From 0745a57f52740c7243395530d9443fceb4ad59bd Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Tue, 3 Oct 2023 11:31:33 +0200
Subject: [PATCH] fix(findingID): remove duplicate finding IDs (#2890)
---
 .../iam_disable_30_days_credentials.py | 4 +--
 .../iam_disable_45_days_credentials.py | 4 +--
 .../iam_disable_90_days_credentials.py | 4 +--
 ...ine_policy_no_administrative_privileges.py | 2 +-
 ..._policy_attached_only_to_group_or_roles.py | 4 +--
 .../route53_dangling_ip_subdomain_takeover.py | 2 +-
 .../iam_disable_30_days_credentials_test.py | 8 +++---
 .../iam_disable_45_days_credentials_test.py | 8 +++---
 .../iam_disable_90_days_credentials_test.py | 8 +++---
 ...olicy_no_administrative_privileges_test.py | 12 ++++-----
 ...cy_attached_only_to_group_or_roles_test.py | 8 +++---
 ...e53_dangling_ip_subdomain_takeover_test.py | 25 +++++++++++++++----
 12 files changed, 52 insertions(+), 37 deletions(-)
diff --git a/prowler/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py b/prowler/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py
index b6b42045..9710f25c 100644
--- a/prowler/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py
+++ b/prowler/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py
@@ -67,7 +67,7 @@ class iam_disable_30_days_credentials(Check):
 old_access_keys = True
 report = Check_Report_AWS(self.metadata())
 report.region = iam_client.region
- report.resource_id = user["user"] 
+ report.resource_id = user["user"] + "/AccessKey1"
 report.resource_arn = user["arn"]
 report.status = "FAIL"
 report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)." 
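Review bot: The `/AccessKey1` suffix on the new `report.resource_id` line is unexplained, and the same literal pair is repeated in the AccessKey2 hunk below and in the 45- and 90-day checks, so one of the six sites can easily drift in a later edit. A comment on the first site such as `# Suffix the key slot so the two access-key findings for one user get distinct resource_ids ("/" is not a valid IAM user-name character)` documents the intent, and hoisting the two suffixes into a shared module-level constant used by all three checks would keep them aligned (the tests hard-code the same literals). This also changes the identity of existing findings: if any downstream state, such as a Security Hub integration or an allowlist, is keyed on the previous resource_id, those entries will stop matching and the change deserves a release-note line. The enclosing check method starts and ends outside the hunk.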
@@ -86,7 +86,7 @@ class iam_disable_30_days_credentials(Check):
 old_access_keys = True
 report = Check_Report_AWS(self.metadata())
 report.region = iam_client.region
- report.resource_id = user["user"] 
+ report.resource_id = user["user"] + "/AccessKey2"
 report.resource_arn = user["arn"]
 report.status = "FAIL"
 report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)."
diff --git a/prowler/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials.py b/prowler/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials.py
index 42cfcd0c..48b94f35 100644
--- a/prowler/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials.py
+++ b/prowler/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials.py
@@ -67,7 +67,7 @@ class iam_disable_45_days_credentials(Check):
 old_access_keys = True
 report = Check_Report_AWS(self.metadata())
 report.region = iam_client.region
- report.resource_id = user["user"] 
+ report.resource_id = user["user"] + "/AccessKey1"
 report.resource_arn = user["arn"]
 report.status = "FAIL"
 report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)."
@@ -86,7 +86,7 @@ class iam_disable_45_days_credentials(Check):
 old_access_keys = True
 report = Check_Report_AWS(self.metadata())
 report.region = iam_client.region
- report.resource_id = user["user"] 
+ report.resource_id = user["user"] + "/AccessKey2"
 report.resource_arn = user["arn"]
 report.status = "FAIL"
 report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)." 
diff --git a/prowler/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py b/prowler/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py
index b7c66705..30a01463 100644
--- a/prowler/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py
+++ b/prowler/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py
@@ -67,7 +67,7 @@ class iam_disable_90_days_credentials(Check):
 old_access_keys = True
 report = Check_Report_AWS(self.metadata())
 report.region = iam_client.region
- report.resource_id = user["user"] 
+ report.resource_id = user["user"] + "/AccessKey1"
 report.resource_arn = user["arn"]
 report.status = "FAIL"
 report.status_extended = f"User {user['user']} has not used access key 1 in the last {maximum_expiration_days} days ({access_key_1_last_used_date.days} days)."
@@ -86,7 +86,7 @@ class iam_disable_90_days_credentials(Check):
 old_access_keys = True
 report = Check_Report_AWS(self.metadata())
 report.region = iam_client.region
- report.resource_id = user["user"] 
+ report.resource_id = user["user"] + "/AccessKey2"
 report.resource_arn = user["arn"]
 report.status = "FAIL"
 report.status_extended = f"User {user['user']} has not used access key 2 in the last {maximum_expiration_days} days ({access_key_2_last_used_date.days} days)."
diff --git a/prowler/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges.py b/prowler/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges.py
index ca92514d..b0e4915f 100644
--- a/prowler/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges.py
+++ b/prowler/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges.py 
@@ -10,7 +10,7 @@ class iam_inline_policy_no_administrative_privileges(Check):
 report = Check_Report_AWS(self.metadata())
 report.region = iam_client.region
 report.resource_arn = policy.arn
- report.resource_id = policy.entity 
+ report.resource_id = f"{policy.entity}/{policy.name}"
 report.resource_tags = policy.tags
 report.status = "PASS"
 report.status_extended = f"{policy.type} policy {policy.name} for IAM identity {policy.arn} does not allow '*:*' administrative privileges."
diff --git a/prowler/providers/aws/services/iam/iam_policy_attached_only_to_group_or_roles/iam_policy_attached_only_to_group_or_roles.py b/prowler/providers/aws/services/iam/iam_policy_attached_only_to_group_or_roles/iam_policy_attached_only_to_group_or_roles.py
index 5cae3eff..96374713 100644
--- a/prowler/providers/aws/services/iam/iam_policy_attached_only_to_group_or_roles/iam_policy_attached_only_to_group_or_roles.py
+++ b/prowler/providers/aws/services/iam/iam_policy_attached_only_to_group_or_roles/iam_policy_attached_only_to_group_or_roles.py
@@ -14,7 +14,7 @@ class iam_policy_attached_only_to_group_or_roles(Check):
 report.region = iam_client.region
 report.status = "FAIL"
 report.status_extended = f"User {user.name} has the policy {policy['PolicyName']} attached."
- report.resource_id = user.name 
+ report.resource_id = f"{user.name}/{policy['PolicyName']}"
 report.resource_arn = user.arn
 findings.append(report)
 if user.inline_policies:
@@ -23,7 +23,7 @@ class iam_policy_attached_only_to_group_or_roles(Check):
 report.region = iam_client.region
 report.status = "FAIL"
 report.status_extended = f"User {user.name} has the inline policy {policy} attached."
- report.resource_id = user.name 
+ report.resource_id = f"{user.name}/{policy}"
 report.resource_arn = user.arn
 findings.append(report) 
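Review bot: `report.resource_id = f"{policy.entity}/{policy.name}"` keys the finding on the identity's bare name, but IAM user, group and role names are separate namespaces, so a user and a role that share a name and each carry an inline policy of the same name still produce two findings with one resource_id, which is the duplication this commit sets out to remove. The line just above, `report.resource_arn = policy.arn`, already disambiguates the identity, so deriving the id from the ARN, or including the identity kind if `policy.type` conveys it (it appears in the status message here but its values are not visible in the hunk), would close the gap. Per the diffstat this is the only resource_id assignment in the file, so the FAIL branch presumably reuses the same report object; that branch and the rest of the method lie outside the hunk.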
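Review bot: The two new id formats, `f"{user.name}/{policy['PolicyName']}"` in hunk @@ -14 for attached policies and `f"{user.name}/{policy}"` in hunk @@ -23 for inline policies, still collide when an inline policy carries the same name as a managed policy attached to the same user, which AWS allows because the two are separate namespaces. Tagging the inline branch, e.g. `report.resource_id = f"{user.name}/inline/{policy}"`, or using the attached policy's ARN in the first branch if the dict carries it, keeps the two findings distinct; the assertions in this commit's test file would need the matching change. Both hunks belong to a method that starts before the first hunk and continues past the second.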
diff --git a/prowler/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover.py b/prowler/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover.py
index 1ef5b62f..5e803ef6 100644
--- a/prowler/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover.py
+++ b/prowler/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover.py
@@ -25,7 +25,7 @@ class route53_dangling_ip_subdomain_takeover(Check):
 # Check if record is an IP Address
 if validate_ip_address(record):
 report = Check_Report_AWS(self.metadata())
- report.resource_id = record_set.hosted_zone_id 
+ report.resource_id = f"{record_set.hosted_zone_id}/{record}"
 report.resource_arn = route53_client.hosted_zones[
 record_set.hosted_zone_id
 ].arn
diff --git a/tests/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials_test.py b/tests/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials_test.py
index 573efc5c..6aa9bab4 100644
--- a/tests/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials_test.py
+++ b/tests/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials_test.py
@@ -275,7 +275,7 @@ class Test_iam_disable_30_days_credentials_test:
 result[1].status_extended
 == f"User {user} has not used access key 1 in the last 30 days (100 days)."
 )
- assert result[1].resource_id == user 
+ assert result[1].resource_id == user + "/AccessKey1"
 assert result[1].resource_arn == arn
 assert result[1].region == AWS_REGION 
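Review bot: `report.resource_id = f"{record_set.hosted_zone_id}/{record}"` keys the finding on zone plus IP, so two record sets in the same zone that resolve to the same address (an apex and a `www` name pointing at one host is the common case) still produce two findings with one resource_id, and a multi-value record set yields one finding per address rather than per DNS name. Including the record set's own name, if the model exposes it, e.g. `report.resource_id = f"{record_set.hosted_zone_id}/{record_set.name}/{record}"`, would make the id unique per name/address pair, which is also the unit a takeover finding is actually about. The enclosing loop and check method start before the hunk and continue after it.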
@@ -325,7 +325,7 @@ class Test_iam_disable_30_days_credentials_test:
 result[1].status_extended
 == f"User {user} has not used access key 2 in the last 30 days (100 days)."
 )
- assert result[1].resource_id == user 
+ assert result[1].resource_id == user + "/AccessKey2"
 assert result[1].resource_arn == arn
 assert result[1].region == AWS_REGION
@@ -380,7 +380,7 @@ class Test_iam_disable_30_days_credentials_test:
 result[1].status_extended
 == f"User {user} has not used access key 1 in the last 30 days (100 days)."
 )
- assert result[1].resource_id == user 
+ assert result[1].resource_id == user + "/AccessKey1"
 assert result[1].resource_arn == arn
 assert result[1].region == AWS_REGION
@@ -389,7 +389,7 @@ class Test_iam_disable_30_days_credentials_test:
 result[2].status_extended
 == f"User {user} has not used access key 2 in the last 30 days (100 days)."
 )
- assert result[2].resource_id == user 
+ assert result[2].resource_id == user + "/AccessKey2"
 assert result[2].resource_arn == arn
 assert result[2].region == AWS_REGION
diff --git a/tests/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials_test.py b/tests/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials_test.py
index 10ae4c3e..c4834d5f 100644
--- a/tests/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials_test.py
+++ b/tests/providers/aws/services/iam/iam_disable_45_days_credentials/iam_disable_45_days_credentials_test.py
@@ -275,7 +275,7 @@ class Test_iam_disable_45_days_credentials_test:
 result[1].status_extended
 == f"User {user} has not used access key 1 in the last 45 days (100 days)."
 )
- assert result[1].resource_id == user 
+ assert result[1].resource_id == user + "/AccessKey1"
 assert result[1].resource_arn == arn
 assert result[1].region == AWS_REGION 
@@ -325,7 +325,7 @@ class Test_iam_disable_45_days_credentials_test:
 result[1].status_extended
 == f"User {user} has not used access key 2 in the last 45 days (100 days)."
 )
- assert result[1].resource_id == user 
+ assert result[1].resource_id == user + "/AccessKey2"
 assert result[1].resource_arn == arn
 assert result[1].region == AWS_REGION
@@ -380,7 +380,7 @@ class Test_iam_disable_45_days_credentials_test:
 result[1].status_extended
 == f"User {user} has not used access key 1 in the last 45 days (100 days)."
 )
- assert result[1].resource_id == user 
+ assert result[1].resource_id == user + "/AccessKey1"
 assert result[1].resource_arn == arn
 assert result[1].region == AWS_REGION
 assert result[2].status == "FAIL"
@@ -388,7 +388,7 @@ class Test_iam_disable_45_days_credentials_test:
 result[2].status_extended
 == f"User {user} has not used access key 2 in the last 45 days (100 days)."
 )
- assert result[2].resource_id == user 
+ assert result[2].resource_id == user + "/AccessKey2"
 assert result[2].resource_arn == arn
 assert result[2].region == AWS_REGION
diff --git a/tests/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials_test.py b/tests/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials_test.py
index 39296afe..f28d316b 100644
--- a/tests/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials_test.py
+++ b/tests/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials_test.py
@@ -273,7 +273,7 @@ class Test_iam_disable_90_days_credentials_test:
 result[1].status_extended
 == f"User {user} has not used access key 1 in the last 90 days (100 days)."
 )
- assert result[1].resource_id == user 
+ assert result[1].resource_id == user + "/AccessKey1"
 assert result[1].resource_arn == arn
 assert result[1].region == AWS_REGION 
@@ -323,7 +323,7 @@ class Test_iam_disable_90_days_credentials_test:
 result[1].status_extended
 == f"User {user} has not used access key 2 in the last 90 days (100 days)."
 )
- assert result[1].resource_id == user 
+ assert result[1].resource_id == user + "/AccessKey2"
 assert result[1].resource_arn == arn
 assert result[1].region == AWS_REGION
@@ -378,7 +378,7 @@ class Test_iam_disable_90_days_credentials_test:
 result[1].status_extended
 == f"User {user} has not used access key 1 in the last 90 days (100 days)."
 )
- assert result[1].resource_id == user 
+ assert result[1].resource_id == user + "/AccessKey1"
 assert result[1].resource_arn == arn
 assert result[1].region == AWS_REGION
 assert result[2].status == "FAIL"
@@ -386,7 +386,7 @@ class Test_iam_disable_90_days_credentials_test:
 result[2].status_extended
 == f"User {user} has not used access key 2 in the last 90 days (100 days)."
 )
- assert result[2].resource_id == user 
+ assert result[2].resource_id == user + "/AccessKey2"
 assert result[2].resource_arn == arn
 assert result[2].region == AWS_REGION
diff --git a/tests/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges_test.py b/tests/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges_test.py
index 4e9566e1..f60b0f74 100644
--- a/tests/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges_test.py
+++ b/tests/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges_test.py 
@@ -128,7 +128,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
 assert len(results) == 1
 assert results[0].region == AWS_REGION
 assert results[0].resource_arn == group_arn
- assert results[0].resource_id == group_name 
+ assert results[0].resource_id == f"{group_name}/{policy_name}"
 assert results[0].resource_tags == []
 assert results[0].status == "FAIL"
 assert (
@@ -172,7 +172,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
 assert len(results) == 1
 assert results[0].region == AWS_REGION
 assert results[0].resource_arn == group_arn
- assert results[0].resource_id == group_name 
+ assert results[0].resource_id == f"{group_name}/{policy_name}"
 assert results[0].resource_tags == []
 assert results[0].status == "PASS"
 assert (
@@ -316,7 +316,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
 assert len(results) == 1
 assert results[0].region == AWS_REGION
 assert results[0].resource_arn == role_arn
- assert results[0].resource_id == role_name 
+ assert results[0].resource_id == f"{role_name}/{policy_name}"
 assert results[0].resource_tags == []
 assert results[0].status == "FAIL"
 assert (
@@ -363,7 +363,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
 assert len(results) == 1
 assert results[0].region == AWS_REGION
 assert results[0].resource_arn == role_arn
- assert results[0].resource_id == role_name 
+ assert results[0].resource_id == f"{role_name}/{policy_name}"
 assert results[0].resource_tags == []
 assert results[0].status == "PASS"
 assert (
@@ -507,7 +507,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
 assert len(results) == 1
 assert results[0].region == AWS_REGION
 assert results[0].resource_arn == user_arn
- assert results[0].resource_id == user_name 
+ assert results[0].resource_id == f"{user_name}/{policy_name}"
 assert results[0].resource_tags == []
 assert results[0].status == "FAIL"
 assert ( 
@@ -553,7 +553,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
 assert len(results) == 1
 assert results[0].region == AWS_REGION
 assert results[0].resource_arn == user_arn
- assert results[0].resource_id == user_name 
+ assert results[0].resource_id == f"{user_name}/{policy_name}"
 assert results[0].resource_tags == []
 assert results[0].status == "PASS"
 assert (
diff --git a/tests/providers/aws/services/iam/iam_policy_attached_only_to_group_or_roles/iam_policy_attached_only_to_group_or_roles_test.py b/tests/providers/aws/services/iam/iam_policy_attached_only_to_group_or_roles/iam_policy_attached_only_to_group_or_roles_test.py
index f739c1c4..ef45039a 100644
--- a/tests/providers/aws/services/iam/iam_policy_attached_only_to_group_or_roles/iam_policy_attached_only_to_group_or_roles_test.py
+++ b/tests/providers/aws/services/iam/iam_policy_attached_only_to_group_or_roles/iam_policy_attached_only_to_group_or_roles_test.py
@@ -83,7 +83,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
 == f"User {user} has the policy {policy_name} attached."
 )
 assert result[0].region == AWS_REGION
- assert result[0].resource_id == user 
+ assert result[0].resource_id == f"{user}/{policy_name}"
 assert (
 result[0].resource_arn
 == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:user/{user}"
@@ -133,7 +133,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
 == f"User {user} has the policy {policyName} attached."
 )
 assert result[0].region == AWS_REGION
- assert result[0].resource_id == user 
+ assert result[0].resource_id == f"{user}/{policyName}"
 assert result[0].status == "FAIL"
 assert (
@@ -141,7 +141,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
 == f"User {user} has the policy {policyName} attached."
 )
 assert result[0].region == AWS_REGION
- assert result[0].resource_id == user 
+ assert result[0].resource_id == f"{user}/{policyName}"
 assert (
 result[0].resource_arn
 == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:user/{user}" 
@@ -186,7 +186,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
 == f"User {user} has the inline policy {policyName} attached."
 )
 assert result[0].region == AWS_REGION
- assert result[0].resource_id == user 
+ assert result[0].resource_id == f"{user}/{policyName}"
 assert (
 result[0].resource_arn
 == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:user/{user}"
diff --git a/tests/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover_test.py b/tests/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover_test.py
index 79d47d3e..c2910341 100644
--- a/tests/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover_test.py
+++ b/tests/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover_test.py
@@ -165,7 +165,10 @@ class Test_route53_dangling_ip_subdomain_takeover:
 "is not a dangling IP",
 result[0].status_extended,
 )
- assert result[0].resource_id == zone_id.replace("/hostedzone/", "") 
+ assert (
+ result[0].resource_id
+ == zone_id.replace("/hostedzone/", "") + "/192.168.1.1"
+ )
 assert (
 result[0].resource_arn
 == f"arn:{audit_info.audited_partition}:route53:::hostedzone/{zone_id.replace('/hostedzone/','')}"
@@ -226,7 +229,10 @@ class Test_route53_dangling_ip_subdomain_takeover:
 "does not belong to AWS and it is not a dangling IP",
 result[0].status_extended,
 )
- assert result[0].resource_id == zone_id.replace("/hostedzone/", "") 
+ assert (
+ result[0].resource_id
+ == zone_id.replace("/hostedzone/", "") + "/17.5.7.3"
+ )
 assert (
 result[0].resource_arn
 == f"arn:{audit_info.audited_partition}:route53:::hostedzone/{zone_id.replace('/hostedzone/','')}" 
@@ -287,7 +293,10 @@ class Test_route53_dangling_ip_subdomain_takeover:
 "is a dangling IP",
 result[0].status_extended,
 )
- assert result[0].resource_id == zone_id.replace("/hostedzone/", "") 
+ assert (
+ result[0].resource_id
+ == zone_id.replace("/hostedzone/", "") + "/54.152.12.70"
+ )
 assert (
 result[0].resource_arn
 == f"arn:{audit_info.audited_partition}:route53:::hostedzone/{zone_id.replace('/hostedzone/','')}"
@@ -351,7 +360,10 @@ class Test_route53_dangling_ip_subdomain_takeover:
 "is not a dangling IP",
 result[0].status_extended,
 )
- assert result[0].resource_id == zone_id.replace("/hostedzone/", "") 
+ assert (
+ result[0].resource_id
+ == zone_id.replace("/hostedzone/", "") + "/17.5.7.3"
+ )
 assert (
 result[0].resource_arn
 == f"arn:{audit_info.audited_partition}:route53:::hostedzone/{zone_id.replace('/hostedzone/','')}"
@@ -421,7 +433,10 @@ class Test_route53_dangling_ip_subdomain_takeover:
 "is not a dangling IP",
 result[0].status_extended,
 )
- assert result[0].resource_id == zone_id.replace("/hostedzone/", "") 
+ assert (
+ result[0].resource_id
+ == zone_id.replace("/hostedzone/", "") + "/17.5.7.3"
+ )
 assert (
 result[0].resource_arn
 == f"arn:{audit_info.audited_partition}:route53:::hostedzone/{zone_id.replace('/hostedzone/','')}"