fix(fms): Handle PolicyComplianceStatusList key error (#3230)

Co-authored-by: Sergio Garcia <sergargar1@gmail.com>

prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py

@@ -13,17 +13,21 @@ class fms_policy_compliant(Check):
             report.status = "PASS"
             report.status_extended = "FMS enabled with all compliant accounts."
             non_compliant_policy = False
-            for policy in fms_client.fms_policies:
-                for policy_to_account in policy.compliance_status:
-                    if policy_to_account.status == "NON_COMPLIANT":
-                        report.status = "FAIL"
-                        report.status_extended = f"FMS with non-compliant policy {policy.name} for account {policy_to_account.account_id}."
-                        report.resource_id = policy.id
-                        report.resource_arn = policy.arn
-                        non_compliant_policy = True
+            if fms_client.fms_policies:
+                for policy in fms_client.fms_policies:
+                    for policy_to_account in policy.compliance_status:
+                        if policy_to_account.status == "NON_COMPLIANT":
+                            report.status = "FAIL"
+                            report.status_extended = f"FMS with non-compliant policy {policy.name} for account {policy_to_account.account_id}."
+                            report.resource_id = policy.id
+                            report.resource_arn = policy.arn
+                            non_compliant_policy = True
+                            break
+                    if non_compliant_policy:
                         break
-                if non_compliant_policy:
-                    break
+            else:
+                report.status = "FAIL"
+                report.status_extended = f"FMS without any compliant policy for account {fms_client.audited_account}."
 
             findings.append(report)
         return findings

prowler/providers/aws/services/fms/fms_service.py

@@ -66,7 +66,9 @@ class FMS(AWSService):
                 for page in list_compliance_status_paginator.paginate(
                     PolicyId=fms_policy.id
                 ):
-                    for fms_compliance_status in page["PolicyComplianceStatusList"]:
+                    for fms_compliance_status in page.get(
+                        "PolicyComplianceStatusList", []
+                    ):
                         fms_policy.compliance_status.append(
                             PolicyAccountComplianceStatus(
                                 account_id=fms_compliance_status.get("MemberAccount"),

tests/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant_test.py

@@ -170,3 +170,32 @@ class Test_fms_policy_compliant:
             assert result[0].resource_id == "12345678901"
             assert result[0].resource_arn == "arn:aws:fms:us-east-1:12345678901"
             assert result[0].region == AWS_REGION_US_EAST_1
+
+    def test_fms_admin_without_policies(self):
+        fms_client = mock.MagicMock
+        fms_client.audited_account = AWS_ACCOUNT_NUMBER
+        fms_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+        fms_client.region = AWS_REGION_US_EAST_1
+        fms_client.fms_admin_account = True
+        fms_client.fms_policies = []
+        with mock.patch(
+            "prowler.providers.aws.services.fms.fms_service.FMS",
+            new=fms_client,
+        ):
+            # Test Check
+            from prowler.providers.aws.services.fms.fms_policy_compliant.fms_policy_compliant import (
+                fms_policy_compliant,
+            )
+
+            check = fms_policy_compliant()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"FMS without any compliant policy for account {AWS_ACCOUNT_NUMBER}."
+            )
+            assert result[0].resource_id == AWS_ACCOUNT_NUMBER
+            assert result[0].resource_arn == fms_client.audited_account_arn
+            assert result[0].region == AWS_REGION_US_EAST_1