn:{self.audited_partition}:sqs:{regional_client.region}:{self.audited_account}:{queue}"
 if not self.audit_resources or (
-is_resource_filtered(queue, self.audit_resources)
+is_resource_filtered(arn, self.audit_resources)
 ):
 self.queues.append(
 Queue(
+arn=arn,
 id=queue,
 region=regional_client.region,
 )
@@ -98,7 +102,7 @@ class SQS:
 
 class Queue(BaseModel):
 id: str
-arn: str = ""
+arn: str
 region: str
 policy: dict = None
 kms_key_id: str = None
diff --git a/prowler/providers/aws/services/ssm/ssm_service.py b/prowler/providers/aws/services/ssm/ssm_service.py
index f8568948..4ddb8a06 100644
--- a/prowler/providers/aws/services/ssm/ssm_service.py
+++ b/prowler/providers/aws/services/ssm/ssm_service.py
@@ -58,11 +58,11 @@ class SSM:
 list_documents_paginator = regional_client.get_paginator("list_documents")
 for page in list_documents_paginator.paginate(**list_documents_parameters):
 for document in page["DocumentIdentifiers"]:
+document_name = document["Name"]
+document_arn = f"arn:{self.audited_partition}:ssm:{regional_client.region}:{self.audited_account}:document/{document_name}"
 if not self.audit_resources or (
-is_resource_filtered(document["Name"], self.audit_resources)
+is_resource_filtered(document_arn, self.audit_resources)
 ):
-document_name = document["Name"]
-document_arn = f"arn:{self.audited_partition}:ssm:{regional_client.region}:{self.audited_account}:document/{document_name}"
 # We must use the Document ARN as the dict key to have unique keys
 self.documents[document_arn] = Document(
 arn=document_arn,
diff --git a/prowler/providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries.py b/prowler/providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries.py
index 8bdc58a3..99ff5ce3 100644
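Review bot: In the SQS `__list_queues__` hunk `queue` is an element of `page["QueueUrls"]`, i.e. a queue URL, so `arn = f"arn:{self.audited_partition}:sqs:{regional_client.region}:{self.audited_account}:{queue}"` ends in a full URL rather than the queue name and will never match a real SQS ARN supplied through `audit_resources`. The queue name is the last path segment of the URL, so `queue_name = queue.rsplit("/", 1)[-1]` followed by `arn = f"arn:{self.audited_partition}:sqs:{regional_client.region}:{self.audited_account}:{queue_name}"` would yield the canonical form; reading `QueueArn` from `get_queue_attributes` would be the authoritative alternative if the service already calls it elsewhere. Because `Queue.arn` becomes a required field in the same file, the malformed value is now stored on every queue rather than left empty. The enclosing loop starts outside the hunk.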
--- a/prowler/providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries.py +++ b/prowler/providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries.py @@ -18,6 +18,7 @@ class vpc_endpoint_connections_trust_boundaries(Check): report.status = "FAIL" report.status_extended = f"VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id} has full access." report.resource_id = endpoint.id + report.resource_arn = endpoint.arn report.resource_tags = endpoint.tags findings.append(report) break @@ -34,6 +35,7 @@ class vpc_endpoint_connections_trust_boundaries(Check): report.status = "FAIL" report.status_extended = f"VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id} has full access." report.resource_id = endpoint.id + report.resource_arn = endpoint.arn report.resource_tags = endpoint.tags else: account_id = principal_arn.split(":")[4] @@ -44,11 +46,13 @@ class vpc_endpoint_connections_trust_boundaries(Check): report.status = "PASS" report.status_extended = f"Found trusted account {account_id} in VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id}." report.resource_id = endpoint.id + report.resource_arn = endpoint.arn report.resource_tags = endpoint.tags else: report.status = "FAIL" report.status_extended = f"Found untrusted account {account_id} in VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id}." report.resource_id = endpoint.id + report.resource_arn = endpoint.arn report.resource_tags = endpoint.tags findings.append(report) diff --git a/prowler/providers/aws/services/vpc/vpc_endpoint_services_allowed_principals_trust_boundaries/vpc_endpoint_services_allowed_principals_trust_boundaries.py b/prowler/providers/aws/services/vpc/vpc_endpoint_services_allowed_principals_trust_boundaries/vpc_endpoint_services_allowed_principals_trust_boundaries.py index 737fa3e4..33526b24 100644 
--- a/prowler/providers/aws/services/vpc/vpc_endpoint_services_allowed_principals_trust_boundaries/vpc_endpoint_services_allowed_principals_trust_boundaries.py +++ b/prowler/providers/aws/services/vpc/vpc_endpoint_services_allowed_principals_trust_boundaries/vpc_endpoint_services_allowed_principals_trust_boundaries.py @@ -17,6 +17,7 @@ class vpc_endpoint_services_allowed_principals_trust_boundaries(Check): f"VPC Endpoint Service {service.id} has no allowed principals." ) report.resource_id = service.id + report.resource_arn = service.arn report.resource_tags = service.tags findings.append(report) else: @@ -31,11 +32,13 @@ class vpc_endpoint_services_allowed_principals_trust_boundaries(Check): report.status = "PASS" report.status_extended = f"Found trusted account {account_id} in VPC Endpoint Service {service.id}." report.resource_id = service.id + report.resource_arn = service.arn report.resource_tags = service.tags else: report.status = "FAIL" report.status_extended = f"Found untrusted account {account_id} in VPC Endpoint Service {service.id}." report.resource_id = service.id + report.resource_arn = service.arn report.resource_tags = service.tags findings.append(report) diff --git a/prowler/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py b/prowler/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py index da2c8f62..32a9282a 100644 --- a/prowler/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py +++ b/prowler/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py 
@@ -9,14 +9,14 @@ class vpc_flow_logs_enabled(Check): report = Check_Report_AWS(self.metadata()) report.region = vpc.region report.resource_tags = vpc.tags + report.resource_id = vpc.id + report.resource_arn = vpc.arn + report.status = "FAIL" + report.status_extended = f"VPC {vpc.id} Flow logs are disabled." if vpc.flow_log: report.status = "PASS" report.status_extended = f"VPC {vpc.id} Flow logs are enabled." - report.resource_id = vpc.id - else: - report.status = "FAIL" - report.status_extended = f"VPC {vpc.id} Flow logs are disabled." - report.resource_id = vpc.id + findings.append(report) return findings diff --git a/prowler/providers/aws/services/vpc/vpc_peering_routing_tables_with_least_privilege/vpc_peering_routing_tables_with_least_privilege.py b/prowler/providers/aws/services/vpc/vpc_peering_routing_tables_with_least_privilege/vpc_peering_routing_tables_with_least_privilege.py index d283cd3d..a03e4d42 100644 --- a/prowler/providers/aws/services/vpc/vpc_peering_routing_tables_with_least_privilege/vpc_peering_routing_tables_with_least_privilege.py +++ b/prowler/providers/aws/services/vpc/vpc_peering_routing_tables_with_least_privilege/vpc_peering_routing_tables_with_least_privilege.py @@ -9,6 +9,12 @@ class vpc_peering_routing_tables_with_least_privilege(Check): report = Check_Report_AWS(self.metadata()) report.region = peer.region report.resource_tags = peer.tags + report.resource_id = peer.id + report.resource_arn = peer.arn + report.status = "PASS" + report.status_extended = ( + f"VPC Peering Connection {peer.id} comply with least privilege access." + ) comply = True # Check each cidr in the peering route table for route_table in peer.route_tables: 
@@ -22,11 +28,7 @@ class vpc_peering_routing_tables_with_least_privilege(Check): if not comply: report.status = "FAIL" report.status_extended = f"VPC Peering Connection {peer.id} does not comply with least privilege access since it accepts whole VPCs CIDR in its route tables." - report.resource_id = peer.id - else: - report.status = "PASS" - report.status_extended = f"VPC Peering Connection {peer.id} comply with least privilege access." - report.resource_id = peer.id + findings.append(report) return findings diff --git a/prowler/providers/aws/services/vpc/vpc_service.py b/prowler/providers/aws/services/vpc/vpc_service.py index 0f3cd7b8..d9f03ea5 100644 --- a/prowler/providers/aws/services/vpc/vpc_service.py +++ b/prowler/providers/aws/services/vpc/vpc_service.py @@ -16,6 +16,7 @@ class VPC: self.session = audit_info.audit_session self.audited_account = audit_info.audited_account self.audit_resources = audit_info.audit_resources + self.audited_partition = audit_info.audited_partition self.regional_clients = generate_regional_clients(self.service, audit_info) self.vpcs = {} self.vpc_peering_connections = [] @@ -54,10 +55,12 @@ class VPC: describe_vpcs_paginator = regional_client.get_paginator("describe_vpcs") for page in describe_vpcs_paginator.paginate(): for vpc in page["Vpcs"]: + arn = f"arn:{self.audited_partition}:ec2:{regional_client.region}:{self.audited_account}:vpc/{vpc['VpcId']}" if not self.audit_resources or ( - is_resource_filtered(vpc["VpcId"], self.audit_resources) + is_resource_filtered(arn, self.audit_resources) ): self.vpcs[vpc["VpcId"]] = VPCs( + arn=arn, id=vpc["VpcId"], default=vpc["IsDefault"], cidr_block=vpc["CidrBlock"], 
@@ -77,14 +80,14 @@ class VPC: ) for page in describe_vpc_peering_connections_paginator.paginate(): for conn in page["VpcPeeringConnections"]: + arn = f"arn:{self.audited_partition}:ec2:{regional_client.region}:{self.audited_account}:vpc-peering-connection/{conn['VpcPeeringConnectionId']}" if not self.audit_resources or ( - is_resource_filtered( - conn["VpcPeeringConnectionId"], self.audit_resources - ) + is_resource_filtered(arn, self.audit_resources) ): conn["AccepterVpcInfo"]["CidrBlock"] = None self.vpc_peering_connections.append( VpcPeeringConnection( + arn=arn, id=conn["VpcPeeringConnectionId"], accepter_vpc=conn["AccepterVpcInfo"]["VpcId"], accepter_cidr=conn["AccepterVpcInfo"].get("CidrBlock"), @@ -166,16 +169,16 @@ class VPC: ) for page in describe_vpc_endpoints_paginator.paginate(): for endpoint in page["VpcEndpoints"]: + arn = f"arn:{self.audited_partition}:ec2:{regional_client.region}:{self.audited_account}:vpc-endpoint/{endpoint['VpcEndpointId']}" if not self.audit_resources or ( - is_resource_filtered( - endpoint["VpcEndpointId"], self.audit_resources - ) + is_resource_filtered(arn, self.audit_resources) ): endpoint_policy = None if endpoint.get("PolicyDocument"): endpoint_policy = json.loads(endpoint["PolicyDocument"]) self.vpc_endpoints.append( VpcEndpoint( + arn=arn, id=endpoint["VpcEndpointId"], vpc_id=endpoint["VpcId"], state=endpoint["State"], 
@@ -199,13 +202,13 @@ class VPC: for page in describe_vpc_endpoint_services_paginator.paginate(): for endpoint in page["ServiceDetails"]: if endpoint["Owner"] != "amazon": + arn = f"arn:{self.audited_partition}:ec2:{regional_client.region}:{self.audited_account}:vpc-endpoint-service/{endpoint['ServiceId']}" if not self.audit_resources or ( - is_resource_filtered( - endpoint["ServiceId"], self.audit_resources - ) + is_resource_filtered(arn, self.audit_resources) ): self.vpc_endpoint_services.append( VpcEndpointService( + arn=arn, id=endpoint["ServiceId"], service=endpoint["ServiceName"], owner_id=endpoint["Owner"], @@ -245,7 +248,7 @@ class VPC: for page in describe_subnets_paginator.paginate(): for subnet in page["Subnets"]: if not self.audit_resources or ( - is_resource_filtered(subnet["SubnetId"], self.audit_resources) + is_resource_filtered(subnet["SubnetArn"], self.audit_resources) ): try: # Check the route table associated with the subnet to see if it's public @@ -285,6 +288,7 @@ class VPC: nat_gateway = True # Add it to to list of vpc_subnets and to the VPC object object = VpcSubnet( + arn=subnet["SubnetArn"], id=subnet["SubnetId"], default=subnet["DefaultForAz"], vpc_id=subnet["VpcId"], @@ -312,6 +316,7 @@ class VPC: class VpcSubnet(BaseModel): + arn: str id: str default: bool vpc_id: str @@ -325,6 +330,7 @@ class VpcSubnet(BaseModel): class VPCs(BaseModel): + arn: str id: str default: bool cidr_block: str @@ -340,6 +346,7 @@ class Route(BaseModel): class VpcPeeringConnection(BaseModel): + arn: str id: str accepter_vpc: str accepter_cidr: Optional[str] @@ -351,6 +358,7 @@ class VpcPeeringConnection(BaseModel): class VpcEndpoint(BaseModel): + arn: str id: str vpc_id: str state: str @@ -361,6 +369,7 @@ class VpcEndpoint(BaseModel): class VpcEndpointService(BaseModel): + arn: str id: str service: str owner_id: str 
diff --git a/prowler/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az.py b/prowler/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az.py index 395bafcd..d0f58a57 100644 --- a/prowler/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az.py +++ b/prowler/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az.py @@ -12,6 +12,7 @@ class vpc_subnet_different_az(Check): report.status = "FAIL" report.status_extended = f"VPC {vpc.id} has no subnets." report.resource_id = vpc.id + report.resource_arn = vpc.arn if vpc.subnets: availability_zone = None for subnet in vpc.subnets: diff --git a/prowler/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default.py b/prowler/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default.py index 97cd659d..0f61e4f1 100644 --- a/prowler/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default.py +++ b/prowler/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default.py @@ -11,7 +11,7 @@ class vpc_subnet_no_public_ip_by_default(Check): report.region = subnet.region report.resource_tags = subnet.tags report.resource_id = subnet.id - + report.resource_arn = subnet.arn if subnet.mapPublicIpOnLaunch: report.status = "FAIL" report.status_extended = ( diff --git a/prowler/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public.py b/prowler/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public.py index e920de0e..2b465574 100644 --- a/prowler/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public.py +++ b/prowler/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public.py 
@@ -12,6 +12,7 @@ class vpc_subnet_separate_private_public(Check):
 report.status = "FAIL"
 report.status_extended = f"VPC {vpc.id} has no subnets."
 report.resource_id = vpc.id
+ report.resource_arn = vpc.arn
 if vpc.subnets:
 public = False
 private = False
diff --git a/prowler/providers/aws/services/workspaces/workspaces_service.py b/prowler/providers/aws/services/workspaces/workspaces_service.py
index 610d61d8..d4202433 100644
--- a/prowler/providers/aws/services/workspaces/workspaces_service.py
+++ b/prowler/providers/aws/services/workspaces/workspaces_service.py
@@ -14,6 +14,8 @@ class WorkSpaces:
 self.service = "workspaces"
 self.session = audit_info.audit_session
 self.audit_resources = audit_info.audit_resources
+ self.audited_partition = audit_info.audited_partition
+ self.audited_account = audit_info.audited_account
 self.regional_clients = generate_regional_clients(self.service, audit_info)
 self.workspaces = []
 self.__threading_call__(self.__describe_workspaces__)
@@ -39,12 +41,12 @@ class WorkSpaces:
 )
 for page in describe_workspaces_paginator.paginate():
 for workspace in page["Workspaces"]:
+ arn = f"arn:{self.audited_partition}:workspaces:{regional_client.region}:{self.audited_account}:workspace/{workspace['WorkspaceId']}"
 if not self.audit_resources or (
- is_resource_filtered(
- workspace["WorkspaceId"], self.audit_resources
- )
+ is_resource_filtered(arn, self.audit_resources)
 ):
 workspace_to_append = WorkSpace(
+ arn=arn,
 id=workspace.get("WorkspaceId"),
 region=regional_client.region,
 subnet_id=workspace.get("SubnetId"),
diff --git a/tests/providers/aws/services/apigateway/apigateway_authorizers_enabled/apigateway_authorizers_enabled_test.py b/tests/providers/aws/services/apigateway/apigateway_authorizers_enabled/apigateway_authorizers_enabled_test.py
index 432099d2..d569e658 100644
--- a/tests/providers/aws/services/apigateway/apigateway_authorizers_enabled/apigateway_authorizers_enabled_test.py
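Review bot: In the second WorkSpaces hunk (`@@ -39,12 +41,12 @@`, presumably inside `__describe_workspaces__`) the new `arn` line indexes `workspace['WorkspaceId']` while the constructor a few lines down keeps `id=workspace.get("WorkspaceId")`; the f-string raises KeyError before the tolerant `.get` is ever reached, so the two lines disagree about whether the key is required. Pick one convention: if WorkspaceId is always present in the DescribeWorkspaces page, `id=workspace["WorkspaceId"]` states that plainly; if it can be absent, read it once with `.get`, build the ARN from that value and skip the entry when it is missing. A short comment such as `# WorkspaceId is required; a missing key is a malformed response` would document whichever choice is made. The enclosing method starts outside the hunk.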
+++ b/tests/providers/aws/services/apigateway/apigateway_authorizers_enabled/apigateway_authorizers_enabled_test.py @@ -120,7 +120,7 @@ class Test_apigateway_authorizers_enabled: assert result[0].resource_id == "test-rest-api" assert ( result[0].resource_arn - == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}" + == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}" ) @mock_apigateway @@ -161,5 +161,5 @@ class Test_apigateway_authorizers_enabled: assert result[0].resource_id == "test-rest-api" assert ( result[0].resource_arn - == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}" + == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}" ) diff --git a/tests/providers/aws/services/apigateway/apigateway_client_certificate_enabled/apigateway_client_certificate_enabled_test.py b/tests/providers/aws/services/apigateway/apigateway_client_certificate_enabled/apigateway_client_certificate_enabled_test.py index 25d21465..4cf96447 100644 --- a/tests/providers/aws/services/apigateway/apigateway_client_certificate_enabled/apigateway_client_certificate_enabled_test.py +++ b/tests/providers/aws/services/apigateway/apigateway_client_certificate_enabled/apigateway_client_certificate_enabled_test.py @@ -130,7 +130,7 @@ class Test_apigateway_client_certificate_enabled: assert result[0].resource_id == "test-rest-api" assert ( result[0].resource_arn - == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}/stages/test" + == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}/stages/test" ) @mock_apigateway 
@@ -162,7 +162,7 @@ class Test_apigateway_client_certificate_enabled: service_client.rest_apis[0].stages.append( Stage( name="test", - arn=f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/test-rest-api/stages/test", + arn=f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/test-rest-api/stages/test", logging=True, client_certificate=True, waf=True, @@ -181,5 +181,5 @@ class Test_apigateway_client_certificate_enabled: assert result[0].resource_id == "test-rest-api" assert ( result[0].resource_arn - == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/test-rest-api/stages/test" + == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/test-rest-api/stages/test" ) diff --git a/tests/providers/aws/services/apigateway/apigateway_endpoint_public/apigateway_endpoint_public_test.py b/tests/providers/aws/services/apigateway/apigateway_endpoint_public/apigateway_endpoint_public_test.py index 7fb4a3fe..5545235f 100644 --- a/tests/providers/aws/services/apigateway/apigateway_endpoint_public/apigateway_endpoint_public_test.py +++ b/tests/providers/aws/services/apigateway/apigateway_endpoint_public/apigateway_endpoint_public_test.py @@ -101,7 +101,7 @@ class Test_apigateway_endpoint_public: assert result[0].resource_id == "test-rest-api" assert ( result[0].resource_arn - == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}" + == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}" ) @mock_apigateway @@ -147,5 +147,5 @@ class Test_apigateway_endpoint_public: assert result[0].resource_id == "test-rest-api" assert ( result[0].resource_arn - == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}" + == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}" ) 
diff --git a/tests/providers/aws/services/apigateway/apigateway_logging_enabled/apigateway_logging_enabled_test.py b/tests/providers/aws/services/apigateway/apigateway_logging_enabled/apigateway_logging_enabled_test.py index 8ee3cb24..cbead893 100644 --- a/tests/providers/aws/services/apigateway/apigateway_logging_enabled/apigateway_logging_enabled_test.py +++ b/tests/providers/aws/services/apigateway/apigateway_logging_enabled/apigateway_logging_enabled_test.py @@ -133,7 +133,7 @@ class Test_apigateway_logging_enabled: assert result[0].resource_id == "test-rest-api" assert ( result[0].resource_arn - == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}/stages/test" + == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}/stages/test" ) @mock_apigateway @@ -202,5 +202,5 @@ class Test_apigateway_logging_enabled: assert result[0].resource_id == "test-rest-api" assert ( result[0].resource_arn - == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}/stages/test" + == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}/stages/test" ) diff --git a/tests/providers/aws/services/apigateway/apigateway_waf_acl_attached/apigateway_waf_acl_attached_test.py b/tests/providers/aws/services/apigateway/apigateway_waf_acl_attached/apigateway_waf_acl_attached_test.py index a823a21b..e9fc599d 100644 --- a/tests/providers/aws/services/apigateway/apigateway_waf_acl_attached/apigateway_waf_acl_attached_test.py +++ b/tests/providers/aws/services/apigateway/apigateway_waf_acl_attached/apigateway_waf_acl_attached_test.py 
@@ -139,7 +139,7 @@ class Test_apigateway_waf_acl_attached: assert result[0].resource_id == "test-rest-api" assert ( result[0].resource_arn - == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}/stages/test" + == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}/stages/test" ) @mock_apigateway @@ -208,5 +208,5 @@ class Test_apigateway_waf_acl_attached: assert result[0].resource_id == "test-rest-api" assert ( result[0].resource_arn - == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/apis/{rest_api['id']}/stages/test" + == f"arn:{current_audit_info.audited_partition}:apigateway:{AWS_REGION}::/restapis/{rest_api['id']}/stages/test" ) diff --git a/tests/providers/aws/services/glue/glue_database_connections_ssl_enabled/glue_database_connections_ssl_enabled_test.py b/tests/providers/aws/services/glue/glue_database_connections_ssl_enabled/glue_database_connections_ssl_enabled_test.py index 16a5388e..c38426a8 100644 --- a/tests/providers/aws/services/glue/glue_database_connections_ssl_enabled/glue_database_connections_ssl_enabled_test.py +++ b/tests/providers/aws/services/glue/glue_database_connections_ssl_enabled/glue_database_connections_ssl_enabled_test.py @@ -38,6 +38,7 @@ class Test_glue_database_connections_ssl_enabled: "CONNECTOR_CLASS_NAME": "test", }, region=AWS_REGION, + arn="arn_test", ) ] @@ -60,6 +61,7 @@ class Test_glue_database_connections_ssl_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" def test_glue_table_with_SSL(self): glue_client = mock.MagicMock @@ -75,6 +77,7 @@ class Test_glue_database_connections_ssl_enabled: "JDBC_ENFORCE_SSL": "true", }, region=AWS_REGION, + arn="arn_test", ) ] @@ -97,3 +100,4 @@ class Test_glue_database_connections_ssl_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" 
diff --git a/tests/providers/aws/services/glue/glue_development_endpoints_cloudwatch_logs_encryption_enabled/glue_development_endpoints_cloudwatch_logs_encryption_enabled_test.py b/tests/providers/aws/services/glue/glue_development_endpoints_cloudwatch_logs_encryption_enabled/glue_development_endpoints_cloudwatch_logs_encryption_enabled_test.py index 5978a631..72f0a25c 100644 --- a/tests/providers/aws/services/glue/glue_development_endpoints_cloudwatch_logs_encryption_enabled/glue_development_endpoints_cloudwatch_logs_encryption_enabled_test.py +++ b/tests/providers/aws/services/glue/glue_development_endpoints_cloudwatch_logs_encryption_enabled/glue_development_endpoints_cloudwatch_logs_encryption_enabled_test.py @@ -32,6 +32,7 @@ class Test_glue_development_endpoints_cloudwatch_logs_encryption_enabled: name="test", security="sec_config", region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [ @@ -64,6 +65,7 @@ class Test_glue_development_endpoints_cloudwatch_logs_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" def test_glue_unencrypted_endpoint(self): glue_client = mock.MagicMock @@ -72,6 +74,7 @@ class Test_glue_development_endpoints_cloudwatch_logs_encryption_enabled: name="test", security="sec_config", region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [ @@ -103,6 +106,7 @@ class Test_glue_development_endpoints_cloudwatch_logs_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" def test_glue_no_sec_configs(self): glue_client = mock.MagicMock @@ -111,6 +115,7 @@ class Test_glue_development_endpoints_cloudwatch_logs_encryption_enabled: name="test", security="sec_config", region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [] 
@@ -134,3 +139,4 @@ class Test_glue_development_endpoints_cloudwatch_logs_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" diff --git a/tests/providers/aws/services/glue/glue_development_endpoints_job_bookmark_encryption_enabled/glue_development_endpoints_job_bookmark_encryption_enabled_test.py b/tests/providers/aws/services/glue/glue_development_endpoints_job_bookmark_encryption_enabled/glue_development_endpoints_job_bookmark_encryption_enabled_test.py index 5f2026cf..1adbe40a 100644 --- a/tests/providers/aws/services/glue/glue_development_endpoints_job_bookmark_encryption_enabled/glue_development_endpoints_job_bookmark_encryption_enabled_test.py +++ b/tests/providers/aws/services/glue/glue_development_endpoints_job_bookmark_encryption_enabled/glue_development_endpoints_job_bookmark_encryption_enabled_test.py @@ -32,6 +32,7 @@ class Test_glue_development_endpoints_job_bookmark_encryption_enabled: name="test", security="sec_config", region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [ @@ -64,6 +65,7 @@ class Test_glue_development_endpoints_job_bookmark_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" def test_glue_unencrypted_endpoint(self): glue_client = mock.MagicMock @@ -72,6 +74,7 @@ class Test_glue_development_endpoints_job_bookmark_encryption_enabled: name="test", security="sec_config", region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [ @@ -103,6 +106,7 @@ class Test_glue_development_endpoints_job_bookmark_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" def test_glue_no_sec_configs(self): glue_client = mock.MagicMock 
@@ -111,6 +115,7 @@ class Test_glue_development_endpoints_job_bookmark_encryption_enabled: name="test", security="sec_config", region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [] @@ -134,3 +139,4 @@ class Test_glue_development_endpoints_job_bookmark_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" diff --git a/tests/providers/aws/services/glue/glue_development_endpoints_s3_encryption_enabled/glue_development_endpoints_s3_encryption_enabled_test.py b/tests/providers/aws/services/glue/glue_development_endpoints_s3_encryption_enabled/glue_development_endpoints_s3_encryption_enabled_test.py index 4ed18ea4..cc645f8c 100644 --- a/tests/providers/aws/services/glue/glue_development_endpoints_s3_encryption_enabled/glue_development_endpoints_s3_encryption_enabled_test.py +++ b/tests/providers/aws/services/glue/glue_development_endpoints_s3_encryption_enabled/glue_development_endpoints_s3_encryption_enabled_test.py @@ -32,6 +32,7 @@ class Test_glue_development_endpoints_s3_encryption_enabled: name="test", security="sec_config", region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [ @@ -64,6 +65,7 @@ class Test_glue_development_endpoints_s3_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" def test_glue_unencrypted_endpoint(self): glue_client = mock.MagicMock @@ -72,6 +74,7 @@ class Test_glue_development_endpoints_s3_encryption_enabled: name="test", security="sec_config", region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [ @@ -103,6 +106,7 @@ class Test_glue_development_endpoints_s3_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" def test_glue_no_sec_configs(self): glue_client = mock.MagicMock 
@@ -111,6 +115,7 @@ class Test_glue_development_endpoints_s3_encryption_enabled: name="test", security="sec_config", region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [] @@ -134,3 +139,4 @@ class Test_glue_development_endpoints_s3_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" diff --git a/tests/providers/aws/services/glue/glue_etl_jobs_amazon_s3_encryption_enabled/glue_etl_jobs_amazon_s3_encryption_enabled_test.py b/tests/providers/aws/services/glue/glue_etl_jobs_amazon_s3_encryption_enabled/glue_etl_jobs_amazon_s3_encryption_enabled_test.py index 53e8030f..922b66d9 100644 --- a/tests/providers/aws/services/glue/glue_etl_jobs_amazon_s3_encryption_enabled/glue_etl_jobs_amazon_s3_encryption_enabled_test.py +++ b/tests/providers/aws/services/glue/glue_etl_jobs_amazon_s3_encryption_enabled/glue_etl_jobs_amazon_s3_encryption_enabled_test.py @@ -33,6 +33,7 @@ class Test_glue_etl_jobs_amazon_s3_encryption_enabled: security="sec_config", arguments=None, region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [ @@ -65,6 +66,7 @@ class Test_glue_etl_jobs_amazon_s3_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" def test_glue_unencrypted_job(self): glue_client = mock.MagicMock @@ -74,6 +76,7 @@ class Test_glue_etl_jobs_amazon_s3_encryption_enabled: security="sec_config", arguments=None, region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [ @@ -105,6 +108,7 @@ class Test_glue_etl_jobs_amazon_s3_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" def test_glue_no_sec_configs(self): glue_client = mock.MagicMock 
@@ -113,6 +117,7 @@ class Test_glue_etl_jobs_amazon_s3_encryption_enabled: name="test", security="sec_config", region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [] @@ -136,6 +141,7 @@ class Test_glue_etl_jobs_amazon_s3_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" def test_glue_encrypted_job_with_argument(self): glue_client = mock.MagicMock @@ -148,6 +154,7 @@ class Test_glue_etl_jobs_amazon_s3_encryption_enabled: "--enable-job-insights": "false", }, region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [] @@ -171,3 +178,4 @@ class Test_glue_etl_jobs_amazon_s3_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" diff --git a/tests/providers/aws/services/glue/glue_etl_jobs_cloudwatch_logs_encryption_enabled/glue_etl_jobs_cloudwatch_logs_encryption_enabled_test.py b/tests/providers/aws/services/glue/glue_etl_jobs_cloudwatch_logs_encryption_enabled/glue_etl_jobs_cloudwatch_logs_encryption_enabled_test.py index 715b6f52..d6d7be32 100644 --- a/tests/providers/aws/services/glue/glue_etl_jobs_cloudwatch_logs_encryption_enabled/glue_etl_jobs_cloudwatch_logs_encryption_enabled_test.py +++ b/tests/providers/aws/services/glue/glue_etl_jobs_cloudwatch_logs_encryption_enabled/glue_etl_jobs_cloudwatch_logs_encryption_enabled_test.py @@ -33,6 +33,7 @@ class Test_glue_etl_jobs_cloudwatch_logs_encryption_enabled: security="sec_config", arguments=None, region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [ @@ -65,6 +66,7 @@ class Test_glue_etl_jobs_cloudwatch_logs_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" def test_glue_unencrypted_job(self): glue_client = mock.MagicMock 
@@ -74,6 +76,7 @@ class Test_glue_etl_jobs_cloudwatch_logs_encryption_enabled: security="sec_config", arguments=None, region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [ @@ -105,6 +108,7 @@ class Test_glue_etl_jobs_cloudwatch_logs_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" def test_glue_no_sec_configs(self): glue_client = mock.MagicMock @@ -113,6 +117,7 @@ class Test_glue_etl_jobs_cloudwatch_logs_encryption_enabled: name="test", security="sec_config", region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [] @@ -136,3 +141,4 @@ class Test_glue_etl_jobs_cloudwatch_logs_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" diff --git a/tests/providers/aws/services/glue/glue_etl_jobs_job_bookmark_encryption_enabled/glue_etl_jobs_job_bookmark_encryption_enabled_test.py b/tests/providers/aws/services/glue/glue_etl_jobs_job_bookmark_encryption_enabled/glue_etl_jobs_job_bookmark_encryption_enabled_test.py index 4f9b03d0..af74c7d0 100644 --- a/tests/providers/aws/services/glue/glue_etl_jobs_job_bookmark_encryption_enabled/glue_etl_jobs_job_bookmark_encryption_enabled_test.py +++ b/tests/providers/aws/services/glue/glue_etl_jobs_job_bookmark_encryption_enabled/glue_etl_jobs_job_bookmark_encryption_enabled_test.py @@ -33,6 +33,7 @@ class Test_glue_etl_jobs_job_bookmark_encryption_enabled: security="sec_config", arguments=None, region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [ @@ -65,6 +66,7 @@ class Test_glue_etl_jobs_job_bookmark_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" def test_glue_unencrypted_job(self): glue_client = mock.MagicMock 
@@ -74,6 +76,7 @@ class Test_glue_etl_jobs_job_bookmark_encryption_enabled: security="sec_config", arguments=None, region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [ @@ -105,6 +108,7 @@ class Test_glue_etl_jobs_job_bookmark_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" def test_glue_no_sec_configs(self): glue_client = mock.MagicMock @@ -113,6 +117,7 @@ class Test_glue_etl_jobs_job_bookmark_encryption_enabled: name="test", security="sec_config", region=AWS_REGION, + arn="arn_test", ) ] glue_client.security_configs = [] @@ -136,3 +141,4 @@ class Test_glue_etl_jobs_job_bookmark_encryption_enabled: result[0].status_extended, ) assert result[0].resource_id == "test" + assert result[0].resource_arn == "arn_test" diff --git a/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py b/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py index ed4daae4..2a8d9778 100644 --- a/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py +++ b/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py @@ -97,9 +97,11 @@ class Test_networkfirewall_in_all_vpc: cidr_block="192.168.0.0/16", flow_log=False, region=AWS_REGION, + arn="arn_test", subnets=[ VpcSubnet( id="subnet-123456789", + arn="arn_test", default=False, vpc_id=VPC_ID_PROTECTED, cidr_block="192.168.0.0/24", @@ -146,7 +148,7 @@ class Test_networkfirewall_in_all_vpc: assert result[0].region == AWS_REGION assert result[0].resource_id == VPC_ID_PROTECTED assert result[0].resource_tags == [] - assert result[0].resource_arn == "" + assert result[0].resource_arn == "arn_test" def test_vpcs_without_firewall(self): networkfirewall_client = mock.MagicMock 
@@ -161,9 +163,11 @@ class Test_networkfirewall_in_all_vpc: cidr_block="192.168.0.0/16", flow_log=False, region=AWS_REGION, + arn="arn_test", subnets=[ VpcSubnet( id="subnet-123456789", + arn="arn_test", default=False, vpc_id=VPC_ID_UNPROTECTED, cidr_block="192.168.0.0/24", @@ -210,7 +214,7 @@ class Test_networkfirewall_in_all_vpc: assert result[0].region == AWS_REGION assert result[0].resource_id == VPC_ID_UNPROTECTED assert result[0].resource_tags == [] - assert result[0].resource_arn == "" + assert result[0].resource_arn == "arn_test" def test_vpcs_with_and_without_firewall(self): networkfirewall_client = mock.MagicMock @@ -235,9 +239,11 @@ class Test_networkfirewall_in_all_vpc: cidr_block="192.168.0.0/16", flow_log=False, region=AWS_REGION, + arn="arn_test", subnets=[ VpcSubnet( id="subnet-123456789", + arn="arn_test", default=False, vpc_id=VPC_ID_UNPROTECTED, cidr_block="192.168.0.0/24", @@ -257,9 +263,11 @@ class Test_networkfirewall_in_all_vpc: cidr_block="192.168.0.0/16", flow_log=False, region=AWS_REGION, + arn="arn_test", subnets=[ VpcSubnet( id="subnet-123456789", + arn="arn_test", default=False, vpc_id=VPC_ID_PROTECTED, cidr_block="192.168.0.0/24", @@ -308,7 +316,7 @@ class Test_networkfirewall_in_all_vpc: assert r.region == AWS_REGION assert r.resource_id == VPC_ID_PROTECTED assert r.resource_tags == [] - assert r.resource_arn == "" + assert r.resource_arn == "arn_test" if r.resource_id == VPC_ID_UNPROTECTED: assert r.status == "FAIL" assert ( @@ -318,4 +326,4 @@ class Test_networkfirewall_in_all_vpc: assert r.region == AWS_REGION assert r.resource_id == VPC_ID_UNPROTECTED assert r.resource_tags == [] - assert r.resource_arn == "" + assert r.resource_arn == "arn_test" diff --git a/tests/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible_test.py b/tests/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible_test.py index 061d4086..e163ccdc 100644 
--- a/tests/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible_test.py +++ b/tests/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible_test.py @@ -77,7 +77,12 @@ class Test_sqs_queues_not_publicly_accessible: sqs_client = mock.MagicMock sqs_client.queues = [] sqs_client.queues.append( - Queue(id=queue_id, region=AWS_REGION, policy=test_restricted_policy) + Queue( + id=queue_id, + region=AWS_REGION, + policy=test_restricted_policy, + arn="arn_test", + ) ) with mock.patch( "prowler.providers.aws.services.sqs.sqs_service.SQS", @@ -93,13 +98,18 @@ class Test_sqs_queues_not_publicly_accessible: assert result[0].status == "PASS" assert search("is not public", result[0].status_extended) assert result[0].resource_id == queue_id - assert result[0].resource_arn == "" + assert result[0].resource_arn == "arn_test" def test_queues_public(self): sqs_client = mock.MagicMock sqs_client.queues = [] sqs_client.queues.append( - Queue(id=queue_id, region=AWS_REGION, policy=test_public_policy) + Queue( + id=queue_id, + region=AWS_REGION, + policy=test_public_policy, + arn="arn_test", + ) ) with mock.patch( "prowler.providers.aws.services.sqs.sqs_service.SQS", @@ -115,14 +125,17 @@ class Test_sqs_queues_not_publicly_accessible: assert result[0].status == "FAIL" assert search("policy with public access", result[0].status_extended) assert result[0].resource_id == queue_id - assert result[0].resource_arn == "" + assert result[0].resource_arn == "arn_test" def test_queues_public_with_condition(self): sqs_client = mock.MagicMock sqs_client.queues = [] sqs_client.queues.append( Queue( - id=queue_id, region=AWS_REGION, policy=test_public_policy_with_condition + id=queue_id, + region=AWS_REGION, + policy=test_public_policy_with_condition, + arn="arn_test", ) ) with mock.patch( 
@@ -142,4 +155,4 @@ class Test_sqs_queues_not_publicly_accessible: result[0].status_extended, ) assert result[0].resource_id == queue_id - assert result[0].resource_arn == "" + assert result[0].resource_arn == "arn_test" diff --git a/tests/providers/aws/services/sqs/sqs_queues_server_side_encryption_enabled/sqs_queues_server_side_encryption_enabled_test.py b/tests/providers/aws/services/sqs/sqs_queues_server_side_encryption_enabled/sqs_queues_server_side_encryption_enabled_test.py index caeb9f53..ff1f8808 100644 --- a/tests/providers/aws/services/sqs/sqs_queues_server_side_encryption_enabled/sqs_queues_server_side_encryption_enabled_test.py +++ b/tests/providers/aws/services/sqs/sqs_queues_server_side_encryption_enabled/sqs_queues_server_side_encryption_enabled_test.py @@ -32,7 +32,12 @@ class Test_sqs_queues_server_side_encryption_enabled: sqs_client = mock.MagicMock sqs_client.queues = [] sqs_client.queues.append( - Queue(id=queue_id, region=AWS_REGION, kms_key_id=test_kms_key_id) + Queue( + id=queue_id, + region=AWS_REGION, + kms_key_id=test_kms_key_id, + arn="arn_test", + ) ) with mock.patch( "prowler.providers.aws.services.sqs.sqs_service.SQS", @@ -48,7 +53,7 @@ class Test_sqs_queues_server_side_encryption_enabled: assert result[0].status == "PASS" assert search("is using Server Side Encryption", result[0].status_extended) assert result[0].resource_id == queue_id - assert result[0].resource_arn == "" + assert result[0].resource_arn == "arn_test" def test_queues_no_encryption(self): sqs_client = mock.MagicMock @@ -57,6 +62,7 @@ class Test_sqs_queues_server_side_encryption_enabled: Queue( id=queue_id, region=AWS_REGION, + arn="arn_test", ) ) with mock.patch( @@ -75,4 +81,4 @@ class Test_sqs_queues_server_side_encryption_enabled: "is not using Server Side Encryption", result[0].status_extended ) assert result[0].resource_id == queue_id - assert result[0].resource_arn == "" + assert result[0].resource_arn == "arn_test"