diff --git a/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py b/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py index dcb0b4e5..b6c599d7 100644 --- a/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py +++ b/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py @@ -13,17 +13,21 @@ class fms_policy_compliant(Check): report.status = "PASS" report.status_extended = "FMS enabled with all compliant accounts." non_compliant_policy = False - for policy in fms_client.fms_policies: - for policy_to_account in policy.compliance_status: - if policy_to_account.status == "NON_COMPLIANT": - report.status = "FAIL" - report.status_extended = f"FMS with non-compliant policy {policy.name} for account {policy_to_account.account_id}." - report.resource_id = policy.id - report.resource_arn = policy.arn - non_compliant_policy = True + if fms_client.fms_policies: + for policy in fms_client.fms_policies: + for policy_to_account in policy.compliance_status: + if policy_to_account.status == "NON_COMPLIANT": + report.status = "FAIL" + report.status_extended = f"FMS with non-compliant policy {policy.name} for account {policy_to_account.account_id}." + report.resource_id = policy.id + report.resource_arn = policy.arn + non_compliant_policy = True + break + if non_compliant_policy: break - if non_compliant_policy: - break + else: + report.status = "FAIL" + report.status_extended = f"FMS without any compliant policy for account {fms_client.audited_account}." findings.append(report) return findings diff --git a/prowler/providers/aws/services/fms/fms_service.py b/prowler/providers/aws/services/fms/fms_service.py index 6b95eccf..941bfde2 100644 --- a/prowler/providers/aws/services/fms/fms_service.py +++ b/prowler/providers/aws/services/fms/fms_service.py 
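Review bot: A policy whose `compliance_status` list is empty never enters the inner loop, so the check still reports PASS with "FMS enabled with all compliant accounts." even though no member-account status was observed; the new `else` only covers the zero-policies case, and the companion `page.get("PolicyComplianceStatusList", [])` change makes an empty list a realistic outcome. A guard inside the outer loop would close that fail-open path, e.g. `if not policy.compliance_status:` / `report.status = "FAIL"` / `report.status_extended = f"FMS policy {policy.name} has no compliance status for any member account."` (or whatever status the project uses for inconclusive findings). Separately, the new message "FMS without any compliant policy" is misleading when the real condition is that no policies exist at all; something like `f"FMS admin account {fms_client.audited_account} has no policies configured."` describes the finding accurately (the test asserting the string would need the same edit). The `execute` method this hunk belongs to starts before the hunk, so the `fms_admin_account` gate that presumably precedes it is not visible here.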
@@ -66,7 +66,9 @@ class FMS(AWSService): for page in list_compliance_status_paginator.paginate( PolicyId=fms_policy.id ): - for fms_compliance_status in page["PolicyComplianceStatusList"]: + for fms_compliance_status in page.get( + "PolicyComplianceStatusList", [] + ): fms_policy.compliance_status.append( PolicyAccountComplianceStatus( account_id=fms_compliance_status.get("MemberAccount"), diff --git a/tests/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant_test.py b/tests/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant_test.py index 9460c2ca..ab2ba554 100644 --- a/tests/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant_test.py +++ b/tests/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant_test.py @@ -170,3 +170,32 @@ class Test_fms_policy_compliant: assert result[0].resource_id == "12345678901" assert result[0].resource_arn == "arn:aws:fms:us-east-1:12345678901" assert result[0].region == AWS_REGION_US_EAST_1 + + def test_fms_admin_without_policies(self): + fms_client = mock.MagicMock + fms_client.audited_account = AWS_ACCOUNT_NUMBER + fms_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + fms_client.region = AWS_REGION_US_EAST_1 + fms_client.fms_admin_account = True + fms_client.fms_policies = [] + with mock.patch( + "prowler.providers.aws.services.fms.fms_service.FMS", + new=fms_client, + ): + # Test Check + from prowler.providers.aws.services.fms.fms_policy_compliant.fms_policy_compliant import ( + fms_policy_compliant, + ) + + check = fms_policy_compliant() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == f"FMS without any compliant policy for account {AWS_ACCOUNT_NUMBER}." + ) + assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert result[0].resource_arn == fms_client.audited_account_arn + assert result[0].region == AWS_REGION_US_EAST_1
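Review bot: Defaulting a missing `PolicyComplianceStatusList` to `[]` makes a malformed or truncated page indistinguishable from a policy with no member-account results, and the consumer check treats an empty `compliance_status` as a pass. If the project logger is in scope in this module, a one-liner such as `logger.debug(f"No PolicyComplianceStatusList in ListComplianceStatus page for policy {fms_policy.id}")` before the loop keeps the inconclusive case traceable without changing behavior. The enclosing pagination loop and its surrounding method start and end outside this hunk, so whether an exception handler already records such cases cannot be confirmed from here.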
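Review bot: `fms_client = mock.MagicMock` binds the MagicMock class rather than an instance, so `audited_account`, `fms_policies`, `fms_admin_account` and the rest become class attributes that leak into every other `MagicMock` created in the same pytest process; `fms_client = mock.MagicMock()` gives the test its own object. The new test also only exercises the zero-policies branch; a sibling case with one policy whose `compliance_status` is `[]` would pin down what the check reports when the service returns no member-account data, which the service change in this same commit now permits. Other tests in this file that are outside the hunk may share the same `mock.MagicMock` pattern and would benefit from the same fix.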