fix(emr): solve emr_cluster_publicly_accesible error (#2086)

2026-02-10 14:55:00 +00:00 · 2023-03-14 13:10:21 +01:00
parent f48a5c650d
commit 2d1c3d8121
2 changed files with 91 additions and 2 deletions
--- a/prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.py
+++ b/prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.py
@@ -32,7 +32,10 @@ class emr_cluster_publicly_accesible(Check):
                    master_node_sg_groups = deepcopy(
                        cluster.master.additional_security_groups_id
                    )
-                    master_node_sg_groups.append(cluster.master.security_group_id)
+                    if master_node_sg_groups:
+                        master_node_sg_groups.append(cluster.master.security_group_id)
+                    else:
+                        master_node_sg_groups = [cluster.master.security_group_id]

                    master_public_security_groups = []
                    for master_sg in master_node_sg_groups:
@@ -51,7 +54,10 @@ class emr_cluster_publicly_accesible(Check):
                    slave_node_sg_groups = deepcopy(
                        cluster.slave.additional_security_groups_id
                    )
-                    slave_node_sg_groups.append(cluster.slave.security_group_id)
+                    if slave_node_sg_groups:
+                        slave_node_sg_groups.append(cluster.slave.security_group_id)
+                    else:
+                        slave_node_sg_groups = [cluster.slave.security_group_id]

                    slave_public_security_groups = []
                    for slave_sg in slave_node_sg_groups:
--- a/tests/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible_test.py
+++ b/tests/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible_test.py
@@ -361,3 +361,86 @@ class Test_emr_cluster_publicly_accesible:
                result[0].status_extended
                == f"EMR Cluster {cluster_id} is publicly accessible through the following Security Groups: Master Node {master_expected_public_sgs}"
            )
+
+    @mock_ec2
+    def test_clusters_master_private_slave_public_sg_none_additional_sgs(self):
+        # EC2 Client
+        ec2 = resource("ec2", AWS_REGION)
+        # Create Master Security Group
+        master_security_group = ec2.create_security_group(
+            GroupName=str(uuid4()), Description="test-decurity-group"
+        )
+        master_security_group.authorize_ingress(
+            IpProtocol="tcp",
+            FromPort=0,
+            ToPort=65535,
+            CidrIp="10.0.0.0/8",
+        )
+
+        # Create Slave Security Group
+        slave_security_group = ec2.create_security_group(
+            GroupName=str(uuid4()), Description="test-decurity-group"
+        )
+        slave_security_group.authorize_ingress(
+            IpProtocol="tcp",
+            FromPort=0,
+            ToPort=65535,
+            CidrIp="0.0.0.0/0",
+        )
+
+        # EMR Client
+        emr_client = mock.MagicMock
+        cluster_name = "test-cluster"
+        cluster_id = "j-XWO1UKVCC6FCV"
+        cluster_arn = f"arn:aws:elasticmapreduce:{AWS_REGION}:{DEFAULT_ACCOUNT_ID}:cluster/{cluster_name}"
+        emr_client.clusters = {
+            "test-cluster": Cluster(
+                id=cluster_id,
+                arn=cluster_arn,
+                name=cluster_name,
+                status=ClusterStatus.RUNNING,
+                region=AWS_REGION,
+                master_public_dns_name="test.amazonaws.com",
+                public=True,
+                master=Node(
+                    security_group_id=master_security_group.id,
+                    additional_security_groups_id=None,
+                ),
+                slave=Node(
+                    security_group_id=slave_security_group.id,
+                    additional_security_groups_id=None,
+                ),
+            )
+        }
+
+        slave_expected_public_sgs = [slave_security_group.id]
+
+        from prowler.providers.aws.services.ec2.ec2_service import EC2
+
+        with mock.patch(
+            "prowler.providers.aws.services.emr.emr_service.EMR",
+            new=emr_client,
+        ), mock.patch(
+            "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+            self.set_mocked_audit_info(),
+        ), mock.patch(
+            "prowler.providers.aws.services.emr.emr_cluster_publicly_accesible.emr_cluster_publicly_accesible.ec2_client",
+            new=EC2(self.set_mocked_audit_info()),
+        ):
+            # Test Check
+            from prowler.providers.aws.services.emr.emr_cluster_publicly_accesible.emr_cluster_publicly_accesible import (
+                emr_cluster_publicly_accesible,
+            )
+
+            check = emr_cluster_publicly_accesible()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].region == AWS_REGION
+            assert result[0].resource_id == cluster_id
+            assert result[0].resource_arn == cluster_arn
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"EMR Cluster {cluster_id} is publicly accessible through the following Security Groups: Slaves Nodes {slave_expected_public_sgs}"
+            )