From 030ca4c1736de75e5645d90834a9ca367d295bad Mon Sep 17 00:00:00 2001
From: Gabriel Soltz
Date: Wed, 3 May 2023 09:00:15 +0200
Subject: [PATCH] fix(backups): change severity and only check report_plans if plans exists (#2291)
Co-authored-by: Pepe Fagoaga
---
 .../backup_plans_exist.metadata.json | 2 +-
 .../backup_plans_exist/backup_plans_exist.py | 6 ++-
 .../backup_reportplans_exist.py | 28 ++++++-----
 .../backup_vaults_exist.metadata.json | 2 +-
 .../backup_vaults_exist.py | 2 +-
 .../backup_plans_exist_test.py | 2 +-
 .../backup_reportplans_exist_test.py | 47 ++++++++++++++++++-
 .../backup_vaults_exist_test.py | 2 +-
 8 files changed, 69 insertions(+), 22 deletions(-)
diff --git a/prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.metadata.json b/prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.metadata.json
index f0d3b790..1de6796d 100644
--- a/prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.metadata.json
+++ b/prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.metadata.json
@@ -10,7 +10,7 @@
   "ServiceName": "backup",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:service:region:account-id:backup-plan:backup-plan-id",
-  "Severity": "medium",
+  "Severity": "low",
   "ResourceType": "AwsBackupBackupPlan",
   "Description": "This check ensures that there is at least one backup plan in place.",
   "Risk": "Without a backup plan, an organization may be at risk of losing important data due to accidental deletion, system failures, or natural disasters. This can result in significant financial and reputational damage for the organization.",
diff --git a/prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.py b/prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.py
index 73ee6151..0e132a18 100644
--- a/prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.py
+++ b/prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.py
@@ -9,11 +9,13 @@ class backup_plans_exist(Check):
         report.status = "FAIL"
         report.status_extended = "No Backup Plan Exist"
         report.resource_arn = ""
-        report.resource_id = "No Backups"
+        report.resource_id = "Backups"
         report.region = backup_client.region
         if backup_client.backup_plans:
             report.status = "PASS"
-            report.status_extended = f"At least one backup plan exists: { backup_client.backup_plans[0].name}"
+            report.status_extended = (
+                f"At least one backup plan exists: {backup_client.backup_plans[0].name}"
+            )
             report.resource_arn = backup_client.backup_plans[0].arn
             report.resource_id = backup_client.backup_plans[0].name
             report.region = backup_client.backup_plans[0].region
diff --git a/prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.py b/prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.py
index 3138ab2b..b4196731 100644
--- a/prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.py
+++ b/prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.py
@@ -5,18 +5,20 @@ from prowler.providers.aws.services.backup.backup_client import backup_client
 class backup_reportplans_exist(Check):
     def execute(self):
         findings = []
-        report = Check_Report_AWS(self.metadata())
-        report.status = "FAIL"
-        report.status_extended = "No Backup Report Plan Exist"
-        report.resource_arn = ""
-        report.resource_id = "No Backups"
-        report.region = backup_client.region
-        if backup_client.backup_report_plans:
-            report.status = "PASS"
-            report.status_extended = f"At least one backup report plan exists: { backup_client.backup_report_plans[0].name}"
-            report.resource_arn = backup_client.backup_report_plans[0].arn
-            report.resource_id = backup_client.backup_report_plans[0].name
-            report.region = backup_client.backup_report_plans[0].region
+        # We only check report plans if backup plans exist, reducing noise
+        if backup_client.backup_plans:
+            report = Check_Report_AWS(self.metadata())
+            report.status = "FAIL"
+            report.status_extended = "No Backup Report Plan Exist"
+            report.resource_arn = ""
+            report.resource_id = "Backups"
+            report.region = backup_client.region
+            if backup_client.backup_report_plans:
+                report.status = "PASS"
+                report.status_extended = f"At least one backup report plan exists: { backup_client.backup_report_plans[0].name}"
+                report.resource_arn = backup_client.backup_report_plans[0].arn
+                report.resource_id = backup_client.backup_report_plans[0].name
+                report.region = backup_client.backup_report_plans[0].region
-        findings.append(report)
+            findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.metadata.json b/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.metadata.json
index c25d2d0c..1bca95a6 100644
--- a/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.metadata.json
+++ b/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.metadata.json
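Review bot: The new `report.status_extended = f"At least one backup report plan exists: { backup_client.backup_report_plans[0].name}"` line keeps the stray space inside the placeholder that the sibling hunk in backup_plans_exist.py removes in this same commit; drop it here as well so the two PASS messages are formatted consistently, `f"At least one backup report plan exists: {backup_client.backup_report_plans[0].name}"`. Separately, with the new guard the check returns an empty findings list whenever `backup_client.backup_plans` is empty, so a consumer of the output cannot distinguish "check ran and was skipped" from "check did not run"; if that is the intended behaviour it should be visible in the check's Description so the missing finding is not read as a coverage gap. The added comment could carry the same information, e.g. `# No finding is emitted when there are no backup plans; backup_plans_exist already reports that condition`.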
@@ -10,7 +10,7 @@
   "ServiceName": "backup",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:partition:service:region:account-id:backup-vault:backup-vault-id",
-  "Severity": "medium",
+  "Severity": "low",
   "ResourceType": "AwsBackupBackupVault",
   "Description": "This check ensures that AWS Backup vaults exist to provide a secure and durable storage location for backup data.",
   "Risk": "Without an AWS Backup vault, an organization's critical data may be at risk of being lost in the event of an accidental deletion, system failures, or natural disasters.",
diff --git a/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py b/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py
index d10d475e..6d09e7d6 100644
--- a/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py
+++ b/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py
@@ -9,7 +9,7 @@ class backup_vaults_exist(Check):
         report.status = "FAIL"
         report.status_extended = "No Backup Vault Exist"
         report.resource_arn = ""
-        report.resource_id = "No Backups"
+        report.resource_id = "Backups"
         report.region = backup_client.region
         if backup_client.backup_vaults:
             report.status = "PASS"
diff --git a/tests/providers/aws/services/backup/backup_plans_exist/backup_plans_exist_test.py b/tests/providers/aws/services/backup/backup_plans_exist/backup_plans_exist_test.py
index 7218a481..5bde33d4 100644
--- a/tests/providers/aws/services/backup/backup_plans_exist/backup_plans_exist_test.py
+++ b/tests/providers/aws/services/backup/backup_plans_exist/backup_plans_exist_test.py
@@ -26,7 +26,7 @@ class Test_backup_plans_exist:
             assert len(result) == 1
             assert result[0].status == "FAIL"
             assert result[0].status_extended == "No Backup Plan Exist"
-            assert result[0].resource_id == "No Backups"
+            assert result[0].resource_id == "Backups"
             assert result[0].resource_arn == ""
             assert result[0].region == AWS_REGION
diff --git a/tests/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist_test.py b/tests/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist_test.py
index 9bdd58d4..d8cd2c0b 100644
--- a/tests/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist_test.py
+++ b/tests/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist_test.py
@@ -1,15 +1,47 @@
 from datetime import datetime
 from unittest import mock
-from prowler.providers.aws.services.backup.backup_service import BackupReportPlan
+from prowler.providers.aws.services.backup.backup_service import (
+    BackupPlan,
+    BackupReportPlan,
+)
 AWS_REGION = "eu-west-1"
 class Test_backup_reportplans_exist:
+    def test_no_backup_plans(self):
+        backup_client = mock.MagicMock
+        backup_client.region = AWS_REGION
+        backup_client.backup_plans = []
+        with mock.patch(
+            "prowler.providers.aws.services.backup.backup_service.Backup",
+            new=backup_client,
+        ):
+            # Test Check
+            from prowler.providers.aws.services.backup.backup_reportplans_exist.backup_reportplans_exist import (
+                backup_reportplans_exist,
+            )
+            check = backup_reportplans_exist()
+            result = check.execute()
+            assert len(result) == 0
     def test_no_backup_report_plans(self):
         backup_client = mock.MagicMock
         backup_client.region = AWS_REGION
+        backup_client.backup_plans = [
+            BackupPlan(
+                arn="ARN",
+                id="MyBackupPlan",
+                region=AWS_REGION,
+                name="MyBackupPlan",
+                version_id="version_id",
+                last_execution_date=datetime(2015, 1, 1),
+                advanced_settings=[],
+            )
+        ]
         backup_client.backup_report_plans = []
         with mock.patch(
             "prowler.providers.aws.services.backup.backup_service.Backup",
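Review bot: `backup_client = mock.MagicMock` in the new test_no_backup_plans binds the MagicMock class rather than an instance, so `backup_client.region` and `backup_client.backup_plans = []` become attributes on the shared class object and persist for every later test in the process, and `new=backup_client` patches the class into place instead of a fake instance; `backup_client = mock.MagicMock()` gives each test an isolated double. The context lines show the existing tests already use the class form, so this is an inherited pattern, but the new test is a good place to stop propagating it since its `assert len(result) == 0` only holds while nothing else has repopulated the class-level `backup_plans`. The BackupPlan fixture added in this hunk is repeated verbatim in the hunk at line 6; a small module-level helper such as `def _backup_plan(): return BackupPlan(arn="ARN", ...)` would keep the two copies from drifting apart.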
@@ -26,13 +58,24 @@ class Test_backup_reportplans_exist:
             assert len(result) == 1
             assert result[0].status == "FAIL"
             assert result[0].status_extended == "No Backup Report Plan Exist"
-            assert result[0].resource_id == "No Backups"
+            assert result[0].resource_id == "Backups"
             assert result[0].resource_arn == ""
             assert result[0].region == AWS_REGION
     def test_one_backup_report_plan(self):
         backup_client = mock.MagicMock
         backup_client.region = AWS_REGION
+        backup_client.backup_plans = [
+            BackupPlan(
+                arn="ARN",
+                id="MyBackupPlan",
+                region=AWS_REGION,
+                name="MyBackupPlan",
+                version_id="version_id",
+                last_execution_date=datetime(2015, 1, 1),
+                advanced_settings=[],
+            )
+        ]
         backup_client.backup_report_plans = [
             BackupReportPlan(
                 arn="ARN",
diff --git a/tests/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist_test.py b/tests/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist_test.py
index 1f672e07..4b374e3e 100644
--- a/tests/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist_test.py
+++ b/tests/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist_test.py
@@ -25,7 +25,7 @@ class Test_backup_vaults_exist:
             assert len(result) == 1
             assert result[0].status == "FAIL"
             assert result[0].status_extended == "No Backup Vault Exist"
-            assert result[0].resource_id == "No Backups"
+            assert result[0].resource_id == "Backups"
             assert result[0].resource_arn == ""
             assert result[0].region == AWS_REGION