From 38a7dc1a935fb8599014f33682f5d61e29e7374b Mon Sep 17 00:00:00 2001
From: Nacho Rivera
Date: Thu, 31 Aug 2023 11:55:10 +0200
Subject: [PATCH] fix(ec2 ebs/instance checks): unify checks logic (#2795)

---
 .../ec2_ebs_public_snapshot.py | 10 ++++------
 .../ec2_ebs_snapshots_encrypted.py | 9 ++++-----
 .../ec2_ebs_volume_encryption.py | 7 +++----
 .../ec2_instance_managed_by_ssm.py | 12 +++++------
 .../ec2_instance_public_ip/ec2_instance_public_ip.py | 12 ++++++------
 5 files changed, 22 insertions(+), 28 deletions(-)

diff --git a/prowler/providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot.py b/prowler/providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot.py
index 0b6d9390..156d505f 100644
--- a/prowler/providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot.py
+++ b/prowler/providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot.py
@@ -10,16 +10,14 @@ class ec2_ebs_public_snapshot(Check):
             report.region = snapshot.region
             report.resource_arn = snapshot.arn
             report.resource_tags = snapshot.tags
-            if not snapshot.public:
-                report.status = "PASS"
-                report.status_extended = f"EBS Snapshot {snapshot.id} is not Public."
-                report.resource_id = snapshot.id
-            else:
+            report.status = "PASS"
+            report.status_extended = f"EBS Snapshot {snapshot.id} is not Public."
+            report.resource_id = snapshot.id
+            if snapshot.public:
                 report.status = "FAIL"
                 report.status_extended = (
                     f"EBS Snapshot {snapshot.id} is currently Public."
                 )
-                report.resource_id = snapshot.id
             findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/ec2/ec2_ebs_snapshots_encrypted/ec2_ebs_snapshots_encrypted.py b/prowler/providers/aws/services/ec2/ec2_ebs_snapshots_encrypted/ec2_ebs_snapshots_encrypted.py
index acd8885b..c308f4a9 100644
--- a/prowler/providers/aws/services/ec2/ec2_ebs_snapshots_encrypted/ec2_ebs_snapshots_encrypted.py
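Review bot: The new code in ec2_ebs_public_snapshot writes PASS to every report first and only flips to FAIL when `snapshot.public` is truthy, so a snapshot whose `public` attribute is unset (None) for any reason is reported as compliant instead of as unknown — a fail-open default for a security check. If the `public` field can be left unpopulated when the permission lookup fails (how it is populated is not visible in this hunk), add a guard such as `if snapshot.public is None: continue` (or a distinct status) ahead of the PASS assignment so missing data is never reported as "not Public". The enclosing `execute` loop starts outside the hunk.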
+++ b/prowler/providers/aws/services/ec2/ec2_ebs_snapshots_encrypted/ec2_ebs_snapshots_encrypted.py
@@ -10,11 +10,10 @@ class ec2_ebs_snapshots_encrypted(Check):
             report.region = snapshot.region
             report.resource_arn = snapshot.arn
             report.resource_tags = snapshot.tags
-            if snapshot.encrypted:
-                report.status = "PASS"
-                report.status_extended = f"EBS Snapshot {snapshot.id} is encrypted."
-                report.resource_id = snapshot.id
-            else:
+            report.status = "PASS"
+            report.status_extended = f"EBS Snapshot {snapshot.id} is encrypted."
+            report.resource_id = snapshot.id
+            if not snapshot.encrypted:
                 report.status = "FAIL"
                 report.status_extended = f"EBS Snapshot {snapshot.id} is unencrypted."
                 report.resource_id = snapshot.id
diff --git a/prowler/providers/aws/services/ec2/ec2_ebs_volume_encryption/ec2_ebs_volume_encryption.py b/prowler/providers/aws/services/ec2/ec2_ebs_volume_encryption/ec2_ebs_volume_encryption.py
index e0dd419f..f05f8ebd 100644
--- a/prowler/providers/aws/services/ec2/ec2_ebs_volume_encryption/ec2_ebs_volume_encryption.py
+++ b/prowler/providers/aws/services/ec2/ec2_ebs_volume_encryption/ec2_ebs_volume_encryption.py
@@ -11,10 +11,9 @@ class ec2_ebs_volume_encryption(Check):
             report.resource_id = volume.id
             report.resource_arn = volume.arn
             report.resource_tags = volume.tags
-            if volume.encrypted:
-                report.status = "PASS"
-                report.status_extended = f"EBS Snapshot {volume.id} is encrypted."
-            else:
+            report.status = "PASS"
+            report.status_extended = f"EBS Snapshot {volume.id} is encrypted."
+            if not volume.encrypted:
                 report.status = "FAIL"
                 report.status_extended = f"EBS Snapshot {volume.id} is unencrypted."
             findings.append(report)
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_managed_by_ssm/ec2_instance_managed_by_ssm.py b/prowler/providers/aws/services/ec2/ec2_instance_managed_by_ssm/ec2_instance_managed_by_ssm.py
index bb1b44e9..69af056e 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_managed_by_ssm/ec2_instance_managed_by_ssm.py
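Review bot: In ec2_ebs_snapshots_encrypted the `report.resource_id = snapshot.id` kept inside the `if not snapshot.encrypted:` branch is now redundant, because the identical assignment was hoisted above the condition two lines earlier; the public-snapshot and volume hunks in this same commit drop that duplicate. Remove it so the FAIL branch only sets `report.status` and `report.status_extended`, which is the unified shape the commit title describes. The enclosing `execute` loop starts and ends outside the hunk.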
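Review bot: Both status_extended strings in ec2_ebs_volume_encryption still call the resource an `EBS Snapshot` although the check iterates volumes and reports `volume.id`, so the finding text that reaches whoever triages it names the wrong resource type, and the commit carries that text unchanged onto the new side. Change them to `report.status_extended = f"EBS Volume {volume.id} is encrypted."` and `report.status_extended = f"EBS Volume {volume.id} is unencrypted."`. The surrounding `execute` method begins outside the hunk.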
+++ b/prowler/providers/aws/services/ec2/ec2_instance_managed_by_ssm/ec2_instance_managed_by_ssm.py
@@ -12,18 +12,16 @@ class ec2_instance_managed_by_ssm(Check):
             report.region = instance.region
             report.resource_arn = instance.arn
             report.resource_tags = instance.tags
+            report.status = "PASS"
+            report.status_extended = (
+                f"EC2 Instance {instance.id} is managed by Systems Manager."
+            )
+            report.resource_id = instance.id
             if not ssm_client.managed_instances.get(instance.id):
                 report.status = "FAIL"
                 report.status_extended = (
                     f"EC2 Instance {instance.id} is not managed by Systems Manager."
                 )
-                report.resource_id = instance.id
-            else:
-                report.status = "PASS"
-                report.status_extended = (
-                    f"EC2 Instance {instance.id} is managed by Systems Manager."
-                )
-                report.resource_id = instance.id
             findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_public_ip/ec2_instance_public_ip.py b/prowler/providers/aws/services/ec2/ec2_instance_public_ip/ec2_instance_public_ip.py
index f64846d6..8cfcf318 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_public_ip/ec2_instance_public_ip.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_public_ip/ec2_instance_public_ip.py
@@ -11,16 +11,16 @@ class ec2_instance_public_ip(Check):
             report.region = instance.region
             report.resource_arn = instance.arn
             report.resource_tags = instance.tags
+            report.status = "PASS"
+            report.status_extended = (
+                f"EC2 Instance {instance.id} does not have a Public IP."
+            )
+            report.resource_id = instance.id
             if instance.public_ip:
                 report.status = "FAIL"
                 report.status_extended = f"EC2 Instance {instance.id} has a Public IP: {instance.public_ip} ({instance.public_dns})."
                 report.resource_id = instance.id
-            else:
-                report.status = "PASS"
-                report.status_extended = (
-                    f"EC2 Instance {instance.id} does not have a Public IP."
-                )
-                report.resource_id = instance.id
+
             findings.append(report)
         return findings
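Review bot: ec2_instance_managed_by_ssm decides FAIL with `if not ssm_client.managed_instances.get(instance.id):`, which conflates "instance id absent" with "present but mapped to a falsy value"; a membership test states the intent and cannot misfire on whatever is stored: `if instance.id not in ssm_client.managed_instances:`. What `managed_instances` maps ids to is not visible here, so treat this as a readability point unless the values can be falsy. Separately, the PASS default is now written before the lookup, so if the SSM inventory for a region could not be retrieved every instance there would be reported as managed — worth a comment, or an explicit unknown-state guard, if that case exists in the SSM service. The enclosing loop starts outside the hunk.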
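Review bot: The FAIL message in ec2_instance_public_ip interpolates `instance.public_dns` unconditionally, so an instance that has a public IP but no public DNS name (presumably possible when DNS hostnames are disabled on the subnet) would render as `(None)` in the finding. Build the suffix conditionally, e.g. `dns = f" ({instance.public_dns})" if instance.public_dns else ""` and `report.status_extended = f"EC2 Instance {instance.id} has a Public IP: {instance.public_ip}{dns}."`, or document that the service always sets public_dns alongside public_ip if that is guaranteed. The added empty `+` line before `findings.append(report)` is whitespace noise and can be dropped. The enclosing loop begins outside the hunk.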