chore(arn): include ARN of AWS accounts (#2477)

Co-authored-by: Pepe Fagoaga <pepe@verica.io>

prowler/providers/aws/lib/audit_info/audit_info.py

@@ -18,6 +18,7 @@ current_audit_info = AWS_Audit_Info(
         user_agent_extra=boto3_user_agent_extra,
     ),
     audited_account=None,
+    audited_account_arn=None,
     audited_user_id=None,
     audited_partition=None,
     audited_identity_arn=None,

prowler/providers/aws/lib/audit_info/models.py

@@ -37,6 +37,7 @@ class AWS_Audit_Info:
     # https://boto3.amazonaws.com/v1/documentation/api/latest/guide/retries.html
     session_config: Config
     audited_account: int
+    audited_account_arn: str
     audited_identity_arn: str
     audited_user_id: str
     audited_partition: str

prowler/providers/aws/services/account/account_maintain_current_contact_details/account_maintain_current_contact_details.py

@@ -9,6 +9,7 @@ class account_maintain_current_contact_details(Check):
         report = Check_Report_AWS(self.metadata())
         report.region = account_client.region
         report.resource_id = account_client.audited_account
+        report.resource_arn = account_client.audited_account_arn
         report.status = "INFO"
         report.status_extended = "Manual check: Login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Contact Information."
         return [report]

prowler/providers/aws/services/account/account_security_contact_information_is_registered/account_security_contact_information_is_registered.py

@@ -9,6 +9,7 @@ class account_security_contact_information_is_registered(Check):
         report = Check_Report_AWS(self.metadata())
         report.region = account_client.region
         report.resource_id = account_client.audited_account
+        report.resource_arn = account_client.audited_account_arn
         report.status = "INFO"
         report.status_extended = "Manual check: Login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Alternate Contacts -> Security Section."
         return [report]

prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account/account_security_questions_are_registered_in_the_aws_account.py

@@ -9,6 +9,7 @@ class account_security_questions_are_registered_in_the_aws_account(Check):
         report = Check_Report_AWS(self.metadata())
         report.region = account_client.region
         report.resource_id = account_client.audited_account
+        report.resource_arn = account_client.audited_account_arn
         report.status = "INFO"
         report.status_extended = "Manual check: Login to the AWS Console as root. Choose your account name on the top right of the window -> My Account -> Configure Security Challenge Questions."
         return [report]

prowler/providers/aws/services/account/account_service.py

@@ -7,6 +7,8 @@ class Account:
         self.service = "account"
         self.session = audit_info.audit_session
         self.audited_account = audit_info.audited_account
+        self.audited_partition = audit_info.audited_partition
+        self.audited_account_arn = audit_info.audited_account_arn
         self.regional_clients = generate_regional_clients(self.service, audit_info)
         # If the region is not set in the audit profile,
         # we pick the first region from the regional clients list

prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.py

@@ -8,8 +8,8 @@ class backup_plans_exist(Check):
         report = Check_Report_AWS(self.metadata())
         report.status = "FAIL"
         report.status_extended = "No Backup Plan Exist"
-        report.resource_arn = ""
-        report.resource_id = "Backups"
+        report.resource_arn = backup_client.audited_account_arn
+        report.resource_id = backup_client.audited_account
         report.region = backup_client.region
         if backup_client.backup_plans:
             report.status = "PASS"

prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.py

@@ -10,8 +10,8 @@ class backup_reportplans_exist(Check):
             report = Check_Report_AWS(self.metadata())
             report.status = "FAIL"
             report.status_extended = "No Backup Report Plan Exist"
-            report.resource_arn = ""
-            report.resource_id = "Backups"
+            report.resource_arn = backup_client.audited_account_arn
+            report.resource_id = backup_client.audited_account
             report.region = backup_client.region
             if backup_client.backup_report_plans:
                 report.status = "PASS"

prowler/providers/aws/services/backup/backup_service.py

@@ -15,6 +15,8 @@ class Backup:
         self.service = "backup"
         self.session = audit_info.audit_session
         self.audited_account = audit_info.audited_account
+        self.audited_partition = audit_info.audited_partition
+        self.audited_account_arn = audit_info.audited_account_arn
         self.audit_resources = audit_info.audit_resources
         self.regional_clients = generate_regional_clients(self.service, audit_info)
         # If the region is not set in the audit profile,

prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py

@@ -8,8 +8,8 @@ class backup_vaults_exist(Check):
         report = Check_Report_AWS(self.metadata())
         report.status = "FAIL"
         report.status_extended = "No Backup Vault Exist"
-        report.resource_arn = ""
-        report.resource_id = "Backups"
+        report.resource_arn = backup_client.audited_account_arn
+        report.resource_id = backup_client.audited_account
         report.region = backup_client.region
         if backup_client.backup_vaults:
             report.status = "PASS"

prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled.py

@@ -32,8 +32,8 @@ class cloudtrail_multi_region_enabled(Check):
                         report.status_extended = (
                             "No CloudTrail trails enabled and logging were found"
                         )
-                        report.resource_arn = "No trails"
-                        report.resource_id = "No trails"
+                        report.resource_arn = cloudtrail_client.audited_account_arn
+                        report.resource_id = cloudtrail_client.audited_account
             # If there are no trails logging it is needed to store the FAIL once all the trails have been checked
             if report.status == "FAIL":
                 findings.append(report)

prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.py

@@ -9,8 +9,8 @@ class cloudtrail_s3_dataevents_read_enabled(Check):
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.region = cloudtrail_client.region
-        report.resource_id = "No trails"
-        report.resource_arn = "No trails"
+        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_id = cloudtrail_client.audited_account
         report.status = "FAIL"
         report.status_extended = "No CloudTrail trails have a data event to record all S3 object-level API operations."
         for trail in cloudtrail_client.trails:

prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.py

@@ -9,8 +9,8 @@ class cloudtrail_s3_dataevents_write_enabled(Check):
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.region = cloudtrail_client.region
-        report.resource_id = "No trails"
-        report.resource_arn = "No trails"
+        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_id = cloudtrail_client.audited_account
         report.status = "FAIL"
         report.status_extended = "No CloudTrail trails have a data event to record all S3 object-level API operations."
         for trail in cloudtrail_client.trails:

prowler/providers/aws/services/cloudtrail/cloudtrail_service.py

@@ -16,8 +16,9 @@ class Cloudtrail:
         self.service = "cloudtrail"
         self.session = audit_info.audit_session
         self.audited_account = audit_info.audited_account
-        self.audit_resources = audit_info.audit_resources
         self.audited_partition = audit_info.audited_partition
+        self.audited_account_arn = audit_info.audited_account_arn
+        self.audit_resources = audit_info.audit_resources
         self.regional_clients = generate_regional_clients(self.service, audit_info)
         # If the region is not set in the audit profile,
         # we pick the first region from the regional clients list

prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py

@@ -21,6 +21,7 @@ class cloudwatch_changes_to_network_acls_alarm_configured(Check):
         )
         report.region = cloudwatch_client.region
         report.resource_id = cloudtrail_client.audited_account
+        report.resource_arn = cloudtrail_client.audited_account_arn
         # 1. Iterate for CloudWatch Log Group in CloudTrail trails
         log_groups = []
         for trail in cloudtrail_client.trails:

prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py

@@ -21,6 +21,7 @@ class cloudwatch_changes_to_network_gateways_alarm_configured(Check):
         )
         report.region = cloudwatch_client.region
         report.resource_id = cloudtrail_client.audited_account
+        report.resource_arn = cloudtrail_client.audited_account_arn
         # 1. Iterate for CloudWatch Log Group in CloudTrail trails
         log_groups = []
         for trail in cloudtrail_client.trails:

prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py

@@ -21,6 +21,7 @@ class cloudwatch_changes_to_network_route_tables_alarm_configured(Check):
         )
         report.region = cloudwatch_client.region
         report.resource_id = cloudtrail_client.audited_account
+        report.resource_arn = cloudtrail_client.audited_account_arn
         # 1. Iterate for CloudWatch Log Group in CloudTrail trails
         log_groups = []
         for trail in cloudtrail_client.trails:

prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py

@@ -21,6 +21,7 @@ class cloudwatch_changes_to_vpcs_alarm_configured(Check):
         )
         report.region = cloudwatch_client.region
         report.resource_id = cloudtrail_client.audited_account
+        report.resource_arn = cloudtrail_client.audited_account_arn
         # 1. Iterate for CloudWatch Log Group in CloudTrail trails
         log_groups = []
         for trail in cloudtrail_client.trails:

prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.py

@@ -7,12 +7,14 @@ class cloudwatch_cross_account_sharing_disabled(Check):
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.status = "PASS"
-        report.status_extended = "CloudWatch doesn't allows cross-account sharing"
-        report.resource_id = "CloudWatch-CrossAccountSharingRole"
+        report.status_extended = "CloudWatch doesn't allow cross-account sharing"
+        report.resource_arn = iam_client.account_arn
+        report.resource_id = iam_client.account
         report.region = iam_client.region
         for role in iam_client.roles:
             if role.name == "CloudWatch-CrossAccountSharingRole":
                 report.resource_arn = role.arn
+                report.resource_id = role.name
                 report.status = "FAIL"
                 report.status_extended = "CloudWatch has allowed cross-account sharing."
         findings.append(report)

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py

@@ -23,6 +23,7 @@ class cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_change
         )
         report.region = cloudwatch_client.region
         report.resource_id = cloudtrail_client.audited_account
+        report.resource_arn = cloudtrail_client.audited_account_arn
         # 1. Iterate for CloudWatch Log Group in CloudTrail trails
         log_groups = []
         for trail in cloudtrail_client.trails:

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py

@@ -23,6 +23,7 @@ class cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_change
         )
         report.region = cloudwatch_client.region
         report.resource_id = cloudtrail_client.audited_account
+        report.resource_arn = cloudtrail_client.audited_account_arn
         # 1. Iterate for CloudWatch Log Group in CloudTrail trails
         log_groups = []
         for trail in cloudtrail_client.trails:

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py

@@ -21,6 +21,7 @@ class cloudwatch_log_metric_filter_authentication_failures(Check):
         )
         report.region = cloudwatch_client.region
         report.resource_id = cloudtrail_client.audited_account
+        report.resource_arn = cloudtrail_client.audited_account_arn
         # 1. Iterate for CloudWatch Log Group in CloudTrail trails
         log_groups = []
         for trail in cloudtrail_client.trails:

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py

@@ -21,6 +21,7 @@ class cloudwatch_log_metric_filter_aws_organizations_changes(Check):
         )
         report.region = cloudwatch_client.region
         report.resource_id = cloudtrail_client.audited_account
+        report.resource_arn = cloudtrail_client.audited_account_arn
         # 1. Iterate for CloudWatch Log Group in CloudTrail trails
         log_groups = []
         for trail in cloudtrail_client.trails:

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py

@@ -21,6 +21,7 @@ class cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk(Chec
         )
         report.region = cloudwatch_client.region
         report.resource_id = cloudtrail_client.audited_account
+        report.resource_arn = cloudtrail_client.audited_account_arn
         # 1. Iterate for CloudWatch Log Group in CloudTrail trails
         log_groups = []
         for trail in cloudtrail_client.trails:

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py

@@ -21,6 +21,7 @@ class cloudwatch_log_metric_filter_for_s3_bucket_policy_changes(Check):
         )
         report.region = cloudwatch_client.region
         report.resource_id = cloudtrail_client.audited_account
+        report.resource_arn = cloudtrail_client.audited_account_arn
         # 1. Iterate for CloudWatch Log Group in CloudTrail trails
         log_groups = []
         for trail in cloudtrail_client.trails:

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py

@@ -21,6 +21,7 @@ class cloudwatch_log_metric_filter_policy_changes(Check):
         )
         report.region = cloudwatch_client.region
         report.resource_id = cloudtrail_client.audited_account
+        report.resource_arn = cloudtrail_client.audited_account_arn
         # 1. Iterate for CloudWatch Log Group in CloudTrail trails
         log_groups = []
         for trail in cloudtrail_client.trails:

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py

@@ -21,6 +21,7 @@ class cloudwatch_log_metric_filter_root_usage(Check):
         )
         report.region = cloudwatch_client.region
         report.resource_id = cloudtrail_client.audited_account
+        report.resource_arn = cloudtrail_client.audited_account_arn
         # 1. Iterate for CloudWatch Log Group in CloudTrail trails
         log_groups = []
         for trail in cloudtrail_client.trails:

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py

@@ -21,6 +21,7 @@ class cloudwatch_log_metric_filter_security_group_changes(Check):
         )
         report.region = cloudwatch_client.region
         report.resource_id = cloudtrail_client.audited_account
+        report.resource_arn = cloudtrail_client.audited_account_arn
         # 1. Iterate for CloudWatch Log Group in CloudTrail trails
         log_groups = []
         for trail in cloudtrail_client.trails:

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py

@@ -21,6 +21,7 @@ class cloudwatch_log_metric_filter_sign_in_without_mfa(Check):
         )
         report.region = cloudwatch_client.region
         report.resource_id = cloudtrail_client.audited_account
+        report.resource_arn = cloudtrail_client.audited_account_arn
         # 1. Iterate for CloudWatch Log Group in CloudTrail trails
         log_groups = []
         for trail in cloudtrail_client.trails:

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py

@@ -21,6 +21,7 @@ class cloudwatch_log_metric_filter_unauthorized_api_calls(Check):
         )
         report.region = cloudwatch_client.region
         report.resource_id = cloudtrail_client.audited_account
+        report.resource_arn = cloudtrail_client.audited_account_arn
         # 1. Iterate for CloudWatch Log Group in CloudTrail trails
         log_groups = []
         for trail in cloudtrail_client.trails:

prowler/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled.py

@@ -8,7 +8,12 @@ class config_recorder_all_regions_enabled(Check):
         for recorder in config_client.recorders:
             report = Check_Report_AWS(self.metadata())
             report.region = recorder.region
-            report.resource_id = "" if not recorder.name else recorder.name
+            report.resource_arn = (
+                config_client.audited_account_arn
+            )  # Config Recorders do not have ARNs
+            report.resource_id = (
+                config_client.audited_account if not recorder.name else recorder.name
+            )
             # Check if Config is enabled in region
             if not recorder.name:
                 report.status = "FAIL"

prowler/providers/aws/services/config/config_service.py

@@ -14,6 +14,8 @@ class Config:
         self.service = "config"
         self.session = audit_info.audit_session
         self.audited_account = audit_info.audited_account
+        self.audited_partition = audit_info.audited_partition
+        self.audited_account_arn = audit_info.audited_account_arn
         self.audit_resources = audit_info.audit_resources
         self.regional_clients = generate_regional_clients(self.service, audit_info)
         self.recorders = []

prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.py

@@ -9,10 +9,10 @@ class drs_job_exist(Check):
             report = Check_Report_AWS(self.metadata())
             report.status = "FAIL"
             report.status_extended = "DRS is not enabled for this region."
-            report.resource_id = drs.id
             report.region = drs.region
             report.resource_tags = []
-            report.resource_arn = ""
+            report.resource_arn = drs_client.audited_account_arn
+            report.resource_id = drs_client.audited_account
             if drs.status == "ENABLED":
                 report.status_extended = "DRS is enabled for this region without jobs."
                 if drs.jobs:

prowler/providers/aws/services/drs/drs_service.py

@@ -16,6 +16,7 @@ class DRS:
         self.session = audit_info.audit_session
         self.audited_account = audit_info.audited_account
         self.audited_partition = audit_info.audited_partition
+        self.audited_account_arn = audit_info.audited_account_arn
         self.audit_resources = audit_info.audit_resources
         self.regional_clients = generate_regional_clients(self.service, audit_info)
         # If the region is not set in the audit profile,

prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption.py

@@ -8,7 +8,8 @@ class ec2_ebs_default_encryption(Check):
         for ebs_encryption in ec2_client.ebs_encryption_by_default:
             report = Check_Report_AWS(self.metadata())
             report.region = ebs_encryption.region
-            report.resource_id = "EBS Default Encryption"
+            report.resource_arn = ec2_client.audited_account_arn
+            report.resource_id = ec2_client.audited_account
             report.status = "FAIL"
             report.status_extended = "EBS Default Encryption is not activated."
             if ebs_encryption.status:

prowler/providers/aws/services/ec2/ec2_service.py

@@ -17,6 +17,7 @@ class EC2:
         self.session = audit_info.audit_session
         self.audited_partition = audit_info.audited_partition
         self.audited_account = audit_info.audited_account
+        self.audited_account_arn = audit_info.audited_account_arn
         self.audit_resources = audit_info.audit_resources
         self.regional_clients = generate_regional_clients(self.service, audit_info)
         self.instances = []

prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.py

@@ -9,7 +9,7 @@ class emr_cluster_account_public_block_enabled(Check):
             report = Check_Report_AWS(self.metadata())
             report.region = region
             report.resource_id = emr_client.audited_account
-
+            report.resource_arn = emr_client.audited_account_arn
             if emr_client.block_public_access_configuration[
                 region
             ].block_public_security_group_rules:

prowler/providers/aws/services/emr/emr_service.py

@@ -16,6 +16,8 @@ class EMR:
         self.service = "emr"
         self.session = audit_info.audit_session
         self.audited_account = audit_info.audited_account
+        self.audited_partition = audit_info.audited_partition
+        self.audited_account_arn = audit_info.audited_account_arn
         self.audit_resources = audit_info.audit_resources
         self.regional_clients = generate_regional_clients(self.service, audit_info)
         self.clusters = {}

prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py

@@ -7,8 +7,8 @@ class fms_policy_compliant(Check):
         findings = []
         if fms_client.fms_admin_account:
             report = Check_Report_AWS(self.metadata())
-            report.resource_id = "FMS"
-            report.resource_arn = ""
+            report.resource_arn = fms_client.audited_account_arn
+            report.resource_id = fms_client.audited_account
             report.region = fms_client.region
             report.status = "PASS"
             report.status_extended = "FMS enabled with all compliant accounts"

prowler/providers/aws/services/fms/fms_service.py

@@ -13,6 +13,7 @@ class FMS:
         self.session = audit_info.audit_session
         self.audited_account = audit_info.audited_account
         self.audited_partition = audit_info.audited_partition
+        self.audited_account_arn = audit_info.audited_account_arn
         self.audit_resources = audit_info.audit_resources
         global_client = generate_regional_clients(
             self.service, audit_info, global_service=True

prowler/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled.py

@@ -8,6 +8,7 @@ class glue_data_catalogs_connection_passwords_encryption_enabled(Check):
         for encryption in glue_client.catalog_encryption_settings:
             report = Check_Report_AWS(self.metadata())
             report.resource_id = glue_client.audited_account
+            report.resource_arn = glue_client.audited_account_arn
             report.region = encryption.region
             report.status = "FAIL"
             report.status_extended = (

prowler/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled.py

@@ -8,6 +8,7 @@ class glue_data_catalogs_metadata_encryption_enabled(Check):
         for encryption in glue_client.catalog_encryption_settings:
             report = Check_Report_AWS(self.metadata())
             report.resource_id = glue_client.audited_account
+            report.resource_arn = glue_client.audited_account_arn
             report.region = encryption.region
             report.status = "FAIL"
             report.status_extended = (

prowler/providers/aws/services/glue/glue_service.py

@@ -15,7 +15,8 @@ class Glue:
         self.session = audit_info.audit_session
         self.audited_account = audit_info.audited_account
         self.audit_resources = audit_info.audit_resources
-        self.audited_partition = audit_info.audited_account
+        self.audited_partition = audit_info.audited_partition
+        self.audited_account_arn = audit_info.audited_account_arn
         self.regional_clients = generate_regional_clients(self.service, audit_info)
         self.connections = []
         self.__threading_call__(self.__get_connections__)

prowler/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less.py

@@ -7,7 +7,8 @@ class iam_password_policy_expires_passwords_within_90_days_or_less(Check):
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.region = iam_client.region
-        report.resource_id = "password_policy"
+        report.resource_arn = iam_client.account_arn
+        report.resource_id = iam_client.account
         # Check if password policy exists
         if iam_client.password_policy:
             # Check if password policy expiration exists

prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase.py

@@ -7,7 +7,8 @@ class iam_password_policy_lowercase(Check):
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.region = iam_client.region
-        report.resource_id = "password_policy"
+        report.resource_arn = iam_client.account_arn
+        report.resource_id = iam_client.account
         # Check if password policy exists
         if iam_client.password_policy:
             # Check if lowercase flag is set

prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14.py

@@ -7,7 +7,8 @@ class iam_password_policy_minimum_length_14(Check):
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.region = iam_client.region
-        report.resource_id = "password_policy"
+        report.resource_arn = iam_client.account_arn
+        report.resource_id = iam_client.account
         # Check if password policy exists
         if iam_client.password_policy:
             # Check password policy length

prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number.py

@@ -7,7 +7,8 @@ class iam_password_policy_number(Check):
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.region = iam_client.region
-        report.resource_id = "password_policy"
+        report.resource_arn = iam_client.account_arn
+        report.resource_id = iam_client.account
         # Check if password policy exists
         if iam_client.password_policy:
             # Check if number flag is set

prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24.py

@@ -7,7 +7,8 @@ class iam_password_policy_reuse_24(Check):
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.region = iam_client.region
-        report.resource_id = "password_policy"
+        report.resource_arn = iam_client.account_arn
+        report.resource_id = iam_client.account
         # Check if password policy exists
         if iam_client.password_policy:
             # Check if reuse prevention flag is set

prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol.py

@@ -7,7 +7,8 @@ class iam_password_policy_symbol(Check):
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.region = iam_client.region
-        report.resource_id = "password_policy"
+        report.resource_arn = iam_client.account_arn
+        report.resource_id = iam_client.account
         # Check if password policy exists
         if iam_client.password_policy:
             # Check if symbol flag is set

prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase.py

@@ -7,7 +7,8 @@ class iam_password_policy_uppercase(Check):
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.region = iam_client.region
-        report.resource_id = "password_policy"
+        report.resource_arn = iam_client.account_arn
+        report.resource_id = iam_client.account
         # Check if password policy exists
         if iam_client.password_policy:
             # Check if uppercase flag is set

prowler/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled.py

@@ -11,8 +11,8 @@ class iam_root_hardware_mfa_enabled(Check):
                 virtual_mfa = False
                 report = Check_Report_AWS(self.metadata())
                 report.region = iam_client.region
-                report.resource_id = "root"
-                report.resource_arn = f"arn:aws:iam::{iam_client.account}:root"
+                report.resource_id = "<root_account>"
+                report.resource_arn = iam_client.account_arn
 
                 if iam_client.account_summary["SummaryMap"]["AccountMFAEnabled"] > 0:
                     virtual_mfas = iam_client.virtual_mfa_devices

prowler/providers/aws/services/iam/iam_service.py

@@ -54,6 +54,7 @@ class IAM:
         self.account = audit_info.audited_account
         self.audit_resources = audit_info.audit_resources
         self.partition = audit_info.audited_partition
+        self.account_arn = audit_info.audited_account_arn
         self.client = self.session.client(self.service)
         global_client = generate_regional_clients(
             self.service, audit_info, global_service=True

prowler/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist.py

@@ -11,8 +11,8 @@ class inspector2_findings_exist(Check):
             report = Check_Report_AWS(self.metadata())
             report.status = "FAIL"
             report.status_extended = "Inspector2 is not enabled."
-            report.resource_id = inspector.id
-            report.resource_arn = ""
+            report.resource_id = inspector2_client.audited_account
+            report.resource_arn = inspector2_client.audited_account_arn
             report.region = inspector.region
             if inspector.status == "ENABLED":
                 active_findings = 0

prowler/providers/aws/services/inspector2/inspector2_service.py

@@ -13,8 +13,9 @@ class Inspector2:
         self.service = "inspector2"
         self.session = audit_info.audit_session
         self.audited_account = audit_info.audited_account
-        self.audit_resources = audit_info.audit_resources
         self.audited_partition = audit_info.audited_partition
+        self.audited_account_arn = audit_info.audited_account_arn
+        self.audit_resources = audit_info.audit_resources
         self.regional_clients = generate_regional_clients(self.service, audit_info)
         # If the region is not set in the audit profile,
         # we pick the first region from the regional clients list

prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.py

@@ -8,7 +8,8 @@ class macie_is_enabled(Check):
         for session in macie_client.sessions:
             report = Check_Report_AWS(self.metadata())
             report.region = session.region
-            report.resource_id = "Macie"
+            report.resource_arn = macie_client.audited_account_arn
+            report.resource_id = macie_client.audited_account
             if session.status == "ENABLED":
                 report.status = "PASS"
                 report.status_extended = "Macie is enabled."

prowler/providers/aws/services/macie/macie_service.py

@@ -12,6 +12,8 @@ class Macie:
         self.service = "macie2"
         self.session = audit_info.audit_session
         self.audited_account = audit_info.audited_account
+        self.audited_partition = audit_info.audited_partition
+        self.audited_account_arn = audit_info.audited_account_arn
         self.regional_clients = generate_regional_clients(self.service, audit_info)
         self.sessions = []
         self.__threading_call__(self.__get_macie_session__)

prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py

@@ -13,6 +13,7 @@ class resourceexplorer2_indexes_found(Check):
         report.region = resource_explorer_2_client.region
         report.resource_arn = "NoResourceExplorer"
         report.resource_id = resource_explorer_2_client.audited_account
+        report.resource_arn = resource_explorer_2_client.audited_account_arn
         if resource_explorer_2_client.indexes:
             report.region = resource_explorer_2_client.indexes[0].region
             report.resource_arn = resource_explorer_2_client.indexes[0].arn

prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_service.py

@@ -14,6 +14,8 @@ class ResourceExplorer2:
         self.session = audit_info.audit_session
         self.audit_resources = audit_info.audit_resources
         self.audited_account = audit_info.audited_account
+        self.audited_partition = audit_info.audited_partition
+        self.audited_account_arn = audit_info.audited_account_arn
         self.regional_clients = generate_regional_clients(self.service, audit_info)
         # If the region is not set in the audit profile,
         # we pick the first region from the regional clients list

prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks.py

@@ -11,6 +11,7 @@ class s3_account_level_public_access_blocks(Check):
         report.status_extended = f"Block Public Access is not configured for the account {s3_client.audited_account}."
         report.region = s3control_client.region
         report.resource_id = s3_client.audited_account
+        report.resource_arn = s3_client.audited_account_arn
         if (
             s3control_client.account_public_access_block
             and s3control_client.account_public_access_block.ignore_public_acls

prowler/providers/aws/services/s3/s3_bucket_public_access/s3_bucket_public_access.py

@@ -17,6 +17,7 @@ class s3_bucket_public_access(Check):
             report.status_extended = "All S3 public access blocked at account level."
             report.region = s3control_client.region
             report.resource_id = s3_client.audited_account
+            report.resource_arn = s3_client.audited_account_arn
             findings.append(report)
         else:
             # 2. If public access is not blocked at account level, check it at each bucket level

prowler/providers/aws/services/s3/s3_service.py

@@ -19,6 +19,7 @@ class S3:
         self.audited_account = audit_info.audited_account
         self.audit_resources = audit_info.audit_resources
         self.audited_partition = audit_info.audited_partition
+        self.audited_account_arn = audit_info.audited_account_arn
         self.regional_clients = generate_regional_clients(self.service, audit_info)
         self.buckets = self.__list_buckets__(audit_info)
         self.__threading_call__(self.__get_bucket_versioning__)

prowler/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans.py

@@ -10,7 +10,8 @@ class ssmincidents_enabled_with_plans(Check):
         report = Check_Report_AWS(self.metadata())
         report.status = "FAIL"
         report.status_extended = "No SSM Incidents replication set exists."
-        report.resource_id = "SSMIncidents"
+        report.resource_arn = ssmincidents_client.audited_account_arn
+        report.resource_id = ssmincidents_client.audited_account
         report.region = ssmincidents_client.region
         if ssmincidents_client.replication_set:
             report.resource_arn = ssmincidents_client.replication_set[0].arn

prowler/providers/aws/services/ssmincidents/ssmincidents_service.py

@@ -21,6 +21,7 @@ class SSMIncidents:
         self.session = audit_info.audit_session
         self.audited_account = audit_info.audited_account
         self.audited_partition = audit_info.audited_partition
+        self.audited_account_arn = audit_info.audited_account_arn
         self.audit_resources = audit_info.audit_resources
         self.regional_clients = generate_regional_clients(self.service, audit_info)
         # If the region is not set in the audit profile,

prowler/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions.py

@@ -14,6 +14,7 @@ class vpc_different_regions(Check):
         # This is a global check under the vpc service: region, resource_id and tags are not relevant here but we keep them for consistency
         report.region = vpc_client.region
         report.resource_id = vpc_client.audited_account
+        report.resource_arn = vpc_client.audited_account_arn
         report.status = "FAIL"
         report.status_extended = "VPCs found only in one region"
         if len(vpc_regions) > 1:

prowler/providers/aws/services/vpc/vpc_service.py

@@ -17,6 +17,7 @@ class VPC:
         self.audited_account = audit_info.audited_account
         self.audit_resources = audit_info.audit_resources
         self.audited_partition = audit_info.audited_partition
+        self.audited_account_arn = audit_info.audited_account_arn
         self.regional_clients = generate_regional_clients(self.service, audit_info)
         self.vpcs = {}
         self.vpc_peering_connections = []

prowler/providers/common/audit_info.py

@@ -135,6 +135,7 @@ Azure Identity Type: {Fore.YELLOW}[{audit_info.identity.identity_type}]{Style.RE
         current_audit_info.audited_partition = parse_iam_credentials_arn(
             caller_identity["Arn"]
         ).partition
+        current_audit_info.audited_account_arn = f"arn:{current_audit_info.audited_partition}:iam::{current_audit_info.audited_account}:root"
 
         logger.info("Checking if organizations role assumption is needed ...")
         if organizations_role_arn:
@@ -214,6 +215,7 @@ Azure Identity Type: {Fore.YELLOW}[{audit_info.identity.identity_type}]{Style.RE
             current_audit_info.audit_session = assumed_session
             current_audit_info.audited_account = role_arn_parsed.account_id
             current_audit_info.audited_partition = role_arn_parsed.partition
+            current_audit_info.audited_account_arn = f"arn:{current_audit_info.audited_partition}:iam::{current_audit_info.audited_account}:root"
         else:
             logger.info("Audit session is the original one")
             current_audit_info.audit_session = current_audit_info.original_session

tests/lib/check/check_test.py

@@ -146,6 +146,7 @@ class Test_Check:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/lib/outputs/outputs_test.py

@@ -83,6 +83,7 @@ class Test_Outputs:
             original_session=None,
             audit_session=None,
             audited_account=AWS_ACCOUNT_ID,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:root",
             audited_identity_arn="test-arn",
             audited_user_id="test",
             audited_partition="aws",
@@ -355,6 +356,7 @@ class Test_Outputs:
     #         original_session=None,
     #         audit_session=None,
     #         audited_account=AWS_ACCOUNT_ID,
+    #         audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:root",
     #         audited_identity_arn="test-arn",
     #         audited_user_id="test",
     #         audited_partition="aws",
@@ -400,6 +402,7 @@ class Test_Outputs:
             original_session=None,
             audit_session=None,
             audited_account=AWS_ACCOUNT_ID,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:root",
             audited_identity_arn="test-arn",
             audited_user_id="test",
             audited_partition="aws",
@@ -475,6 +478,7 @@ class Test_Outputs:
             original_session=None,
             audit_session=session,
             audited_account=AWS_ACCOUNT_ID,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:root",
             audited_identity_arn="test-arn",
             audited_user_id="test",
             audited_partition="aws",
@@ -524,6 +528,7 @@ class Test_Outputs:
             original_session=None,
             audit_session=session,
             audited_account=AWS_ACCOUNT_ID,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:root",
             audited_identity_arn="test-arn",
             audited_user_id="test",
             audited_partition="aws",
@@ -580,6 +585,7 @@ class Test_Outputs:
             original_session=None,
             audit_session=session,
             audited_account=AWS_ACCOUNT_ID,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:root",
             audited_identity_arn="test-arn",
             audited_user_id="test",
             audited_partition="aws",
@@ -687,6 +693,7 @@ class Test_Outputs:
             original_session=None,
             audit_session=session,
             audited_account=AWS_ACCOUNT_ID,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:root",
             audited_identity_arn="test-arn",
             audited_user_id="test",
             audited_partition="aws",

tests/lib/outputs/slack_test.py

@@ -32,6 +32,7 @@ class Test_Slack_Integration:
             original_session=None,
             audit_session=None,
             audited_account=AWS_ACCOUNT_ID,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:root",
             audited_identity_arn="test-arn",
             audited_user_id="test",
             audited_partition="aws",

tests/providers/aws/aws_provider_test.py

@@ -44,6 +44,7 @@ class Test_AWS_Provider:
             original_session=session,
             audit_session=None,
             audited_account=None,
+            audited_account_arn=None,
             audited_partition=None,
             audited_identity_arn=None,
             audited_user_id=None,
@@ -103,6 +104,7 @@ class Test_AWS_Provider:
             original_session=None,
             audit_session=session,
             audited_account=None,
+            audited_account_arn=None,
             audited_partition="aws",
             audited_identity_arn=None,
             audited_user_id=None,
@@ -133,6 +135,7 @@ class Test_AWS_Provider:
             original_session=None,
             audit_session=session,
             audited_account=None,
+            audited_account_arn=None,
             audited_partition="aws",
             audited_identity_arn=None,
             audited_user_id=None,
@@ -162,6 +165,7 @@ class Test_AWS_Provider:
             original_session=None,
             audit_session=session,
             audited_account=None,
+            audited_account_arn=None,
             audited_partition="aws-cn",
             audited_identity_arn=None,
             audited_user_id=None,

tests/providers/aws/lib/allowlist/allowlist_test.py

@@ -26,6 +26,7 @@ class Test_Allowlist:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/accessanalyzer/accessanalyzer_service_test.py

@@ -79,6 +79,7 @@ class Test_AccessAnalyzer_Service:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/acm/acm_service_test.py

@@ -105,6 +105,7 @@ class Test_ACM_Service:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/apigateway/apigateway_authorizers_enabled/apigateway_authorizers_enabled_test.py

@@ -20,6 +20,7 @@ class Test_apigateway_authorizers_enabled:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/apigateway/apigateway_client_certificate_enabled/apigateway_client_certificate_enabled_test.py

@@ -20,6 +20,7 @@ class Test_apigateway_client_certificate_enabled:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/apigateway/apigateway_endpoint_public/apigateway_endpoint_public_test.py

@@ -19,6 +19,7 @@ class Test_apigateway_endpoint_public:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/apigateway/apigateway_logging_enabled/apigateway_logging_enabled_test.py

@@ -19,6 +19,7 @@ class Test_apigateway_logging_enabled:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/apigateway/apigateway_service_test.py

@@ -19,6 +19,7 @@ class Test_APIGateway_Service:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/apigateway/apigateway_waf_acl_attached/apigateway_waf_acl_attached_test.py

@@ -19,6 +19,7 @@ class Test_apigateway_waf_acl_attached:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/apigatewayv2/apigatewayv2_access_logging_enabled/apigatewayv2_access_logging_enabled_test.py

@@ -48,6 +48,7 @@ class Test_apigatewayv2_access_logging_enabled:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/apigatewayv2/apigatewayv2_authorizers_enabled/apigatewayv2_authorizers_enabled_test.py

@@ -48,6 +48,7 @@ class Test_apigatewayv2_authorizers_enabled:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/apigatewayv2/apigatewayv2_service_test.py

@@ -50,6 +50,7 @@ class Test_ApiGatewayV2_Service:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/appstream/appstream_service_test.py

@@ -72,6 +72,7 @@ class Test_AppStream_Service:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/autoscaling/autoscaling_find_secrets_ec2_launch_configuration/autoscaling_find_secrets_ec2_launch_configuration_test.py

@@ -19,6 +19,7 @@ class Test_autoscaling_find_secrets_ec2_launch_configuration:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/autoscaling/autoscaling_group_multiple_az/autoscaling_group_multiple_az_test.py

@@ -19,6 +19,7 @@ class Test_autoscaling_group_multiple_az:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/autoscaling/autoscaling_service_test.py

@@ -21,6 +21,7 @@ class Test_AutoScaling_Service:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled_test.py

@@ -34,6 +34,7 @@ class Test_awslambda_function_invoke_api_operations_cloudtrail_logging_enabled:
                 botocore_session=None,
             ),
             audited_account=None,
+            audited_account_arn=None,
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/awslambda/awslambda_service_test.py

@@ -76,6 +76,7 @@ class Test_Lambda_Service:
                 botocore_session=None,
             ),
             audited_account=DEFAULT_ACCOUNT_ID,
+            audited_account_arn=f"arn:aws:iam::{DEFAULT_ACCOUNT_ID}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/backup/backup_plans_exist/backup_plans_exist_test.py

@@ -4,11 +4,14 @@ from unittest import mock
 from prowler.providers.aws.services.backup.backup_service import BackupPlan
 
 AWS_REGION = "eu-west-1"
+AWS_ACCOUNT_NUMBER = "123456789012"
 
 
 class Test_backup_plans_exist:
     def test_no_backup_plans(self):
         backup_client = mock.MagicMock
+        backup_client.audited_account = AWS_ACCOUNT_NUMBER
+        backup_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
         backup_client.region = AWS_REGION
         backup_client.backup_plans = []
         with mock.patch(
@@ -26,12 +29,14 @@ class Test_backup_plans_exist:
             assert len(result) == 1
             assert result[0].status == "FAIL"
             assert result[0].status_extended == "No Backup Plan Exist"
-            assert result[0].resource_id == "Backups"
-            assert result[0].resource_arn == ""
+            assert result[0].resource_id == AWS_ACCOUNT_NUMBER
+            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
             assert result[0].region == AWS_REGION
 
     def test_one_backup_plan(self):
         backup_client = mock.MagicMock
+        backup_client.audited_account = AWS_ACCOUNT_NUMBER
+        backup_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
         backup_client.region = AWS_REGION
         backup_client.backup_plans = [
             BackupPlan(

tests/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist_test.py

@@ -7,6 +7,7 @@ from prowler.providers.aws.services.backup.backup_service import (
 )
 
 AWS_REGION = "eu-west-1"
+AWS_ACCOUNT_NUMBER = "123456789012"
 
 
 class Test_backup_reportplans_exist:
@@ -30,6 +31,8 @@ class Test_backup_reportplans_exist:
 
     def test_no_backup_report_plans(self):
         backup_client = mock.MagicMock
+        backup_client.audited_account = AWS_ACCOUNT_NUMBER
+        backup_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
         backup_client.region = AWS_REGION
         backup_client.backup_plans = [
             BackupPlan(
@@ -58,12 +61,14 @@ class Test_backup_reportplans_exist:
             assert len(result) == 1
             assert result[0].status == "FAIL"
             assert result[0].status_extended == "No Backup Report Plan Exist"
-            assert result[0].resource_id == "Backups"
-            assert result[0].resource_arn == ""
+            assert result[0].resource_id == AWS_ACCOUNT_NUMBER
+            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
             assert result[0].region == AWS_REGION
 
     def test_one_backup_report_plan(self):
         backup_client = mock.MagicMock
+        backup_client.audited_account = AWS_ACCOUNT_NUMBER
+        backup_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
         backup_client.region = AWS_REGION
         backup_client.backup_plans = [
             BackupPlan(

tests/providers/aws/services/backup/backup_service_test.py

@@ -72,7 +72,6 @@ def mock_generate_regional_clients(service, audit_info):
     new=mock_generate_regional_clients,
 )
 class Test_Backup_Service:
-
     # Mocked Audit Info
     def set_mocked_audit_info(self):
         audit_info = AWS_Audit_Info(
@@ -83,6 +82,7 @@ class Test_Backup_Service:
                 botocore_session=None,
             ),
             audited_account=None,
+            audited_account_arn=None,
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist_test.py

@@ -3,11 +3,14 @@ from unittest import mock
 from prowler.providers.aws.services.backup.backup_service import BackupVault
 
 AWS_REGION = "eu-west-1"
+AWS_ACCOUNT_NUMBER = "123456789012"
 
 
 class Test_backup_vaults_exist:
     def test_no_backup_vaults(self):
         backup_client = mock.MagicMock
+        backup_client.audited_account = AWS_ACCOUNT_NUMBER
+        backup_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
         backup_client.region = AWS_REGION
         backup_client.backup_vaults = []
         with mock.patch(
@@ -25,12 +28,14 @@ class Test_backup_vaults_exist:
             assert len(result) == 1
             assert result[0].status == "FAIL"
             assert result[0].status_extended == "No Backup Vault Exist"
-            assert result[0].resource_id == "Backups"
-            assert result[0].resource_arn == ""
+            assert result[0].resource_id == AWS_ACCOUNT_NUMBER
+            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
             assert result[0].region == AWS_REGION
 
     def test_one_backup_vault(self):
         backup_client = mock.MagicMock
+        backup_client.audited_account = AWS_ACCOUNT_NUMBER
+        backup_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
         backup_client.region = AWS_REGION
         backup_client.backup_vaults = [
             BackupVault(

tests/providers/aws/services/cloudformation/cloudformation_service_test.py

@@ -143,6 +143,7 @@ class Test_CloudFormation_Service:
                 botocore_session=None,
             ),
             audited_account=None,
+            audited_account_arn=None,
             audited_user_id=None,
             audited_partition=None,
             audited_identity_arn=None,

tests/providers/aws/services/cloudfront/cloudfront_service_test.py

@@ -164,6 +164,7 @@ class Test_CloudFront_Service:
                 region_name=AWS_REGION,
             ),
             audited_account=DEFAULT_ACCOUNT_ID,
+            audited_account_arn=f"arn:aws:iam::{DEFAULT_ACCOUNT_ID}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete_test.py

@@ -25,6 +25,7 @@ class Test_cloudtrail_bucket_requires_mfa_delete:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled_test.py

@@ -20,6 +20,7 @@ class Test_cloudtrail_cloudwatch_logging_enabled:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/cloudtrail/cloudtrail_insights_exist/cloudtrail_insights_exist_test.py

@@ -19,6 +19,7 @@ class Test_cloudtrail_insights_exist:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/cloudtrail/cloudtrail_kms_encryption_enabled/cloudtrail_kms_encryption_enabled_test.py

@@ -19,6 +19,7 @@ class Test_cloudtrail_kms_encryption_enabled:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/cloudtrail/cloudtrail_log_file_validation_enabled/cloudtrail_log_file_validation_enabled_test.py

@@ -19,6 +19,7 @@ class Test_cloudtrail_log_file_validation_enabled:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,

tests/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled_test.py

@@ -19,6 +19,7 @@ class Test_cloudtrail_logs_s3_bucket_access_logging_enabled:
                 botocore_session=None,
             ),
             audited_account=AWS_ACCOUNT_NUMBER,
+            audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
             audited_user_id=None,
             audited_partition="aws",
             audited_identity_arn=None,